c1864372e038be51bc8d9a692a5bbe9671082335ed1f4170bb53c94ad5f7b0a0

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6fbef23a81ea6f17d8947703e4f4d4_JaffaCakes118.html
Size

23KB
MD5

6d6fbef23a81ea6f17d8947703e4f4d4
SHA1

58e67ee35706b3dc1f8da768df35f6e13674342c
SHA256

c1864372e038be51bc8d9a692a5bbe9671082335ed1f4170bb53c94ad5f7b0a0
SHA512

b77b8999118db74991191c11408d54fa7421396dbfe6cd66beda22a946f24cb7a9651c4e4f52491bd417c82127735564f34e1ecba251dccfdea6374091e53f49
SSDEEP

192:uWH8b5nz+nQjxn5Q/anQiepNnynQOkEntWknQTbnxnQ/CnQttwMBJqnYnQ7tnkYs:KQ/CDV

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
3776	msedge.exe
3776	msedge.exe
3148	identity_helper.exe
3148	identity_helper.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe
1204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe
3776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4044	3776	msedge.exe	85
PID 3776 wrote to memory of 4044	3776	msedge.exe	85
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 1236	3776	msedge.exe	88
PID 3776 wrote to memory of 2980	3776	msedge.exe	89
PID 3776 wrote to memory of 2980	3776	msedge.exe	89
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90
PID 3776 wrote to memory of 1992	3776	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6d6fbef23a81ea6f17d8947703e4f4d4_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5b1c46f8,0x7ffc5b1c4708,0x7ffc5b1c4718
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3651985945466490337,9673948492605732754,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
178b19f3f8704c241a4309635b2c7f72

SHA1
e00cfc4d4679e88b36054f11601875c2483aa519

SHA256
d9fa99c07a71fc2765cc8da5396c9cf23fc0aa1032a432d3885bf07a5243d748

SHA512
0b19452ddeb5eaca33a4dcbfba70075642ab09dcb81134b38d079d951af252f4f0145a605e12c620a81099a8e8308a53190c0b27d3be71d7bf27ad1209ab6bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
066b758b5bad1c6a937029ab0dc424f6

SHA1
0e703bb3e993060e6e3ae1442a6dd5855b63317f

SHA256
b794c0e4eb4ade0fc131f787c44b3ac67a2e5aca81c7d5034472cb34b9b91ffe

SHA512
b6dacc356081b38768e9f839a313e931c112b168df44a6d99eea5a047c38f94b033629aaec3e224d5dc9cb360dc12d9160d33ea1dd96b82f9c64ecc568f567e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71c0f5ee8e9a28223c410807baa6c0f6

SHA1
30edfdfd6ff6de652c6d3af075adf807a4edaaaa

SHA256
9ba210d8b81d0fb3c9243246f71ee934a79d172f0460da1d5451a578c2e081cd

SHA512
ed98c1842e9c05d65a6896b0c0e7426117fe868b3ce6e0c2adb4f4e165bd40dfbed26e152149cccd94a9b2489d8080717428d4e4cde8cbf688f591563d725a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf5227d42dded43f246cbce6c474c49d

SHA1
6ee1a32c9cc3fe1b3847a5cf31d2abc29898cd34

SHA256
082e0c33997e9e3fb86e54614a56e4c64c9be60fe7303a9d381415adbd902b77

SHA512
b6d9a2da47c1b3adb180f216497f1f0ff2b84a92f59f52d00d52297272a862d2b8556b0046bfce1cb5a497e9be072cb594e46ec5669c39e7b3a91549914190f1

Download Submit