4d3564371cb211d98c1866d55c87cf1286e81fc4dc9d838b2ccc35e11d4802c9

General

Target

6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html
Size

128KB
MD5

6c11a760b9060cf3a3e511ee2cc3bef8
SHA1

09dca9a5a4504d7461e08b4ee72695b30be56415
SHA256

4d3564371cb211d98c1866d55c87cf1286e81fc4dc9d838b2ccc35e11d4802c9
SHA512

60a97e8ec40b1914dcc8c4bde0e9398de99dd256673f1b003e75eb24bb97aa462c454bfa1bfd445c0bc27e9c3ac4993a28528e112438f562297b7cb5ad29c748
SSDEEP

1536:S2fq4RdDtvyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTs:S2fxfyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1832 msedge.exe
1832 msedge.exe
2908 msedge.exe
2908 msedge.exe
1752 msedge.exe
1752 msedge.exe
1752 msedge.exe
1752 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2908 msedge.exe
2908 msedge.exe

pid	process
1832	msedge.exe
1832	msedge.exe
2908	msedge.exe
2908	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2908 wrote to memory of 976	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 976	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1020	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1832	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 1832	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe
PID 2908 wrote to memory of 32	2908	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c1346f8,0x7ffa7c134708,0x7ffa7c134718
2⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
2⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
622f8c7297f79dd49c657dfc495b078e

SHA1
deaa612dafd6b2a7666e17745b45ef4a467f7581

SHA256
50fbcf4c0eedb64e4fffe9d63b8423f70926a8f6f1a81cb320d78c9cff1ece26

SHA512
8d95db395dab7595a2f638c3c79ead741348ee0e83379577fa85986de6178142f9fa13e66966f522fbcdd3a024c86a50bae1861ee2893551240919306b5cf8cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c5e985966126abb8648708eedb67725a

SHA1
d2633f6484e8ee73d1cddf81a12094c0485c5a65

SHA256
c2924ac3800f296050d3561456ce3ea7ac77a6f4e49a1691cc47a50ca663d2df

SHA512
496626093bbe3c9214e3a0a48818b70495ce11d44b04d8e858c1ca3dcc3d78cac5053189a8e6355a666311401eb98925c8b1c1d1e2496460f5b880029ee5fec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d6e218ee79059d112dc35c7074e7b340

SHA1
20d0c88d3d98031d229930aeef81547176145b26

SHA256
05fea65ecd6e08e107d98b16bb53cd4733979681b725c66bd8e7d0ffc8cd37d6

SHA512
c1db2fd0e97f7a6169057932944ea191f25a7c88cb26ec34467b304c603dadca8086bc83a75e2a4f12f350b544eff91f2adf9a584b28a69d7d745c1fca94971a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
698eba8fb616bf8115eecc39a437ca9c

SHA1
f9aa7a72a0ea8c7b0c1d182d031787fd1d1b1af8

SHA256
c3b088e9902b6ba4a0e9218fe10abc830214daedba41aad921a979fab32fbc26

SHA512
bbf460f7a0a0874b24b26e952c2fda7b7a487fcede28921526b0c20f177e40d601c25b0845bbb88e81918175db32854d4164a3fdb9a29731c98c93de11f68c16

Download Submit
\??\pipe\LOCAL\crashpad_2908_REBUUPYCVKILNVDE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads