80569f95eb7b77beec6a198404ec7980eba1079d27323407493658c22b0bb82e

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0a8385600cd31352bb623a79c11d3e_JaffaCakes118.html
Size

71KB
MD5

7b0a8385600cd31352bb623a79c11d3e
SHA1

64a0ff691683a2d1f2e2d6aa26697f8bba87614d
SHA256

80569f95eb7b77beec6a198404ec7980eba1079d27323407493658c22b0bb82e
SHA512

5959728419e4099fad7a8f87f91ca0726d500c667db2ea0c9dee0446743ba60c1ffb49da3107f1bddeffaee2429ec980400bf78e72a385d936647f8d88e80978
SSDEEP

1536:y7Vi+ue9dMqghFDCke8W03Gl6jI7n6Qm/pY+LMhy:y7VtlYqghFDCWW03U6jI7xm/pN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
3792	msedge.exe
3792	msedge.exe
3740	identity_helper.exe
3740	identity_helper.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 228	3792	msedge.exe	81
PID 3792 wrote to memory of 228	3792	msedge.exe	81
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 3820	3792	msedge.exe	82
PID 3792 wrote to memory of 384	3792	msedge.exe	83
PID 3792 wrote to memory of 384	3792	msedge.exe	83
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84
PID 3792 wrote to memory of 3656	3792	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\7b0a8385600cd31352bb623a79c11d3e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84b6d46f8,0x7ff84b6d4708,0x7ff84b6d4718
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1324 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,18022602294166634421,14738425435891093301,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4196 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
670B

MD5
1fd4e4dab1467f7b89542dd1e69eeded

SHA1
c7cc81b7e0ec266f716d64219c2ab79fd5f8ebad

SHA256
242e964eceb4dfa0b7f6f6208f00fc249706d9239e462f1b37bee3cba97813fd

SHA512
8aaf5447678d2996cf7a958a3ebeb379c64cfc8ec13f087f95d40b262fd6a5e4eb0b1f337233da32bf2cfee3fac03589bf15a8b3942a3ccd7087ea39b175876c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6bc4e16e93020690ec2feeea9a0f26ed

SHA1
c0b271a7117cfce948c689d2bed661d8a9abe1f8

SHA256
774e3d3dc8da6cf1774ccc2cad6af02b47fc277ad42edf52355b17db0ab53538

SHA512
f592d436937c1bc02b3aa2e01c6d9fb4c3cd3cddacc7f06ef4a8397935c9c01b92fefebabca1cb01cfab7d32d40bd061f6c71307935d911afd0c7291e421e4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
211223d784c101078ede96d793f53feb

SHA1
2350a6f027948f8de4f672f2c87e39c784c018d5

SHA256
cc453bf28fa6ed98e7d51224689c5ceb000c992906357100cbeb149dbcd3906f

SHA512
1fa9a4a48a619654566220cbd03f802a7f2092d84fe854e4a9e1e0191ca8ae9e625481e7fe87e1fd2c8689d388bde22018dbc408bc0172b74e0f99a5a698d340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
1340f35adb9762cb53e0102ed14927ae

SHA1
cdb2a6df778346f994589240785c11c1ea6fd20d

SHA256
a36175af1bc95c44b97d5e49b849e2df71781f84fcd9104bb222ce61f00c7cdf

SHA512
13395f1717bf3afc387b17d24491abcc8046a8217af2da7ecbcce25a853abb865cb8fe12198b47a9df00d5bd40a9773123607f499dc47a0f85b4b240a3d74a2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581875.TMP

Filesize
371B

MD5
445d0b4507ae7f52fb5787ce6ec52110

SHA1
806c06de56612e1f685bed0c868dcf7c8570d9cf

SHA256
55cb00d8a5cfe5c322fc62ba2341f5b5c65308b885747c23878aad4681ceeacf

SHA512
1b619d2b90a043819847fd7e2b88377a15dd52eef610d4cc2d7f81d5459f11f59105baebc9c3c86960ab52802777768da8574a00dca3377542c37ce0b0f21455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7805211038d7e757dc7f20622e977e7b

SHA1
b5513c9c9010c2c249b40f416e5211cb9fa43c47

SHA256
2e8508066540fba8872430a6277f0a2acc07774543745f15f854e92a6ec99281

SHA512
5d67b3f8864782343409fa63e6a271f22edf0dd5c723ce8447c3252cb53bfe8f4bc9eaf465edf7cee470859e77bb1423bbb4e4ac6c54d6d1b8bacab320d8a293

Download Submit