ba3e8a6220ac4c652b92200581df2a6140f0d7300bdbea80f514aac41ed56250

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98977ebe2ca12107c6c813376bf70a4d_JaffaCakes118.html
Size

55KB
MD5

98977ebe2ca12107c6c813376bf70a4d
SHA1

51590e243700f89c74378631f48e6dda2f81078f
SHA256

ba3e8a6220ac4c652b92200581df2a6140f0d7300bdbea80f514aac41ed56250
SHA512

6b5076b87dbd7d1a2cb2336162c5dd796a4eef6e52109a43a0dccccc1c0be54b444cb3ee87ed173a30cc858a2957f107dd0c102543c32acb98a99fe84169ffb6
SSDEEP

1536:U06qUfoBBQihujMBpFKxlaDZaMkvww26rGru:U06KnMApFBD02E3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
1684	msedge.exe
1684	msedge.exe
2800	identity_helper.exe
2800	identity_helper.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4492	1684	msedge.exe	82
PID 1684 wrote to memory of 4492	1684	msedge.exe	82
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 4832	1684	msedge.exe	83
PID 1684 wrote to memory of 3272	1684	msedge.exe	84
PID 1684 wrote to memory of 3272	1684	msedge.exe	84
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85
PID 1684 wrote to memory of 4376	1684	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\98977ebe2ca12107c6c813376bf70a4d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8a2246f8,0x7ffe8a224708,0x7ffe8a224718
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,13850555091198435485,7186662511885652902,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5536 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
588B

MD5
6653a720ad4af38c3f1afbe0c64a6d0d

SHA1
0c85ea37558a3b3175e8b82db61ed2d11cf6cb2f

SHA256
6fe67678682d20c6b3c0c2ff7b03fab51fcf8a3e206ae301939bea288bbe26b9

SHA512
fec5f356d776d1e22c78ebf53084ba0b64babba4244be17045d96f3be4ce99c12a0e954a52c6df23eea8101bdb869908da9361b1025c9e34db613bd0a56b4db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5334e1e1fd1ff8e97a02eaf62b66bd3

SHA1
913125357725cb655726d3f564dfaa1f3bbf4e2f

SHA256
1fc788f838dab5a5b318829bfa7db851e7fe97334abb68a835c2a0c6eb61b809

SHA512
9e197859161442fb1122bf4500c91146fbe9d64ae58bd2deb60d91510f24eb963c4e2be4646676ec3c4c766839d793c2f0f7b9a1ca97181ff90ea0e0edeb5449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ea074e03ae99360c4ad2b5b5c0c55ed

SHA1
22ae9f38425c856191d5b23428dd4ebd0cd6a8c5

SHA256
969c3847bc6e209d5bbec503f5db35ff78f0bec8d5eda704e3da2368f1231efa

SHA512
e1d154eb06ece1ad53d27d1b11d2c2fb2ccbe6bdf78ad30c40c39f75649a52e8eb1f4a80c9938b17aed4a4b5264321fea3e20488d6e67b0aa7477db0f8a33be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a447271edcc9ae054747cc8d7a1a7b57

SHA1
ebde69f92ef6a2118c63d00a91310b232b19e50b

SHA256
32cb4e35881cd3c8941d0d7c57607ea1a2d81d6be49574804f8acb07b40694b6

SHA512
3e55c86431268d74d70a49b469575b8bfc3800d13c749fb9e7d1161bc6b3d7af043da12bc133c92e2eaac27e1ddf77f993208a780001fd27036d14924085365b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
b5f0dad2c4ee4aa92895b91573b76e58

SHA1
aa965b38a566eaf99bd9f6cfa4d75f3949672300

SHA256
cfbf488d4ec5dc35310ca25044a8dcc6a38ba45ea1090cee4ae1311d03df8115

SHA512
25b86cd3d8209715fe2321c5d8393873ccf1824bc97e2ad10379b9fd48b31b22bfff835e2b15bfee9336fb17611889513edaac03fbc10c7449672c3712cdf821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea41.TMP

Filesize
706B

MD5
4e0548b581df06f6cf1ddc9afaf0816a

SHA1
999603ff20585c80338912d4436bccaa07729f5d

SHA256
6c86befdc192975b089f4a4a12c903868760d2b901be64f9804fe0e2485fb5f1

SHA512
d24214f789e144b39ae3cb958f7382d0a4c4c39ca408231aee4315716c6f8dca58db2f753b49f9e599ac3a03201b51a119e5d98d6eaa6db2531b95bf22919ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96a53fa9027a4ad8a673fa5638e25b48

SHA1
4ca40e05782f442d46de510c585b53d9322888c2

SHA256
c1d8154e6bcb1ba2695b58cf3de67774a987d3de883dffbe5bbc29d13198fa3d

SHA512
d86e939d0ef220c63d727c8ce63320e6b6113a88c3ad95399bc8f405309f2dcee8aef2fa4085d2d9879c52c109cca1d5f97efd6d11c8a1c7a8ac318745bfe07d

Download Submit