Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-05-2024 08:57

Static task: static1

Behavioral task: behavioral1
- Sample: 7899f5f68ad3b1faf9da6865a1fa871a_JaffaCakes118.html
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 7899f5f68ad3b1faf9da6865a1fa871a_JaffaCakes118.html
- Resource: win10v2004-20240508-en
General
- Target: 7899f5f68ad3b1faf9da6865a1fa871a_JaffaCakes118.html
- Size: 185KB
- MD5: 7899f5f68ad3b1faf9da6865a1fa871a
- SHA1: b9c0f53f3ea1a84f3806bddcefad3e9b39e7a2b6
- SHA256: 8c2275fa0af8c89da740482c24da659f27f04db587ba50e037b534edbf12a2f8
- SHA512: cc292c5569ae698fc7fb3df6686ce0cc14195e0da28b75926297178708a23fa3c9996f81fdc61b68e6c41ecf620cc7f392a50a2b277461a5f07d6f11a2e0d340
- SSDEEP: 3072:SMU76M1yyfkMY+BES09JXAnyrZalI+Y5N86QwUdedbFilfO5YFis:SMU76M1sMYod+X3oI+Yn86/U9jFis
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description / ioc / process:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: msedge.exe, msedge.exe, msedge.exe
  pid / process: 4512 msedge.exe (x2); 1476 msedge.exe (x2); 2828 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes: msedge.exe
  pid / process: 1476 msedge.exe (x2)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid / process: 1476 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid / process: 1476 msedge.exe (x24)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description / pid / process / target process: PID 1476 (msedge.exe) wrote to memory of target PIDs 2200, 808, 4512 and 1428 (all msedge.exe); 64 entries in total, each repeated for the same source and target pair.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\7899f5f68ad3b1faf9da6865a1fa871a_JaffaCakes118.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f40f46f8,0x7ff8f40f4708,0x7ff8f40f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,4265076060750927306,3687678358766541137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (level 1)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a8e767fd33edd97d306efb6905f93252
  SHA1: a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
  SHA256: c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
  SHA512: 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 439b5e04ca18c7fb02cf406e6eb24167
  SHA1: e0c5bb6216903934726e3570b7d63295b9d28987
  SHA256: 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
  SHA512: d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 19e1993a64f3aa475ecb756aa3f162c8
  SHA1: 24e6584e68c1293c313136c6a64d8d038fedfc67
  SHA256: e4ed3e365847c50716e354b79bd57f73d4ddf6be1def476bc98f49f41473b08c
  SHA512: 8022a1e5f675591c3023d20a6c27758a2f9a55e62a27cd5e0cae536a378c8de179226e27f1bdb8de30926d39c73b4827d87d22f9001401816e70143f23636068
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 6795407816eae171046b0d443f2fdcbf
  SHA1: 198de437ae94a6be4d38222ca6ade176c8946fe0
  SHA256: a52b3012fbc62db6c7aa30fa4962a4ce8064a1ef48cf80273b658f8a1b589a59
  SHA512: 1829a0b90b80530de1ed9e00757e9b0c1ea24a8bc0dfb4f9175aaddab083bac83b80d2c1dc0e349e8463412f17a217d01289e3f215ae65a1b71cec83930171ec
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 2f866ffef031f29ceb43680bc8176d98
  SHA1: 626e39ac22735de0d8a7790228b2a006c6bef0cf
  SHA256: aa441435258193475417f7257690f92985a54f5d7bead5df34fe438c64eca1aa
  SHA512: e58389ee4ebcab63c6ed64940b7ab69b70d72edf2bf8b4eda7664f28e6c5c6a728f01f1ddd3f6b8834d23a89d320e9d1e5e1f6a29a3a815ef32b7064cfe9a13b
- \??\pipe\LOCAL\crashpad_1476_VBCHTYUSROIFLSRH
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e