dd1dd4b01261ad58ea062d641513db7aeef4b5a9aabf49985b9172a8f993a074

General

Target

6bda9c21f6a58ae35048bba36e941513_JaffaCakes118.html
Size

122KB
MD5

6bda9c21f6a58ae35048bba36e941513
SHA1

26b80f8f6cca94f97007797e23a248ee823cf4ee
SHA256

dd1dd4b01261ad58ea062d641513db7aeef4b5a9aabf49985b9172a8f993a074
SHA512

fc24a95d6843bac1fa3bb583c6ba76d00f5990c8f14a1506bcf655beea442eb2ba1c98354589d87bbdf8ededc96a9305169dc13f04bf1588b2bec1b3cd5ac276
SSDEEP

1536:SlnyhBgtoDyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTs:SlKB5yfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2016 msedge.exe
2016 msedge.exe
3156 msedge.exe
3156 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
4688 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3156 msedge.exe
3156 msedge.exe

pid	process
2016	msedge.exe
2016	msedge.exe
3156	msedge.exe
3156	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3156 wrote to memory of 4676	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 4676	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 3508	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2016	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2016	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe
PID 3156 wrote to memory of 2000	3156	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bda9c21f6a58ae35048bba36e941513_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad7f046f8,0x7ffad7f04708,0x7ffad7f04718
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,7853271803428403869,18284394405485187126,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c3ca672ab8d129f94428d19e66f27cc8

SHA1
f99c8902288c503b1fb35079bddc21aaf678585f

SHA256
247525d6841f604ff7c2b50aedde768ad79a3ba25f329c7e9f59441c051af27b

SHA512
236daeb7f1cbce18577ff6f9b0f3e8d4acdb001f3178af1541a288474832c4b1bef1a72cd62be074b310b9c8892f3d58c7522becf9c00383cdeee1688963e253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
635fc0d9508fb5228b2ed148d7fb22d0

SHA1
6fd6de03d2e8af646ef4108e47485102ac01b76e

SHA256
7058ecaf4401bae7f6b41fc6ea3ac14fc9f3ab6a9d4bfa12b9d7e8ca4a7f840c

SHA512
87b50be1a608e8f4520b427972ba312e8ca459baea2aa8c0d5f2f21b4f89ab3ade316b79e23466e0912cb6b4e185cead232f3de74148859b4546cb217162fd47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3c3e2c212a7ca8eaba938dd96dc7ae92

SHA1
06183f34e9dd9788fd212030142ca17abc87275b

SHA256
9a0a7da04c2741d17586b0cee32cdf26f2abafab2bfb0a5709bafb1a50ddf87f

SHA512
2720450cc482125b6ecb65b608c7fd2f7300ae1e09d8a130fcb01e5ea3a3dba60c5784e6965739674b5409bd57794827f5c0ac5a673b4d60d9f7025098f788d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7266ed1570a09f8e03efe474de83a09f

SHA1
26406af2b6a7adc890e17ebb38f92e2e29998d8d

SHA256
5900bb151fd9e42b4e503c6b66489769e2df98e30023721a4585962d5b9c718c

SHA512
c3e7ec6764da08aad6438ce6f60396ba99b717642d881fe67d1f01b7988f84e7b43abd37478e0fce3236cf9a8d1b84ea6c2e4283f2b333bf8437a2b87c54feef

Download Submit
\??\pipe\LOCAL\crashpad_3156_XUUKZKFJHOAAXJFF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads