b05ae98de73b256f73fc49aacb8513be4f99af596cd85e8b53e07339dbb122ca

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 21:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7346615ebe9c0fd7b41a83298932488e_JaffaCakes118.html
Size

27KB
MD5

7346615ebe9c0fd7b41a83298932488e
SHA1

1bfa1b30a336212de1a9874ce346efdddcb28e0f
SHA256

b05ae98de73b256f73fc49aacb8513be4f99af596cd85e8b53e07339dbb122ca
SHA512

f9e60ec0b9253da481e6ee516b7093d73dac2b568295ca4256287a67792b0b9990d90c149ee81430ccfe2ef893c78ab2ecd15768d46b9838b95630232400fc6f
SSDEEP

192:uwfIb5n3OnQjxn5Q/mnQieFNninQOkEntesnQTbnxnQ9epBm6uDTUKglGQl7MBl4:OQ/AkrqTsS/YDX

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
1628	msedge.exe
1628	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe
1628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3760	1628	msedge.exe	85
PID 1628 wrote to memory of 3760	1628	msedge.exe	85
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 5064	1628	msedge.exe	86
PID 1628 wrote to memory of 1336	1628	msedge.exe	87
PID 1628 wrote to memory of 1336	1628	msedge.exe	87
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88
PID 1628 wrote to memory of 1324	1628	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\7346615ebe9c0fd7b41a83298932488e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff810c446f8,0x7ff810c44708,0x7ff810c44718
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5494786791727414577,14682621847442361665,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
69c562e1ae4799f638370bcac3ed66c6

SHA1
1c7e0a4db6279cd0a3a3267b60facdab5d5811b4

SHA256
d9c33d14ccd85d2384d2badf50055d399da465b48136ffa2a59bea8c16a8ad1f

SHA512
4252d6d44c56c083e17824308090ac76be5ed39d35b16e7920e5bd334692abcfd081ddaac977aad5038733a1fc753cbe41fdc60397eff210039ef0f53ac4bacc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9edc327b6845716c3276d655da45554

SHA1
e01a66ced2d4b084785504d2f8f097235587d974

SHA256
f4fd54fe916a9ccfd6c34643e7bfd678ffca0f8d6b5e9f5a1e24fd9168978021

SHA512
2b65317e4407b8d93c5a7be03de09b7feed8a0c5d364cf12f303dcea7ff7fe58e91da22729897f6c468b6a0e1c6a30e7a979432b12ecdc28d0a24ff0bf9d282b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2994b08e0368b756884226caf6d93ae2

SHA1
1e73ec08f237d50ed0f3f0959a9340c815391937

SHA256
b8d38d94fb9544cec623e5ab6e4a5719c107b5ef19d977fc689430c1235ff260

SHA512
81e6ec2b128e3f976d5e6fb3b5d26b102977caa9fa0c0f1123fe5b41e61a1db80ef9cf67e27dafe06b008a960d4823c6171c1189ab0cb776de3b3a5e1c9708be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d825eba152a6e2d2f009dfe3455a49c3

SHA1
4607139fbfa320a46914ef8a1988db26c5918a4e

SHA256
afd061181d38858b66c38492cbbc4dfc6643a97d060439a943b4f27462393050

SHA512
a1488fc8e75db737fffe87f32805300ed1d9d5709e8bc0faf0e6b0abd981af8f92c7a2d3c590f8b8987b5ef0da2750f97efc2ad992071ec7305a86b72fb3bf55

Download Submit