869c6fa2cc3033fae1c1cfe9d971369052ef623472562a026bc56e857504ff0a

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

795f3ae3ea3007c2b7e3c21d1b9d0f39_JaffaCakes118.html
Size

77KB
MD5

795f3ae3ea3007c2b7e3c21d1b9d0f39
SHA1

631974a5eb4b1c81d9c641fe3457a05dc982f05f
SHA256

869c6fa2cc3033fae1c1cfe9d971369052ef623472562a026bc56e857504ff0a
SHA512

5d0f3a9de02674b8eb1821b6e46a1dfa9194264c43f1fcad39d8c4dd27089018b4d93f5eff1e3d9ae139a009e8bc38165ff23e74c2b97ac8277e21dc66ce0f3d
SSDEEP

1536:h+ycJI5qEjvgFq9tHauMUbc9Yq9tjTPymOIOII:L1Mq99aKWYq9RTPG

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4136	msedge.exe
4136	msedge.exe
2500	msedge.exe
2500	msedge.exe
1800	identity_helper.exe
1800	identity_helper.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4928	2500	msedge.exe	83
PID 2500 wrote to memory of 4928	2500	msedge.exe	83
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 1196	2500	msedge.exe	84
PID 2500 wrote to memory of 4136	2500	msedge.exe	85
PID 2500 wrote to memory of 4136	2500	msedge.exe	85
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86
PID 2500 wrote to memory of 3440	2500	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\795f3ae3ea3007c2b7e3c21d1b9d0f39_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d646f8,0x7ffa05d64708,0x7ffa05d64718
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6436165745417972212,7177013164449238449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
637B

MD5
62a660643c8ecf3fff96d422092dc181

SHA1
f67c0e5376cf3b1d786f719009d3b364d9a69db2

SHA256
a5907e7e1601fbd251bc54d164a732f59c272eb854a1d8f2087c3cd28edeb51b

SHA512
013b97f521b74934888c6f3a8b8aca0b9be1f011a15c1fe2467c7348124f69e0fb1e03037ffc198835d582be3becdc2de4aa1dee8f5526370b3324e44923d242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
637B

MD5
61cef41cb59d9384a8fceb7e6672d37c

SHA1
4f33d680d02106663e1fbef501065a92cdf214fb

SHA256
d479b7c923ffb312c54f12e9b821b703101cf243bc5e7818f8ee60cf831e953d

SHA512
82067700197f16a40a4c652c7934ae115c2409e5ecd28244d02007f09b9e4e0ed8ecf309ec7cb429a65615860713dd7ddd04e88e3cc81a64c897a99bd67876df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f50e50de4cb73e8797beb7e78656d472

SHA1
522ca5f2bf86759a7665d865fc2db50f77a31df7

SHA256
5ec93917f35c8109738e76d659d382413bf23dfd936220a25eb2307ef274451c

SHA512
43fcdf94cf2d60e45b0c966c3ffc6e1f46ab223cfa8690a04d72b69a0af49252f6af47e9100658c553a821cf4da2a7205e8233574c321a90ef8640565af36701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b45ca148d2c5a145e4f5b642a6d26d3

SHA1
15e2c4366fce6ade5126cbe099bd0a683804e046

SHA256
1fd28a11a301f231ac64f795f1fd685151eb634bd6cfeb277bf719a19fd293a4

SHA512
2a05da72174bf341658521b08db01929b9d792ada227ce13e97e4294202a5db36084e83f1b1f90fc5cdc518c361f6d0066e51e8c5cf59a8ef255c1d90e582100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8e4d487d4dd10892689f48d9b3c8274f

SHA1
e4cbf70ea5be73d9de0fa9632b03042430b89639

SHA256
1e701aec88f070169ebeabb8a35314045640cba28daa287ccc6e72033f4fe827

SHA512
0e65625cd20d2cd7b917516be57b799c3508ddae5b36ba3517f4558441ec538ca3e2c31ab52f7110e1da9d1b7d1b977bdd176c80b027ab2f50045d566a1b99d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ffd5532e351ecdb02163cff78fc639a4

SHA1
23d7f22196ac863474bb206f266f75aecd669b81

SHA256
e889ef6906c108c7b0f748cfa0abe1d448e39eb89ebb3f2b03116470a41b00ae

SHA512
4b9f5ecce63dc7fa42606dd36ce2cfe694713bcdc1b0af2df6f615514158d0344c6890cbdc7291ef7555ace3ae8ccaf1bb1775146d910671ab89a7b8e13e1845

Download Submit