85e102eaeb3eb3dc8807c31e76325b817ebeb1b9d36c20182cdf61baafc507e6

General

Target

85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html
Size

207KB
MD5

85cd9f5023142b5edbeea0158c2a9fe3
SHA1

5cc50f80ee47b2f523602298e6e837992aed7734
SHA256

85e102eaeb3eb3dc8807c31e76325b817ebeb1b9d36c20182cdf61baafc507e6
SHA512

8413b745ed5f542041d5350c49442c417b31107ba220b59fe5a3bc9ca459418b35e21188256b08a5cd66d5dbbadaf5740ba8b48be7b548fcb100f5876511d8cd
SSDEEP

6144:ijsMYod+X3oI+Yk9TSTQ+u1+/YVSqyMwVE9AmO0fAHm/guky2P:C5d+X3S9TSTQ+u1+/YVSqyMwVE9AmO0o

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1612 msedge.exe
1612 msedge.exe
4660 msedge.exe
4660 msedge.exe
384 msedge.exe
384 msedge.exe
384 msedge.exe
384 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4660 msedge.exe
4660 msedge.exe

pid	process
1612	msedge.exe
1612	msedge.exe
4660	msedge.exe
4660	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4660 wrote to memory of 3740	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 3740	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 4232	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 1612	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 1612	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe
PID 4660 wrote to memory of 2044	4660	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\85cd9f5023142b5edbeea0158c2a9fe3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b7db46f8,0x7ff9b7db4708,0x7ff9b7db4718
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,17136386818018550487,13488653935565182360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fb6a98f5802bc60af3ba1728c1fa072

SHA1
45b06539abeeabe4a32dd6485cfd41fe7c079774

SHA256
162d10d5bac0130082a6f710aa77a743ffbd036536a4d2a604617e9fed831a94

SHA512
17723843ff18fa1287dea559d8ffff2b4cda148be93f4b0e9094c397dbd458844dc5065491c01508fbe0b6667e834c99ab74060112a5b6909d6f0b18f93d9026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
066fae16af084af80e60e7bbd2b5126d

SHA1
7ec43321df8ed8af0e026295f2d85a2f96c259a0

SHA256
7cb39491d870fa7a0ef7390f2718857dc72b5d151660d6bedd474a09a5e10868

SHA512
a978c2af969248d8a5e6f81ee3a98e6893977eba9562b7ef073e29774450cb91c1bfcc11cb5dbf32e63a21d838d736cf43ec5c988d55a91fd148577d609cf5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab9400f3-6a9f-468f-bfd1-69469f9e5bb5.tmp

Filesize
5KB

MD5
5f1f833fccedf07ff895887f36670c5b

SHA1
6abfd3d07985231a5d38e0ec63d381450d18dc32

SHA256
1fac653329f3a8fd4b758c3c6831569456cd83ae750671518cc25f15405b2638

SHA512
3d97b6e5cdb7dba6e1baaa0f12d2e411d3bd2d3c223d8fa8cbc2eb0ecb937ab56f169c5db143f12fcba4e18a539ae6f8c01a7e819770c5d060e9033c39d47a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e460411095bd67c3715fceba1104ecf9

SHA1
774437b99a12f36b334f37c510a29423c359d8ad

SHA256
2d958bffc20c378104a48f006298fe3cd645c6f06e734787cdee5f8b141ea6f6

SHA512
e3e1b2d67b3e48bb4280d070a41f19ce089a14def0d7059364af208d2063f0705471a995e9085076d948368a68d4e2c734063f50711d49eba25574dfba9e95c8

Download Submit
\??\pipe\LOCAL\crashpad_4660_ATXMIJEHSOJCDKSP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads