38a6e0fdd060ba2a373668720eaced0d7488871b91c9316ef86c531cd919476f

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f72a2f7618177d76b1eaf6a1bcb01c3_JaffaCakes118.html
Size

14KB
MD5

8f72a2f7618177d76b1eaf6a1bcb01c3
SHA1

fa04fab8fa859ca018c3cdcacd598e8f928ec6eb
SHA256

38a6e0fdd060ba2a373668720eaced0d7488871b91c9316ef86c531cd919476f
SHA512

cc49f31bca5476edc588acc7b2912418609c018a40df4d04cce585ae90773030994dcceba30ca29568327b5fb7e78eea1574568cd98fe7388fc73e3fa8a7bc6d
SSDEEP

192:SRKJMa0dyhPwV0EeYetfL1DHs2bSYLT2pHco+sxgK7+Jye7vkon0Q/:SRKIdyEHeLBL1Ds2bSYLqPxgK2k8Z/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2460	msedge.exe
2460	msedge.exe
4940	msedge.exe
4940	msedge.exe
4484	identity_helper.exe
4484	identity_helper.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4784	4940	msedge.exe	85
PID 4940 wrote to memory of 4784	4940	msedge.exe	85
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2536	4940	msedge.exe	86
PID 4940 wrote to memory of 2460	4940	msedge.exe	87
PID 4940 wrote to memory of 2460	4940	msedge.exe	87
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88
PID 4940 wrote to memory of 1620	4940	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8f72a2f7618177d76b1eaf6a1bcb01c3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6279613297365385764,13276966613391827302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3752 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
4a0b6d9339e186d972916232cf84ba36

SHA1
931fa7ccfaf403b00307fce7947fbcfd5585a906

SHA256
c06a23f64dee8c1e387813eb5bd287cc3f37b1b1a41a3a973a87e90794437617

SHA512
358e86bf87bee777a60d63565e674d9b113b0e975cd9c6591cc99bc379fb30947c63b3ca8b12386db100d1d93ba3a847f83a2d3898f2f0ef1dcf4cd7bd19bfb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ad7a79d5feccc507d086d02ca151474

SHA1
1a71424bb8c583a03326faf00a8fb324e9923aa3

SHA256
4356841ae0f91d8a3ff5d51b3a3a5e23bdafb170c365431ea84e97fc38974ecb

SHA512
0a616a2be3cf34715387a4bfac835f1b087a3156c07b93831f4475cae43ff224031434c810522ce9277efeb850248bb5e1daa57301cacfb150f362eabb44ac74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ff0211ff-628e-462f-868a-b74e5c0f43e3.tmp

Filesize
6KB

MD5
b4d3dcdb37f9a1ec66f2768ab2c18ddc

SHA1
7263f028152d3830be7503682e58934c734050d4

SHA256
1ce3162633ea55d2bea1a73f4fac37c5d9a079b56f36626f6bb3671ac61ec585

SHA512
00007c6817107747239ffcb7ad0a20628ee4c8484cb8be47b8914f235aa043d0fbc1bfea1a44ebf3c03878881b2dacb069207e106e3be3f005371987a3b84120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e05fbd285fac05c578efcd151d1640f7

SHA1
49cbd09ec8c61801b06413c000855bb65cd2ad02

SHA256
ba5f95201eac506c4d33b65d075a5783dc056d30efaf64fc66ad1d38379c14fc

SHA512
91d0cb330ec19f7132b4ea124c52f59180d6319de46efd68f889daa9f3d521e686f5feda71c6f671d83664d909167848c2f6a9efc4284d897c33d653de12e600

Download Submit