Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 23-05-2024 19:50
- Static task: static1
- Behavioral task: behavioral1; sample 6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html; resource win7-20240215-en
- Behavioral task: behavioral2; sample 6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html; resource win10v2004-20240426-en
General
- Target: 6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html
- Size: 128KB
- MD5: 6c11a760b9060cf3a3e511ee2cc3bef8
- SHA1: 09dca9a5a4504d7461e08b4ee72695b30be56415
- SHA256: 4d3564371cb211d98c1866d55c87cf1286e81fc4dc9d838b2ccc35e11d4802c9
- SHA512: 60a97e8ec40b1914dcc8c4bde0e9398de99dd256673f1b003e75eb24bb97aa462c454bfa1bfd445c0bc27e9c3ac4993a28528e112438f562297b7cb5ad29c748
- SSDEEP: 1536:S2fq4RdDtvyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTs:S2fxfyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
All six signatures below fire on msedge.exe, the browser the sandbox launched to open the HTML sample; the registry reads, process enumeration and cross-process memory writes recorded here are all between the Edge browser process (PID 2908) and its own child processes.

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: msedge.exe PID 1832 (2 IoCs), msedge.exe PID 2908 (2 IoCs), msedge.exe PID 1752 (4 IoCs)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes: msedge.exe PID 2908 (2 IoCs)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe PID 2908 (all 25 IoCs)

- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe PID 2908 (all 24 IoCs)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (the original listing repeats one row per write event; the distinct source/target pairs are):
  - PID 2908 (msedge.exe) wrote to memory of PID 976 (msedge.exe)
  - PID 2908 (msedge.exe) wrote to memory of PID 1020 (msedge.exe)
  - PID 2908 (msedge.exe) wrote to memory of PID 1832 (msedge.exe)
  - PID 2908 (msedge.exe) wrote to memory of PID 32 (msedge.exe)
Processes
- PID 2908: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c11a760b9060cf3a3e511ee2cc3bef8_JaffaCakes118.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 976: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c1346f8,0x7ffa7c134708,0x7ffa7c134718
  - PID 1020: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  - PID 1832: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 32: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  - PID 440: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  - PID 1596: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  - PID 1752: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,14680077289622540850,12422093827029213850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 3636: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 844: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 622f8c7297f79dd49c657dfc495b078e
  SHA1: deaa612dafd6b2a7666e17745b45ef4a467f7581
  SHA256: 50fbcf4c0eedb64e4fffe9d63b8423f70926a8f6f1a81cb320d78c9cff1ece26
  SHA512: 8d95db395dab7595a2f638c3c79ead741348ee0e83379577fa85986de6178142f9fa13e66966f522fbcdd3a024c86a50bae1861ee2893551240919306b5cf8cd

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c5e985966126abb8648708eedb67725a
  SHA1: d2633f6484e8ee73d1cddf81a12094c0485c5a65
  SHA256: c2924ac3800f296050d3561456ce3ea7ac77a6f4e49a1691cc47a50ca663d2df
  SHA512: 496626093bbe3c9214e3a0a48818b70495ce11d44b04d8e858c1ca3dcc3d78cac5053189a8e6355a666311401eb98925c8b1c1d1e2496460f5b880029ee5fec6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d6e218ee79059d112dc35c7074e7b340
  SHA1: 20d0c88d3d98031d229930aeef81547176145b26
  SHA256: 05fea65ecd6e08e107d98b16bb53cd4733979681b725c66bd8e7d0ffc8cd37d6
  SHA512: c1db2fd0e97f7a6169057932944ea191f25a7c88cb26ec34467b304c603dadca8086bc83a75e2a4f12f350b544eff91f2adf9a584b28a69d7d745c1fca94971a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 698eba8fb616bf8115eecc39a437ca9c
  SHA1: f9aa7a72a0ea8c7b0c1d182d031787fd1d1b1af8
  SHA256: c3b088e9902b6ba4a0e9218fe10abc830214daedba41aad921a979fab32fbc26
  SHA512: bbf460f7a0a0874b24b26e952c2fda7b7a487fcede28921526b0c20f177e40d601c25b0845bbb88e81918175db32854d4164a3fdb9a29731c98c93de11f68c16
- \??\pipe\LOCAL\crashpad_2908_REBUUPYCVKILNVDE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These are the digests of zero-length input: the sandbox captured no data from this crashpad named pipe.)