b32928b85cf3f77f681d833b14cf6f3335c216f9487e5b09b5910788dde7e17d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

725e8d9ae336801c70fee436becd9385_JaffaCakes118.html
Size

9KB
MD5

725e8d9ae336801c70fee436becd9385
SHA1

c1bc2c3c9fd9bed4a59ebe0d2f56b19698b0927b
SHA256

b32928b85cf3f77f681d833b14cf6f3335c216f9487e5b09b5910788dde7e17d
SHA512

bcf625fe02f39b786d2f9fbd90c37dfac128e8117e7840adb0f11da5dd5da0f6401bf9081cdb5124dec150ab062d289d640fc136b68f15a10a7364b5793a9460
SSDEEP

192:P5AM6EPuXu45TphYWPN/WyG29Nwv/xyd2MiEa069OJZCPBt/TU:aMLPsnymNWxgiv2K9oCPBt/TU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
3592	msedge.exe
3592	msedge.exe
1800	identity_helper.exe
1800	identity_helper.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 900	3592	msedge.exe	82
PID 3592 wrote to memory of 900	3592	msedge.exe	82
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 3160	3592	msedge.exe	83
PID 3592 wrote to memory of 4588	3592	msedge.exe	84
PID 3592 wrote to memory of 4588	3592	msedge.exe	84
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85
PID 3592 wrote to memory of 440	3592	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\725e8d9ae336801c70fee436becd9385_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9903a46f8,0x7ff9903a4708,0x7ff9903a4718
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4224482100750265902,17544427381222402878,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
254B

MD5
abd6a5eba9c4b5f9646770fb54745778

SHA1
ef7c130a4159a28d48fa29383cc434c5643e1b88

SHA256
4bf50c364b4622bca6c09eb7fc654db3b8dd66b66aa73ec42a963a38abdf854e

SHA512
8da1ca949e86d57246b02815e684281af68b96841b7715366f630f813d25b373470f1251dcbf1388fbba804401b948d1530acf087fc092a8fceed619955cb952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6610a7a06425e5fe617b8afbba214086

SHA1
701998bd8b6af3a919b3fe6da5be342d4ee4f3a8

SHA256
ed4324b62edb287cbb13066445dd8ffdc040f7d0d7428ef62af361ac0f4d5a8f

SHA512
4cf0b88bb57f880038da30d7ebe8059423786f33b0a359abd9b00be93b5b47ae3b543edb62c5d4443a676ffd8d615c885f53e1cfe8b78b849e6d2dadde991fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf41ab4d7ffb005e5e70c79cd9688e9c

SHA1
ad2966e9c7488feae318f98d0fea0045c4d5e8e0

SHA256
e979d2596f84cf66935799c0ee968b50710e306b429d4fe3d8d2b5f19b58a9bc

SHA512
ff46528ff532b8777f8441d73ac836610c516dc7cf06ac8059a0719b95f12dde9c937cf81079041f62cefa26c39ae4ebafb52d011373ac8850ac2b390ad9b538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba16ec9c027987bd6c7933bd7205c7ec

SHA1
3d1cc374bb4e37c4c9ab296adbac08f1560bf058

SHA256
4f70eba24495fd2d6d1a988753ca56b9570cc814a7f8d5c6d47e264f13d4e658

SHA512
4549c23ff9eb5746e6a424368bbd082b8293bcf39856b9386dbeb60bd4bf4e2a47c4a8da9c6ecebc9c50964b8aa9dfb76ceadf5eb3cb31ea4d1d9e2add33cf7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3bbf2a8fce0b744171a7847e3f9f90a

SHA1
053a8f2e41103d00902fdbe289db7ad15d450e5a

SHA256
8944f485f2437fe6a7bd5c6a4b6fc7bd4c69d93224309e61b4840efc2a69148a

SHA512
7c157484894f3362dc79bbf34365b1d02eeb30d622517f00a36a22e29ab764c5fd47c14a44135b84106458dd2cdfb5d63041516005659defdafc728e3276a29b

Download Submit