7967ee67f8117381e628fc256018de84b0ff2ecea75dedf12380a6231d8c035a

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9947d9545bd704f4af95baa3f3241403_JaffaCakes118.html
Size

17KB
MD5

9947d9545bd704f4af95baa3f3241403
SHA1

2b70c1d9602349f68b64d42e207b11746cb7cb21
SHA256

7967ee67f8117381e628fc256018de84b0ff2ecea75dedf12380a6231d8c035a
SHA512

0d03421f7593a1b5990a46dc4843f468196fde191bdab53c366d311873e98ae3ab40fce60c645e9566da3b1c1b6904a06a1f0f54cd11ad2a992d2622d6a52386
SSDEEP

384:5bWyW4vcPBzBpOMbcMj0n167idx8o8Nq7zaqVlNFwDztxdX6sugvNkWgIwjz:/Uy4XyIwjz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
508	msedge.exe
508	msedge.exe
4920	msedge.exe
4920	msedge.exe
4652	identity_helper.exe
4652	identity_helper.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3404	4920	msedge.exe	83
PID 4920 wrote to memory of 3404	4920	msedge.exe	83
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 4324	4920	msedge.exe	84
PID 4920 wrote to memory of 508	4920	msedge.exe	85
PID 4920 wrote to memory of 508	4920	msedge.exe	85
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86
PID 4920 wrote to memory of 1048	4920	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9947d9545bd704f4af95baa3f3241403_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcca7346f8,0x7ffcca734708,0x7ffcca734718
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2071161245034994771,15237580667049927058,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
584B

MD5
9fca6d5b0d113209d44877c9519c078d

SHA1
ec86810bebccc5ec3a7e63485a384dba85b8e480

SHA256
278af31bf284814ff0b49238e53913f4d0e66566061053ee4796f3daef7e3ddd

SHA512
bef764c4e4060815318fb1c474666b0396600fcd6ed82468c3e68c3e24eda9823fd7ac5c29b5e8d2faa65826724bcb289476b28cda76d32e4dc4c16cee6edff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
90327a22134751f164e770defda1f9e3

SHA1
a142848663147743f5f2c86bff11e73b0b2940b5

SHA256
543dd13a5f48cee36798c904b99074d3bc0acf614fcf082d0d3f828936af54f4

SHA512
a24f9de6696071bd5c00f172f69d7f6dca5e360f921d8eb3ea79a45a36d212f550cd2c31e719fe52245ee74845066da7e87c92e97a53a88e8b5f8a0d1d88039f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fbee9f32f71bd88301fc7ee39bcb561

SHA1
833a955f5d75e826297c5f28ace7e34360682747

SHA256
62bb8b556aea51fa462f73e7c2e0dec0c8d370962d21f894c7ebb1a49d6d0fb0

SHA512
fdc41a778b9375c0c4dd14237d260ad7da00dbd6af9c1e7f7adcab2f0b3cf39b62902ac8e017426b970da7742c1f91b574dddfcecd7f8d1035eec9ee5de8ea8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe576716.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11d9cc50bb7c8777694bb2e685418293

SHA1
566864e1fb5dd26089872775fb9b5009a17e5fe6

SHA256
a68e416a0a2c0092fa400508e68de023011f3b554fbe8dfb9bf916d801f6c0e5

SHA512
f3837a303e96b088fa9e9fa7ca146a7fa06c0be865640e38f92ff2e4e22e609f26e0d9582acaf73d1f37d4c65a0381afddfd181f82e8d841e82b9fd886612e00

Download Submit