8838da839cbd91cc5821d4617438431a146e929eaa7a69569c138d13cd9b3d9f

General

Target

6dcb6f9f2b9f6d06184b779c9d6aff7c_JaffaCakes118.html
Size

2.7MB
MD5

6dcb6f9f2b9f6d06184b779c9d6aff7c
SHA1

c9977ab539600da4ecb258abed52b3e670a19e19
SHA256

8838da839cbd91cc5821d4617438431a146e929eaa7a69569c138d13cd9b3d9f
SHA512

82fabcfae01469eed8199338a1a2c432ee3ca7361069e60f7bb3ef53c39b136ec3e85e520774c2606809aa19b9dab6ffc20005de9c37f29faa4ee173db71a9eb
SSDEEP

24576:q+aDHsJ+aDHsX+aDHsT+aDHs1+aDHsT+aDHs1:4

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1312 msedge.exe
1312 msedge.exe
2952 msedge.exe
2952 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
4480 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2952 msedge.exe
2952 msedge.exe

pid	process
1312	msedge.exe
1312	msedge.exe
2952	msedge.exe
2952	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2952 wrote to memory of 1664	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 1664	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 4284	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 1312	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 1312	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe
PID 2952 wrote to memory of 3324	2952	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6dcb6f9f2b9f6d06184b779c9d6aff7c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7e4646f8,0x7ffe7e464708,0x7ffe7e464718
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2635458054527816351,11553500456282478110,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5028 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d29944ba634df4cdb5cc242f648d5347

SHA1
d730f81305e0718111ae80902ca6eede0c3a8402

SHA256
245cb2214ab3bc5e544c074720da49b222fa2b3e84d8a968c3b56fa90b18358a

SHA512
74641162e2308500725578e511f9af885cf296694b2d6bbb52d8d32dd8032936fa77764a6bbf6f23a0672181db235fa895f0b0b12b5abc98837473f810b609f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9289c9d581d6896f8c26da2f4f4e7904

SHA1
2f0f2b181291a8c574e23b8c06851447a06d2f9c

SHA256
6cced2e06cd1204a9e927b5afb9fd6924b167015e77aa1eaf473f3b3e2397717

SHA512
8d5d06ec4bef0794d569f99ebf9dc0be096eaddb34c5d5b929399c7ef1f729a001ab100055108cce99e9b606d7c33f51556042709555a4ba17150329cf6b3dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
25ab410da6562191f9a9d05754beab80

SHA1
141caf5391d8865700d4aae3ee6f712ee6846b06

SHA256
6db2f3c1096a8a3f51aefbd3b44e0b1b8a2946e8ab83a72ce0181418a480ceba

SHA512
eae6f59ab4f197c2bcdabe70bc3615cf4131908f0bb1fda7e0df5c5764f59e9916b958aeabf2f3fea974c3fa941d185dd3d375b3379ecbb73a0a1106b2fee336

Download Submit
\??\pipe\LOCAL\crashpad_2952_EDYDNBWQDKEKEDMX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads