Analysis

max time kernel: 139s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 09:13
Static task: static1

Behavioral task: behavioral1
  Sample: 78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General

Target: 78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
Size: 155KB
MD5: 78a4c9716dcd7ce505cca8b2a6c4102a
SHA1: f8467c69eb8ac556babd9a6895683ee7e28cd720
SHA256: d94f103a24813fce071f9bc3ded947d6c9bd586fc8b3e2559d063562d1ad993e
SHA512: eb2f0789cd0cfbbe422fb58d4dee089352a4cf5c1b3bca918a39ba2ba22c1616b272803ab8a9f7bb45ffc829ec40eb1ad32f9f23336303b991f572d49e9d6700
SSDEEP: 3072:ixCCYy9Fh7yfkMY+BES09JXAnyrZalI+YQ:igyThesMYod+X3oI+YQ
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process
  1016  msedge.exe (2 entries)
  3080  msedge.exe (2 entries)
  3196  msedge.exe (4 entries)
  3500  identity_helper.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   process
  3080  msedge.exe (6 entries)
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   process
  3080  msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process
  3080  msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   process     target process
  PID 3080 wrote to memory of 2184     3080  msedge.exe  msedge.exe  (2 entries)
  PID 3080 wrote to memory of 4720     3080  msedge.exe  msedge.exe  (repeated)
  PID 3080 wrote to memory of 1016     3080  msedge.exe  msedge.exe  (2 entries)
  PID 3080 wrote to memory of 1916     3080  msedge.exe  msedge.exe  (repeated)
  All 64 entries have the browser process (PID 3080, msedge.exe) as writer and another msedge.exe process as target.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 1]
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd179146f8,0x7ffd17914708,0x7ffd17914718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,457238947281567847,3394739908017985826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  [depth 1]
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [depth 1]
  C:\Windows\System32\CompPkgSrv.exe -Embedding
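Every signature in this report fires on the browser process itself (PID 3080, msedge.exe), every WriteProcessMemory target is another msedge.exe launched from the same install directory, and the only non-Edge processes in the tree are two CompPkgSrv.exe instances started with -Embedding at the top level rather than under the browser. That pattern is what a Chromium browser opening a local HTML file looks like, so the triage question is simply whether anything outside the browser's own process family appears. The Python below is an added example, not part of the sandbox's output or tooling: it parses the report's WriteProcessMemory IoC lines and process command lines (constructed, shortened copies of the ones above) and applies that rule. EDGE_DIR, EDGE_FAMILY and the treatment of a top-level -Embedding launch as a DCOM activation are the example's own assumptions.

```python
import re

# Assumptions of this example (not taken from the report): the browser's install
# directory and the binaries that legitimately belong to it.
EDGE_DIR = r"c:\program files (x86)\microsoft\edge\application"
EDGE_FAMILY = {"msedge.exe", "identity_helper.exe"}

# Constructed sample: one line per distinct (writer, target) pair taken from the
# report's "Suspicious use of WriteProcessMemory" IoCs (the report repeats them).
WPM_LOG = """\
PID 3080 wrote to memory of 2184 3080 msedge.exe msedge.exe
PID 3080 wrote to memory of 4720 3080 msedge.exe msedge.exe
PID 3080 wrote to memory of 1016 3080 msedge.exe msedge.exe
PID 3080 wrote to memory of 1916 3080 msedge.exe msedge.exe
"""

# Constructed sample: command lines from the report's process tree, shortened.
CMDLINES = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\78a4c9716dcd7ce505cca8b2a6c4102a_JaffaCakes118.html',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2108 /prefetch:2',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none /prefetch:3',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility /prefetch:8',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=6 /prefetch:1',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none /prefetch:8',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
FLAG_RE = re.compile(r'--([\w.-]+)(?:=("[^"]*"|\S*))?')


def parse_wpm(log):
    """Parse IoC lines into (writer_pid, target_pid, writer_image, target_image)."""
    return [(int(w), int(t), wi.lower(), ti.lower()) for w, t, wi, ti in WPM_RE.findall(log)]


def parse_cmdline(cmdline):
    """Split a command line into its image path and its Chromium-style --flags.
    Quoted values containing spaces are only partly captured; the flags used
    below (type, utility-sub-type, service-sandbox-type) never contain spaces."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    flags = {k: v.strip('"') for k, v in FLAG_RE.findall(rest)}
    return image, flags


def triage(wpm_log, cmdlines):
    """Return {'alerts': [...], 'info': [...]}: alerts are behaviours the browser
    family does not explain; info items are expected but worth knowing."""
    alerts, info = [], []
    for writer, target, w_img, t_img in parse_wpm(wpm_log):
        if w_img in EDGE_FAMILY and t_img in EDGE_FAMILY:
            continue  # browser process setting up one of its own children
        alerts.append(f"cross-process write outside the browser family: "
                      f"{w_img} ({writer}) -> {t_img} ({target})")
    for cl in cmdlines:
        image, flags = parse_cmdline(cl)
        name = image.rsplit("\\", 1)[-1].lower()
        if image.lower().startswith(EDGE_DIR) and name in EDGE_FAMILY:
            role = flags.get("utility-sub-type") or flags.get("type", "browser")
            if flags.get("service-sandbox-type") == "none":
                info.append(f"unsandboxed service: {role} in {name}")
        elif "-Embedding" in cl.split():
            # Heuristic (assumption): a top-level "-Embedding" launch is a DCOM
            # activation by the system, not a process spawned by the sample.
            info.append(f"DCOM-activated server, not a child of the sample: {name}")
        else:
            alerts.append(f"non-browser process in tree: {cl}")
    return {"alerts": alerts, "info": info}


if __name__ == "__main__":
    for level, items in triage(WPM_LOG, CMDLINES).items():
        for item in items:
            print(f"[{level}] {item}")
```

On this report the alerts list stays empty and the info list records the two utility services that run with --service-sandbox-type=none (the network service and the WinRT app-id helper) plus the DCOM-launched CompPkgSrv.exe. A single write from msedge.exe into a non-Edge image, or a child whose image is not under the Edge install directory, is what would turn the verdict from browser noise into something to investigate.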
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 94f2d7fe7d75fd271c23b8a98103af21
  SHA1: d6bed5f06628a8d25e7ee2ae8cc5c2abe76a7bb4
  SHA256: 11bd68f3ad6a9b94507cde1234de56260d87a5d3473ead854ed3d8c4f4b906d2
  SHA512: ffabe80eff64005c165ae392edc000f613592cef4fa0e06a9f2c2c372f792913b18d6ff379065896de28f647e2857530af76699b3a24754b0c4adcdd269efdee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 2db6cb4af2ac8950f18aa4d7047d29d1
  SHA1: da9869f474aa864336a355519ce3dab40620a03a
  SHA256: ae3097771325f89eff7235ecdd03e8a650d1524aa12e566956c12006cfd4dfe5
  SHA512: a12555699f2833fb97b76f790d190cc2942cd760bb22eeaaa2ff5553d29b332741ffc0ec45c8519a239fc7e0e861c8ac30a0bfe6eef061dd0d2604acdbf164f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 9c951476e4ad15ec1072bc9003ad99ba
  SHA1: 9268ae019ef123bfa1e39176bf1171a5e3c5a258
  SHA256: a782808d03cdda0f071df72f3625af9e2e938ad253c0d12109a7a4fffbb80c6c
  SHA512: 606a7ce16841ec2df9ffb6d21744f07605a242d5f11646d4080207335fb918f82fb5c15c53037a381e7ac84789d34914c53292544cea3f5d7a807ef6b85813a5