32662428cf34b2d2889536e8795f2248f6ad4a4a7e092d370f2bc19491cfa87f

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html
Size

70KB
MD5

836e9b6892a31c06f42e7f49541629bb
SHA1

6a6127dda1268d5eb18ae33b5d26987f668c6eee
SHA256

32662428cf34b2d2889536e8795f2248f6ad4a4a7e092d370f2bc19491cfa87f
SHA512

139046867689748741a420cb0806c8f8ca6cbb1d1c5ecf918b8ea61cbc60ff91d80c027463c20e1f145fd79e842cdf69a85fff67645ea44283ec998b3787ff03
SSDEEP

768:JiMlUcRlgcMWR3sI2PDDnd0g6/dxiwZOAwkyc8oTye1wCZkoTyMdtbBnfBgN8/lM:JGuRlxTvNen0tbrga90hcJNnspv

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
512	msedge.exe
512	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe
512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2320	512	msedge.exe	81
PID 512 wrote to memory of 2320	512	msedge.exe	81
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4336	512	msedge.exe	82
PID 512 wrote to memory of 4744	512	msedge.exe	83
PID 512 wrote to memory of 4744	512	msedge.exe	83
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84
PID 512 wrote to memory of 1240	512	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\836e9b6892a31c06f42e7f49541629bb_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd168946f8,0x7ffd16894708,0x7ffd16894718
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11036327073130665962,14760887776862725745,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5636 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
6564522a9e60b268b8f36ae1da476b44

SHA1
4d35209d1425000f63fd0b67d6d464e7d5ee5638

SHA256
e5587793cead93b6b3bb3b5228fd5abce8bb5a6da663675177e4602356bef0cb

SHA512
c1610cfc6f5ed47aaefa5cf57c20476ceaca63f0e149e70417c111d7eea05d4064e58ad2875a59990379d8ca886a47bce2cee6e7d8f599d3c3f1bb9d25b37473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
410B

MD5
a887d3e3e32e7826c6c413b1e79dcc3e

SHA1
85461d77fd4df8a1babef7c2e7a133e1ba14d604

SHA256
19dd7a56d7298279d82a92ebd94ec996897e7a6edf08779dbce22df5f9b68158

SHA512
cf125906f9ed62ef671bf3ca7451bece2de06a32fb671ea64c1a89eb17439524da943e118af8385932fd5e622bc692d25329ddbe5fd9ea5a5deb09797d61e46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37dd824910365ae0cc7e306330305398

SHA1
f72155f41f5b9c8b161168acb857cab34d4f70ad

SHA256
0457effbac27234ec530ab6827c493c0d28298c43f8f1171185bd7b2213ec10a

SHA512
5a1627a5e489782eb2823819e5cd7b23f4fe719d0c609118085de0b15978005cc493e8e1ffbaf44f00f2657d30da36ba9e6609c9b1b65c74c2f35b39e17f71f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65242b5ba45035bb2aa446b2a77c42cd

SHA1
269b343f60e775638b5c8863f5425d122bbdfd35

SHA256
c2ae1c31feba9a4f1a5283bf31cbeaeeb48416afb577a147a10e2c7da477b857

SHA512
36e400cb130f9f93e7a9d95a35b2ed0c94ae0203811e04d153b98daf875a86a8070e739abc5da1bad819e19c46ac9f349209bd261beef07c01649dac9bfcc1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be58f3846b4119e334a5308af2fe15d0

SHA1
d2fdffbf3f245851258abd6c8c2de4a1f1b90f78

SHA256
4e07d0dc6c09c7c9b07ef51fa3198fed8cc04bce7d58b04ed5a0dcc37ad45bae

SHA512
6933754ce6537f8a2c1c9c67d02845b728221f269f464286c47f187298aa7da57a7fa7fe0620992d2bedde58d4bf8c0d22b5bc2c6c9fa7f70cb63fb915b80490

Download Submit