d94f103a24813fce071f9bc3ded947d6c9bd586fc8b3e2559d063562d1ad993e

General

Target

78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
Size

155KB
MD5

78a4c9716dcd7ce505cca8b2a6c4102a
SHA1

f8467c69eb8ac556babd9a6895683ee7e28cd720
SHA256

d94f103a24813fce071f9bc3ded947d6c9bd586fc8b3e2559d063562d1ad993e
SHA512

eb2f0789cd0cfbbe422fb58d4dee089352a4cf5c1b3bca918a39ba2ba22c1616b272803ab8a9f7bb45ffc829ec40eb1ad32f9f23336303b991f572d49e9d6700
SSDEEP

3072:ixCCYy9Fh7yfkMY+BES09JXAnyrZalI+YQ:igyThesMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1016	msedge.exe
1016	msedge.exe
3080	msedge.exe
3080	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3500	identity_helper.exe
3500	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3080 wrote to memory of 2184	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2184	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4720	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1016	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1016	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1916	3080	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd179146f8,0x7ffd17914708,0x7ffd17914718
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
2⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
2⤵
PID:700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
94f2d7fe7d75fd271c23b8a98103af21

SHA1
d6bed5f06628a8d25e7ee2ae8cc5c2abe76a7bb4

SHA256
11bd68f3ad6a9b94507cde1234de56260d87a5d3473ead854ed3d8c4f4b906d2

SHA512
ffabe80eff64005c165ae392edc000f613592cef4fa0e06a9f2c2c372f792913b18d6ff379065896de28f647e2857530af76699b3a24754b0c4adcdd269efdee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2db6cb4af2ac8950f18aa4d7047d29d1

SHA1
da9869f474aa864336a355519ce3dab40620a03a

SHA256
ae3097771325f89eff7235ecdd03e8a650d1524aa12e566956c12006cfd4dfe5

SHA512
a12555699f2833fb97b76f790d190cc2942cd760bb22eeaaa2ff5553d29b332741ffc0ec45c8519a239fc7e0e861c8ac30a0bfe6eef061dd0d2604acdbf164f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9c951476e4ad15ec1072bc9003ad99ba

SHA1
9268ae019ef123bfa1e39176bf1171a5e3c5a258

SHA256
a782808d03cdda0f071df72f3625af9e2e938ad253c0d12109a7a4fffbb80c6c

SHA512
606a7ce16841ec2df9ffb6d21744f07605a242d5f11646d4080207335fb918f82fb5c15c53037a381e7ac84789d34914c53292544cea3f5d7a807ef6b85813a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads