c32aca92270afa1533afd56fb9c14d28d2b362bbd5b82076361d68937f64a4be

General

Target

6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
Size

45KB
MD5

6bda5939ed75a0a481b14df8b2e4f9c0
SHA1

42919be9a5a7ca964b45d90ee22807b08236238d
SHA256

c32aca92270afa1533afd56fb9c14d28d2b362bbd5b82076361d68937f64a4be
SHA512

88c187b4b12552be902cd62d4c562490ec225a77fba941b5208f243f1fa4a8c15f53f337f3f59766416faed7afea7c96d0c45171b24f757777bd298daf98f75b
SSDEEP

768:kfO1jiF2fKA02cjRozN8WpN5ZpO5Bx24Vk6iZAl6RdpgrllpjZGH:qO1jiF2fKA0njRoz2WpN5ZpO5LtiZAl4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3828 msedge.exe
3828 msedge.exe
1484 msedge.exe
1484 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
4500 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1484 msedge.exe
1484 msedge.exe

pid	process
3828	msedge.exe
3828	msedge.exe
1484	msedge.exe
1484	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1484 wrote to memory of 3540	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 3540	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4292	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 3828	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 3828	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe
PID 1484 wrote to memory of 4700	1484	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8cff46f8,0x7ffd8cff4708,0x7ffd8cff4718
2⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2688 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
185B

MD5
903a24d03bc86b91d233d6d633df198f

SHA1
1fbd025c712bc9b7bc09806d0c8f62f861120fb3

SHA256
f35061ff793564d211bbe11b8a6feb59fcdeaa223ad744dbe85f4641fffc01d8

SHA512
072f2676e7f99dfea509b5e717a1005549db0817e09ff681d786710a8933fef29b75e30314ea72c1b1b9753fc246a2fe959264a818631af957c064beb50bacde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5805b6018f83c792c83f13d8d89b7527

SHA1
e3e9a93abe6541727b2713ba8d6cd7b22335171a

SHA256
9b206c99982919ea965f34c132bd0f88fd43d55275b448f6e0cd4ab72a3070b1

SHA512
6f2460812a869ab9e0ff747990fbf8ecdeb871f305e2904e9be63f7391ba3a40c0705d83b4be6ae34128cab3bb666fc24c4c66b9442c44e3af1f40fefe3b92e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
91010e3bb0d48ba7f76f244496c41736

SHA1
6c4a81717581914fd59563af0483499ad3dad08f

SHA256
7ece6bf8f9750ce9cecf454867307f2aef54e36ffe876bf83b7900b8529a4b4f

SHA512
86a2288fb43d8aa9e5abe7017c98c26c9e57aaf555ea2eff01df883ebd8fd29e7423a823fe947f9d4fb15ba01ffb5156324de56ead382162ab99fb121d8c4a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0995c3d8af409ca229d9e0225fd2168d

SHA1
1c7e4c312296af2485a75f3a2b01cb196d738902

SHA256
7d943f8edd22094788b46cb3a41b16f699361c75edcd3a77aa214f79dbdba7eb

SHA512
b10a0449d3956e5ee61e097c7339bc88bda2b90760fc53130b78065f6d01e91d6ccea2d745f76f57060dff951090144b8ba5d7e7c4247fc85e956e466726912d

Download Submit
\??\pipe\LOCAL\crashpad_1484_QSYKEMZAABKGBBLR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads