b17774dab594f3abb198a9e38286b264a6b67082351437c3cf1daf784f152e59

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96ea2803a936c20c85cee00047a3954a_JaffaCakes118.html
Size

215KB
MD5

96ea2803a936c20c85cee00047a3954a
SHA1

7662c234208ae058e7a7d02b8de51b931fe77a74
SHA256

b17774dab594f3abb198a9e38286b264a6b67082351437c3cf1daf784f152e59
SHA512

e851039cbb50b8223f5e214e79741f75690c11c9b66e2997fd7334548cbcbceb7fe5dfd7912d00235b489202400aa93ec963f12d281fb264cbd3c24b0c340232
SSDEEP

6144:xEfAwwow/4NPrQq2p4ohos4oyZraCpmx/vG:UNPrQq2p4ohos4oyZraCpmx/vG

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2628	msedge.exe
2628	msedge.exe
916	msedge.exe
916	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1552	916	msedge.exe	83
PID 916 wrote to memory of 1552	916	msedge.exe	83
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 4596	916	msedge.exe	84
PID 916 wrote to memory of 2628	916	msedge.exe	85
PID 916 wrote to memory of 2628	916	msedge.exe	85
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86
PID 916 wrote to memory of 908	916	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\96ea2803a936c20c85cee00047a3954a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce9946f8,0x7ffcce994708,0x7ffcce994718
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6616173594911046940,6517910607513759563,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4996 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
0310e90944bc450f7c84149365fc9319

SHA1
f1b9d366d48cde0abd60f89fe1fdae13fa1fb90f

SHA256
19826a8e6b178dbc6a85c3a638db28a0282bb81ad41935136110248ddfce20df

SHA512
a9b37d617736fb41a93fa361651b82078a3a7faf4d1b6589cfc0c21d7f7aaf944fdc2f388d71a344380dea0620bd95b05c62fb072b1787f2491f10dc56b867de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a84b0cae08b1ef8199ae698ac613823d

SHA1
2a401e69601e5354daa6f53b62f030a59a02d7ab

SHA256
dd37b215328fce1cf2ac4b59dce1491ca5ce8d8a8e82dd9dd224a28c0b59d2da

SHA512
c253ff2d9c927af6d0675d01750123840d97c87dd410ec83348bd82db182e57d86172e2304f501727206eba6de09ce6cd3e099b7a9f1bc25000feeeb268bb3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10c713b78d9e0de1da8f170c0020e461

SHA1
31a21c39f5da910c6cde231aa6717df39883d1da

SHA256
9b468ea97d44b974d1ef2fa5569eb1f45f7d21a8d4262c24d5aef8bc11ea5857

SHA512
c064b82955871ec397698f1503d76d7c832870bc17526f6a11bf7ce1ae211b52781a2f5d0b77d7272e032bc2656e3236e59a39b96125246761178ce9e42afeea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa582897615fa7858767882e1009e6d0

SHA1
c0ff68360b7bd4d62d22ef1a5c485ac3d9dd84bb

SHA256
a7d993750b56d37885a96cf7d82aedd8e5dbf1f4a8408960aece14142c5b4b2d

SHA512
b2960f0cdb80939a50fffbd7f6cb87a728e9da75c57ca2e85df94e684015f7a7ac4e82fa3866478352ef9fbf04889f635e8a16d0d4fe04332a9b141e5953d65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fd733662bee7b5a76d60310e5241f5e

SHA1
0e16515ee54d1065b1071de04bc16c57b49c65c4

SHA256
f3025a3a5dc8632d2315d8020d118269c43f302425b3e284b074867d3dc447a1

SHA512
cb0bcf20eee37f54c2c00be532919354249e2706a2f5b4105fbd16b172c1c2f5da9e0d857ddb86f3914090b62ae3fef549802fbf8b4c2d93ff2c64d9f043c390

Download Submit