Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/05/2024, 15:45
- Static task: static1
- Behavioral task behavioral1: sample 8786d8b32eecc82f5b9e7e9017d492aa_JaffaCakes118.html, resource win7-20240221-en
- Behavioral task behavioral2: sample 8786d8b32eecc82f5b9e7e9017d492aa_JaffaCakes118.html, resource win10v2004-20240508-en

General
- Target: 8786d8b32eecc82f5b9e7e9017d492aa_JaffaCakes118.html
- Size: 30KB
- MD5: 8786d8b32eecc82f5b9e7e9017d492aa
- SHA1: 928021c32e8030e752285c3a22cd1170217555ef
- SHA256: aac304b8239cb986566e71f857ddd4a7b13480108818391715d7a74e29044e1d
- SHA512: 247322f2a2787a7c380c7222898a228e2ff5569efc148fde12d18178778b2aa6a3210aec4cb7550353f3316e68c44701c3f8d0090e9d8413fb23d37f17bc2940
- SSDEEP: 384:SNd/mscacHcicTc6c+fSrHx84JNliFz907CnUK2yPk2dU7+2U:Sjpmr0xSrO4JniV9NUK27Z7i
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / process:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / process: 3088 msedge.exe (2 entries), 4228 msedge.exe (2 entries), 1204 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid / process: 4228 msedge.exe (2 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / process: 4228 msedge.exe (all 25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / process: 4228 msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / procid_target: PID 4228 (msedge.exe) wrote to memory of PID 4804 (procid_target 83), PID 4856 (procid_target 84), PID 3088 (procid_target 85) and PID 3676 (procid_target 86); the 64 entries are repeats of these four parent/child pairs
Processes
- PID 4228 (depth 1): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8786d8b32eecc82f5b9e7e9017d492aa_JaffaCakes118.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - PID 4804 (depth 2, crashpad-handler): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6b4b46f8,0x7ffe6b4b4708,0x7ffe6b4b4718
  - PID 4856 (depth 2, gpu-process): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  - PID 3088 (depth 2, utility: network.mojom.NetworkService): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - PID 3676 (depth 2, utility: storage.mojom.StorageService): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  - PID 2364 (depth 2, renderer): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  - PID 4844 (depth 2, renderer): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  - PID 1204 (depth 2, gpu-process): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4084102366551458144,1932449590191824449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- PID 2520 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2740 (depth 1): C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Six dropped files recorded, with sizes 152B, 152B, 5KB, 6KB, 6KB and 11KB; the 5KB file is C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4bacd3c7-7cfa-49cf-a8d9-afed9e3bcc7d.tmp