Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 18:23
Static task
static1
Behavioral task
behavioral1
Sample
6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
Resource
win10v2004-20240426-en
General
- Target: 6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
- Size: 45KB
- MD5: 6bda5939ed75a0a481b14df8b2e4f9c0
- SHA1: 42919be9a5a7ca964b45d90ee22807b08236238d
- SHA256: c32aca92270afa1533afd56fb9c14d28d2b362bbd5b82076361d68937f64a4be
- SHA512: 88c187b4b12552be902cd62d4c562490ec225a77fba941b5208f243f1fa4a8c15f53f337f3f59766416faed7afea7c96d0c45171b24f757777bd298daf98f75b
- SSDEEP: 768:kfO1jiF2fKA02cjRozN8WpN5ZpO5Bx24Vk6iZAl6RdpgrllpjZGH:qO1jiF2fKA0njRoz2WpN5ZpO5LtiZAl4
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description: ioc (process)):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid process):
  3828 msedge.exe (2 entries)
  1484 msedge.exe (2 entries)
  4500 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes (pid process):
  1484 msedge.exe (2 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid process):
  1484 msedge.exe (25 entries, all from the same process)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid process):
  1484 msedge.exe (24 entries, all from the same process)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
  PID 1484 wrote to memory of 3540: msedge.exe -> msedge.exe (2 entries)
  PID 1484 wrote to memory of 4292: msedge.exe -> msedge.exe
  PID 1484 wrote to memory of 3828: msedge.exe -> msedge.exe (2 entries)
  PID 1484 wrote to memory of 4700: msedge.exe -> msedge.exe
  All 64 entries have msedge.exe (PID 1484) as the source and an msedge.exe child as the target; the remaining 60 entries repeat the 4292 and 4700 targets.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bda5939ed75a0a481b14df8b2e4f9c0_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8cff46f8,0x7ffd8cff4708,0x7ffd8cff4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2756527545998610297,5756250794010679837,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2688 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1ac52e2503cc26baee4322f02f5b8d9c
  SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
  SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
  SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b2a1398f937474c51a48b347387ee36a
  SHA1: 922a8567f09e68a04233e84e5919043034635949
  SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
  SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 185B
  MD5: 903a24d03bc86b91d233d6d633df198f
  SHA1: 1fbd025c712bc9b7bc09806d0c8f62f861120fb3
  SHA256: f35061ff793564d211bbe11b8a6feb59fcdeaa223ad744dbe85f4641fffc01d8
  SHA512: 072f2676e7f99dfea509b5e717a1005549db0817e09ff681d786710a8933fef29b75e30314ea72c1b1b9753fc246a2fe959264a818631af957c064beb50bacde
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 5805b6018f83c792c83f13d8d89b7527
  SHA1: e3e9a93abe6541727b2713ba8d6cd7b22335171a
  SHA256: 9b206c99982919ea965f34c132bd0f88fd43d55275b448f6e0cd4ab72a3070b1
  SHA512: 6f2460812a869ab9e0ff747990fbf8ecdeb871f305e2904e9be63f7391ba3a40c0705d83b4be6ae34128cab3bb666fc24c4c66b9442c44e3af1f40fefe3b92e1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 91010e3bb0d48ba7f76f244496c41736
  SHA1: 6c4a81717581914fd59563af0483499ad3dad08f
  SHA256: 7ece6bf8f9750ce9cecf454867307f2aef54e36ffe876bf83b7900b8529a4b4f
  SHA512: 86a2288fb43d8aa9e5abe7017c98c26c9e57aaf555ea2eff01df883ebd8fd29e7423a823fe947f9d4fb15ba01ffb5156324de56ead382162ab99fb121d8c4a02
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0995c3d8af409ca229d9e0225fd2168d
  SHA1: 1c7e4c312296af2485a75f3a2b01cb196d738902
  SHA256: 7d943f8edd22094788b46cb3a41b16f699361c75edcd3a77aa214f79dbdba7eb
  SHA512: b10a0449d3956e5ee61e097c7339bc88bda2b90760fc53130b78065f6d01e91d6ccea2d745f76f57060dff951090144b8ba5d7e7c4247fc85e956e466726912d
- \??\pipe\LOCAL\crashpad_1484_QSYKEMZAABKGBBLR
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e