55b0ab37c0085ae620584fec81cfd57ad3b529fabd37b5b1a2fe513770eaac0c

General

Target

77d9f7c638a22877009f2a3d9196ce47_JaffaCakes118.html
Size

159KB
MD5

77d9f7c638a22877009f2a3d9196ce47
SHA1

9434355dbba48839db35f9c106c34ab0854f0e38
SHA256

55b0ab37c0085ae620584fec81cfd57ad3b529fabd37b5b1a2fe513770eaac0c
SHA512

95901adc62803932f4db854e6a2316d2731f7b00a54488bde5d80c788be712bc87bd8d642cf7b61f9d19fb3bed003b10be21d2c72e199e65bc242cce6a0b21ae
SSDEEP

3072:i1bbf0ZK6KayfkMY+BES09JXAnyrZalI+YQ:ilOK1/sMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1436 msedge.exe
1436 msedge.exe
4800 msedge.exe
4800 msedge.exe
2496 msedge.exe
2496 msedge.exe
2496 msedge.exe
2496 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4800 msedge.exe
4800 msedge.exe

pid	process
1436	msedge.exe
1436	msedge.exe
4800	msedge.exe
4800	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4800 wrote to memory of 4160	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 4160	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 3732	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 1436	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 1436	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe
PID 4800 wrote to memory of 5096	4800	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\77d9f7c638a22877009f2a3d9196ce47_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe40aa46f8,0x7ffe40aa4708,0x7ffe40aa4718
2⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11499718070163654836,9804890909406205731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
77ec5f39e625a63a4ccb8b0bf1fc4e6c

SHA1
a481b0ef4af1f47ae81d09f105f6255652972f50

SHA256
ad29b22377af829435234169a64f130c0d376edad85bb5ad32d3a9857dac7e06

SHA512
27d606aa5139ff69ae52d39640c1e0dd458008651ab8be6d61e50b50cfeca426dc061e00c2332a5a6b63281a9b0d3c2808eebc73013fd27ca50adfaa8a7dbb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5fb759c98e8678f6562f5b9d160ae02f

SHA1
7ee9d1dbc55bbdbeacfeda09ac27422c1c46a4b0

SHA256
64b20506ad27fddec13dda4a71340fd68232dcef26634bb042ff9b8d5b36c3b7

SHA512
94728ab33f7fa7d3a049571a62c179fbdf703cc7e3359977f1ff460e19132181bb14d185013034e931faffb0901fe44c8a8e571746a7b54b4c2058c10eea88aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d4f4c23e777bea676960e3d8b5065ca1

SHA1
0bf1767d6184494d164d3ef56bbeaa45fdd66f20

SHA256
ddbac11c2f68b14d9fc9da509753796b247a5fa420c01e71a8d289d621853a30

SHA512
eff8f21beff0b584a5ad3fb4a33ec3700ba0628ec5163a1c86fd9ec10f2d2a77cbf03e43e15693c63c349f3fc50d2c3fac8be47d04a8c9772403f2d08612f6d7

Download Submit
\??\pipe\LOCAL\crashpad_4800_QYCOBHJICIYHEBGT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads