ae978daa7ea2e01d63319c912c2b3e40d49dcbf5effc81d5fff6bdc207f3499b

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72a60c0b666c7a0b3bec1eb5d35cd88a_JaffaCakes118.html
Size

37KB
MD5

72a60c0b666c7a0b3bec1eb5d35cd88a
SHA1

fec3d0064dbddfaa42d26e9648deb877b965099e
SHA256

ae978daa7ea2e01d63319c912c2b3e40d49dcbf5effc81d5fff6bdc207f3499b
SHA512

94c739b069e0c1df0bfac5329661b62bf02b65a57ce57bccd1482ffa183dbc2395c492b2e5f4677ce7235856ab47f5a7a8f82b4880341b5ccb80e83fe428fbbf
SSDEEP

768:U+0MIKWF8IKLCQ0d5hlNWOIhKIybu64sBDEgdDCpELC+pHq+9xJ71qhvIVWEk4:U+0HKKu0nkOIwbuZsBDNCpEGgh7khQV3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
912	msedge.exe
912	msedge.exe
1356	msedge.exe
1356	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe
1356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 4324	1356	msedge.exe	83
PID 1356 wrote to memory of 4324	1356	msedge.exe	83
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 3012	1356	msedge.exe	84
PID 1356 wrote to memory of 912	1356	msedge.exe	85
PID 1356 wrote to memory of 912	1356	msedge.exe	85
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86
PID 1356 wrote to memory of 3648	1356	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\72a60c0b666c7a0b3bec1eb5d35cd88a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8354246f8,0x7ff835424708,0x7ff835424718
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16693052275310152855,18173297453387402270,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
194B

MD5
17b464c51c18feaf600dd9534722f8c7

SHA1
9eaa3139907b000c4ac5568e25976dcf640e4733

SHA256
519930b7d766baf91b68c30e9753508fcd83ae1d678172efdf66c50d5b0ca633

SHA512
762ab5714d3d45b44658dc5a8034d8ee6a8be2c7098be553cf8e01cbb6318d6c53a39859fb9b07769286b8d3b291e3c74945cdc88028db4fd4522fc687b6a620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c3255d4062e2129021846e955fec5db0

SHA1
428e66cb5165af2ab41a88daaf0f74e8666391b4

SHA256
f2ac9f1104f63cc3b7d95185c765bb12d568d92ede638495ea4ebe736a1fb99b

SHA512
7e808402c38331ab0dad3524c18b20b2d915aecc3c0d5136ed784e23c87a73e29b38fe8609642d84419f7d48160b88c9eb488cf07af7b5892c1aacaa2cbc64d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6ee51193900a7a0a060ddae9cd3c856

SHA1
6303783d625b7925201c86becd616784ffa5c4b1

SHA256
223c8670388a2a84d9a35c2e982cbd5f8dc2c5f15acc6f5b1eadb9ee7986cfea

SHA512
db20437f91e04ed6dfd09e967543382f9bdc6ca99367439a52621fe66fde813ae41d51863886aaf5f35107df7c70ef4f3220ec1b4253e7a85dc941569e38f0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9531d57a6751836ebed8db25d032abd2

SHA1
51bc37d74c15d7273f19c18992737ba3a2d25da8

SHA256
e7171dbc64496d49ce7b67de610f1c58875f11e9dafb9158e42bd87d7dd74a5c

SHA512
aa903c01c19a6fa8237ebc6830786a011f992fda4d91fa22fe18f16e0557796deee8ec2eaabc613c21ba81b77e5aa6fdda77eb188924e7ea34a72a06ae739b8f

Download Submit