7a69d1cb11fea9c4044de1ab598d5344ebd71d8695afee95e60fc47414b1a050

General

Target

6bdf39a0cea529911de49f14c384dfc4_JaffaCakes118.html
Size

46KB
MD5

6bdf39a0cea529911de49f14c384dfc4
SHA1

53bccec65a00b55138ec931123b5bb9469126af8
SHA256

7a69d1cb11fea9c4044de1ab598d5344ebd71d8695afee95e60fc47414b1a050
SHA512

c37c362d0dc754704320bba093b772e4076fa8e146282b6dc2b19b798ffa14fb045f0b733fd8f696e1366848d1d9e7b45db51f4db18eebee70a3cf9ac08956b0
SSDEEP

768:FTYFKpL1Q/P4/5/Wgvx08sQSmbGJgVED2mYaYUoSBhty/uiFGlg4eV3d3h:NYFKL/5/Wgvx08sQSmbGJgVECmYaYZSC

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4852 msedge.exe
4852 msedge.exe
1884 msedge.exe
1884 msedge.exe
4632 msedge.exe
4632 msedge.exe
4632 msedge.exe
4632 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1884 msedge.exe
1884 msedge.exe

pid	process
4852	msedge.exe
4852	msedge.exe
1884	msedge.exe
1884	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1884 wrote to memory of 1908	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 1908	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 2524	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4852	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4852	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe
PID 1884 wrote to memory of 4076	1884	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bdf39a0cea529911de49f14c384dfc4_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb55f646f8,0x7ffb55f64708,0x7ffb55f64718
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
2⤵
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,3315914564153458957,11108969392696472728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
390B

MD5
9de959c3ec452bbd695d4224c93dc314

SHA1
d1bd179fb267938ffa56b819f34ac93d3f33eb63

SHA256
602299d4df4bdf4b9e95321f085be9daf04508b77aae4e8863e7e725cfdfc0bf

SHA512
1dff121aa1d962c33297a306bd9a83a3391b7889f8473ce97489a174596f7ff1a9fdbb372038d82d2ff48da77a8b231cd7c21484638e410e92a9b9367b4a37d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f3f4bc2b967f8edaf4c91b1329d9412c

SHA1
1fd6426c97c461b78e282e117a310345afa9b0f6

SHA256
79f0f6d0cefccf7917822b2e147eee90161637fb05a42c7b7acbb663c1e22c35

SHA512
7738d2eb2efb05f6967c50f52a398ace2d3ee0486f2bccdea9a96b3ee6c16d8aacf72548e0e23570ac9e0be8c4f19b577b8ea5cad771072cf1a3e3f71d999272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
19bf011bd3a7ad7ecac4175658cd36d3

SHA1
3a72b704f8b96f46247c434a149ae5ba0cc25731

SHA256
494e3895a1d8aa97ff83c7ec0e8a784d46e3cb166b88f68001487b5b0dd1c676

SHA512
e10c99c8852a8854652fe673d7c1b4a7a80e6cf18492338b1507fa9aa3906b871ccd6f924aaac42ebf7cc7b557397aab5d927dc945b5cc0c21219c30526da1cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fdf186fdb70eecd40aa9deb69d174249

SHA1
3943b3ee4cc8982f65e482256e55bc4c577edd50

SHA256
4fa06a0d5f754e97062f42ae131714d957d2b2b405b1d2c947f55536c2b3fc86

SHA512
362ff7b27264eccafcc63a484a8878bbf979f6202dc0a25c67f7466874212a28cd7671fdd2ed771029941bd4b44f91df5a671e27bce421f491aca853984f8464

Download Submit
\??\pipe\LOCAL\crashpad_1884_WUEEPRHWGYJYBKUD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads