ffd0d14f526efcb084f69ba8ee454c59d9e08e0ee6e0a630e09422cd4073ea2c

Analysis

max time kernel
120s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a7511f22c7219d00c5495079114ffb7_JaffaCakes118.html
Size

1KB
MD5

9a7511f22c7219d00c5495079114ffb7
SHA1

22de9c8783addd653c8cb0adf46ae0bed14bd587
SHA256

ffd0d14f526efcb084f69ba8ee454c59d9e08e0ee6e0a630e09422cd4073ea2c
SHA512

a6f5b5b4ad62d5ad7e8d56133def0c2a084376a537b49c355bb65db5b3ddbaeded7985695dd5b7af046e72d57fca890947d04ad0ccf89ec9e04220671c15cac0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
624	msedge.exe
624	msedge.exe
1056	identity_helper.exe
1056	identity_helper.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4844	624	msedge.exe	81
PID 624 wrote to memory of 4844	624	msedge.exe	81
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 4476	624	msedge.exe	82
PID 624 wrote to memory of 2320	624	msedge.exe	83
PID 624 wrote to memory of 2320	624	msedge.exe	83
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84
PID 624 wrote to memory of 4452	624	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9a7511f22c7219d00c5495079114ffb7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e5e046f8,0x7ff9e5e04708,0x7ff9e5e04718
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,1781001764074777231,440364493055632707,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
33ad9d2cb28614cc084c43f77ed4ff32

SHA1
1443adfe19a989977b2ab411ab55a82a21a0b159

SHA256
26d32592a73008c3741f7d43f40c0ac026f397604fb27b167a738f070db22230

SHA512
e91f99247e91481e895f5477852f92d896dddedcbeefcc9231061a5a69d75d0046932cd7964ada67f1b61d6ec61cecb6590446aa51c911e89b0d1c9d5ed471b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
aa02c130e9af711d94a7fc9ae52c6137

SHA1
e1d91b2e0236a048af4648795593c4fc7533d503

SHA256
457933203a32d1aed029d0375f2172b168f3e961a31f1d56f061261798aaace6

SHA512
a76e02003b4afd4a6de5b01f60ca6d57a5cbb95cec69a865f1c87bf402769735984264628ebcff1772ce91abdbf457bd7529616035bb55c8545a7faa5eb9215d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d3647995fedcd04b3095b8cf4835bdc4

SHA1
9a218f0cb2dc8f81147ca62cc949a0e44c88f17e

SHA256
cd77150a959243ae653dbd3991d3501a0ba1ddeb277e571e5cf92ba0ca8710c9

SHA512
2591668d885066a526e0d7e4f7dabd440a57417f30fdd1994baafdc46ca9f4d845f603aa2374f824041b90daaad423ee353e8f3af11c0297a3133adbca08f5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f0c4606ea9bdbbc25ecb6022b8477d48

SHA1
19ae53434240a4301685c20b946121c0fe211fec

SHA256
b3fa9c62ebfbcbd56b45b76c439847e2b0d3a1ab7180b39aa09b981ab7e61f94

SHA512
82a4c02530c2aa9cf77f52f0836d5b609bd0bf730ff437d086a58dcec0b75d70087f7a95d08ff8fe22a3a0ab0a4907c7d8f9ae826ee91161bf5e72d76e1eb6e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9a35e6b3df35e7a9940bb37d879e22fb

SHA1
4c20ad9887a7ce08ace1d8f76c306ed765e53bdb

SHA256
c29bd7a12eaa43dfafe348caaba64f50b9c76a0f4dc9ebece20abc6cc1cb256b

SHA512
ef9dbae05b2cff04efa99f15f6bb789161d64752b54733403477c8e85fea977ae0d151992dd31d9273bdef79485fa4390682b94fe301fece96da43e8fc0a7098

Download Submit