d19f6a0531b7f46d9bebb608d94207dd29291edf673b91099f89882e8d049753

General

Target

72a72eeb397a1302f5709a40c74b9beb_JaffaCakes118.html
Size

342KB
MD5

72a72eeb397a1302f5709a40c74b9beb
SHA1

f376fb6c38a76779882992341a6dac5688a40074
SHA256

d19f6a0531b7f46d9bebb608d94207dd29291edf673b91099f89882e8d049753
SHA512

e4458dd1dc16a627eff75a437117f921d80126f7ff0e80c797fbc3f54173a4d286f15de2e88c6e0d7cdc24920763a80b6bf8684ab1bf0b4d77ecb36870c0ab00
SSDEEP

6144:SrTsMYod+X3oI+Y5QsMYod+X3oI+YZsMYod+X3oI+YQ:on5d+X3u5d+X3L5d+X3+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1240 msedge.exe
1240 msedge.exe
4944 msedge.exe
4944 msedge.exe
628 msedge.exe
628 msedge.exe
628 msedge.exe
628 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4944 msedge.exe
4944 msedge.exe

pid	process
1240	msedge.exe
1240	msedge.exe
4944	msedge.exe
4944	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4944 wrote to memory of 4568	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4568	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 3320	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 1240	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 1240	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 4204	4944	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\72a72eeb397a1302f5709a40c74b9beb_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe676e46f8,0x7ffe676e4708,0x7ffe676e4718
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12591111942246304913,6740915972132931971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec8f0ffeba06fad71d425ea523407b17

SHA1
d555452f5f6324cf357751f0555e7efc9c9069da

SHA256
e6a0d3706a484985e29dd610fae7b554ad1cf3d6fda23f127e892500aae47571

SHA512
2c45dc547cbe2abb3fc9fe5fa93910992c0afd1d5d7bbc81ba58b50d33b8909c5eb7b5d6a082e30ba2736ca30531de03848bfae0ce9c51cf74edb315e4f8af47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
235eb84a3680e7c341d4cc6714d31351

SHA1
db98f20eef6671716a2a29059b9daca60927994a

SHA256
148a6eb538e4541b53f16d8441235d01db8a5021afa4417bd3774bc02bee0210

SHA512
aa1ad90998aa8b4fc0e62bb6770def52380db88736a449d0562d613151ee821a66c9fb43b165462ccc6195c9bc664c4e6fef3bcf5c4d4f92f54c4298d039c587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0feba5727134731427dbd4edc3d47fb6

SHA1
f36dd1baae8a14f87a9d09f4e1e07f5772ad97cf

SHA256
7dabe33596cb57173327e9b4170a39b801ae39abdf67ee048dddb785f12603b7

SHA512
96149b30cfe867d1f697d92d6d70ba3adf35404f5b64b28a7a514202652572351c5f6e2fd2b3a2ec1cb5b772cecff16ceab63c60a390bc4e026babbfc3f5046a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
071d1c514109c6b75857b5761ef20c56

SHA1
a364240b6e05d979c6c522b07e55cc0d1b859ba6

SHA256
3f3ba4e499af31a4320ac2b060700297ba6e75da111e96dfa47cd507f362ba01

SHA512
0cde9ea503b9cb1a3c64bc9f1ad9e6f80f887c8576d9825b9cab5b905d1cb75bbce64e0d2a7d1baef785b1f71233e75a587d2bc78ad99253cf2a09b07865961a

Download Submit
\??\pipe\LOCAL\crashpad_4944_PGXOZMKGSJSPXFWV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads