61af44b8f6f60c22034a21e91ff5bbcfe4dcf41d32c28293b19ac31d41b7b510

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

954a150377d33f86b99cdab270120bb8_JaffaCakes118.html
Size

907KB
MD5

954a150377d33f86b99cdab270120bb8
SHA1

39a9a8adfcd8c37d6c7c06b2e77959b2b0d58927
SHA256

61af44b8f6f60c22034a21e91ff5bbcfe4dcf41d32c28293b19ac31d41b7b510
SHA512

b0cc49a1bcb1dac067692aa33e565b1555c0ea766f5a530660d7a8e87c6fbd47fc06b9ba87fd96a96d024df02db353ea1a75cba004cea5a931eb563f50c665ce
SSDEEP

3072:VpADf2szA0N/Gd7ZXtjgDJtdYyVeefrxOMQfw/vf2szA0N/Gd7ZXtjgDJtdYyVe3:XsM2tdYyYjM6sM2tdYyYjMpQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
4660	msedge.exe
4660	msedge.exe
1844	identity_helper.exe
1844	identity_helper.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe
4224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe
4660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2516	4660	msedge.exe	81
PID 4660 wrote to memory of 2516	4660	msedge.exe	81
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 3196	4660	msedge.exe	82
PID 4660 wrote to memory of 1296	4660	msedge.exe	83
PID 4660 wrote to memory of 1296	4660	msedge.exe	83
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84
PID 4660 wrote to memory of 1472	4660	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\954a150377d33f86b99cdab270120bb8_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff61f746f8,0x7fff61f74708,0x7fff61f74718
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,12181744458538795047,9684097073092672594,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
e1e9d464995fc6fa87db24e7a7712569

SHA1
e90f4e8c64b2b69dd4fddc670a6e65c758cb3575

SHA256
13d4f9116a816265f31f14acf652720dcd486939dc9a49a5f5548fee7a67b9fe

SHA512
242f7cb4c4c180feb121b8f7b21bdfc085fa0835f50dda5dca55d1e56d3ff4b4a867c1c18d3848fd7b14ab3b223d0deb2954bd09516cbd75a9f6eae5af070a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab4866e410581208d59b57ee443555a9

SHA1
cfa5e85af50b30503c17a3a5802bf017a538dc4b

SHA256
84f766448946ee16d1a4e1ceefb329bbf9af6b40e04d501d709df3e1aa48c82a

SHA512
0c5d7de6fd76983627946818e6f38404944037173878bbad7300f026bda570b3790ec8dae3e11de4c7296ac0ae3d917926edfffa052060bc4b0da8c4df8b0ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40754e9f7acb0ded7ae7ea60d7b1c145

SHA1
09c429f39ae06940b81e83c74a405475ee46e040

SHA256
37244dfc01d7099b1f75daf91911a16d15f1136df626d3abd1208e5d011745ee

SHA512
65de24827f811980de6776fae18c8910753dbdb591e8806d5fe68251fabbd7da432afcd6d14abebb5d22831edb3ea074e01ae213026eace96673a5f6291229b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
024540b5412159a2a9fb0769bc19ee1e

SHA1
332199c71f6deb69575f9283c7575d6d79f9668e

SHA256
d8143583df78941d8fbd9b5faa45f268253271513a2876e8736704e07f4a1bbb

SHA512
88ba3d6241d1cbdb9d768849187da3df027e241b21a2c9c68ae7789e0ec68b0497def6c6365d659a48dc87ba6961ccf5640555a3b455cf431d56e67acd5dca0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
bdea862e9a75f58a40b1481361e6bacf

SHA1
a79caedac2533f0ce9b52ee6e7c39e1e6662f5ac

SHA256
21b0949416ed7c422d6fc4d9710d6f65c8ae31854e90a87922614ee583295e48

SHA512
55287c834277b462e59e18fe65fbc4c8bf4fe114ce37686d2d81d2f050e5d6c0537b04d75a6fca1e9547825f74f527aff5e4e407e35177fb5bcc71eba628ed0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b621.TMP

Filesize
204B

MD5
abb560e1b385fdceaa7ba6527bff9d68

SHA1
26dc592baf46d6331ad25a5f970452f92ae77f71

SHA256
7a17bca001cdf0e9edd50005fa4c1db669efc501d0c2fffc36ab0c7201014fa7

SHA512
a5912e6041b87f1237cff2aa431f0df84ed461e0ef6bb619fbc6ef8ea22b624452c341ae7c07bd23a10abe4e00f24313301b0d4f574625a4526063ab47c913e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d3b515d12fe6fe83e495f77d12b84d1

SHA1
a1e6b9e16f418bf332946c668e79cce5f94f8d02

SHA256
e0ad74001a3fefb67df31ebe479a5de0c22efa108572db9426f49e13e463ae07

SHA512
b04f2ce74921473d0b8a42a607a4b9163936fecd4fa94dfb7713614b6fbadcc326d2a4807b70fae7adce1e9eddfad62491d8a4cbb4da0d7e67fd698e40ab00c9

Download Submit