ae2a075a143ef235afd079c03034b75c4bdd21b9bb6491e55425a80d78514a61

General

Target

a4f3927d465e36c1ada912df58837cb3_JaffaCakes118.html
Size

157KB
MD5

a4f3927d465e36c1ada912df58837cb3
SHA1

e004f4a5fd7cc78d8a2f2d1abc69b91fc2c9cc00
SHA256

ae2a075a143ef235afd079c03034b75c4bdd21b9bb6491e55425a80d78514a61
SHA512

4e502dc9dd696cfc6f49511d7a7119c108d8753f13c68a733537a439a7db0b68e3463f9b43048dd3761420cee6c909f9b2dfe01768bbe42cb01dabe80f91caad
SSDEEP

1536:i0RTtrqR+dhD7wcyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJA:imb3XyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1908 msedge.exe
1908 msedge.exe
800 msedge.exe
800 msedge.exe
2072 msedge.exe
2072 msedge.exe
2072 msedge.exe
2072 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

800 msedge.exe
800 msedge.exe

pid	process
1908	msedge.exe
1908	msedge.exe
800	msedge.exe
800	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 800 wrote to memory of 928	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 928	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 400	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1908	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1908	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe
PID 800 wrote to memory of 1648	800	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a4f3927d465e36c1ada912df58837cb3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93d6e46f8,0x7ff93d6e4708,0x7ff93d6e4718
2⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9213349592172960353,15947719669104936761,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
aa5d6f441c86c9ddd485bf8ae1f16293

SHA1
6ae870646d0126ac5c4ac148c1281674e3b97f55

SHA256
8bbc40af60f71e3055d98275b5d24c6d18b992f41d2ba8a286ad961e055cc1a3

SHA512
b3969217de4968e74c3dfd239669cd2d68a101bbd57c4bc878abfcec4ee0835830d7ca887542711b1020d2e6cc194da67e90bf519f615bddc2bd5c395abfd4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1241ce5d4619567c3923be176eb2b0dc

SHA1
639670b9d461e7384867b716a6e5b93251bc9e30

SHA256
45addc7a62fd6e527cfc44bd1abf935798f2f4fdff552639c5ed33dbc0de7196

SHA512
757586a936fbb0d3423756f48e18f5a9ff71fd4ad5316d2d86a9b0575213d106193d38a1fe6d47dd3d2a46f37c8f9684baa66505d46ca6f8d2189837ae6ceb79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
05be8e5baf4f2239189feb5d825fd29f

SHA1
f6627f99463f7fef21fc5a3af1be589f48fdd2f9

SHA256
de5a4b12e51e7c53c82cc1866a4d0aa4c6e2f872fe1fbeb0d2c863cc10ff62c3

SHA512
20d5127f882d55ff3e83e57c088e2de1e09cbe75f1fdb3b9c7e61ac49204ed9f69c2eac76cb3ef36d3a5d72a43d80ef1835cf37bc8c94c347c6292332aef3849

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads