f941d959e8e7485f825ab6784cfb8bb22dd4917c5bbac3216e47819a8f7e61ee

General

Target

a50bb9ee134c8c15dcf47d34a357ccda_JaffaCakes118.html
Size

118KB
MD5

a50bb9ee134c8c15dcf47d34a357ccda
SHA1

ce51313cdf84829fb311294d999fdf0455620027
SHA256

f941d959e8e7485f825ab6784cfb8bb22dd4917c5bbac3216e47819a8f7e61ee
SHA512

395a25b8f326b9186e98101a408c7e26007faa9b9c79cdfc240e0859fee66bdaa2fee0c074bcf9756c88438447121b3171c3b42daf3cd4bb7bdc8ebec50bd4ac
SSDEEP

1536:S1E4oyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGL:SKyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2956	msedge.exe
2956	msedge.exe
3696	msedge.exe
3696	msedge.exe
2712	identity_helper.exe
2712	identity_helper.exe
676	msedge.exe
676	msedge.exe
676	msedge.exe
676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe
3696 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3696 wrote to memory of 1316	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 1316	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 688	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 2956	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 2956	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe
PID 3696 wrote to memory of 4188	3696	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a50bb9ee134c8c15dcf47d34a357ccda_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e77046f8,0x7ff8e7704708,0x7ff8e7704718
2⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
2⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,198614098922127314,5554864426913044177,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4720 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
849666bc01312abdace048ecb518f86d

SHA1
dbfa6779a08291a83b6d4eccd0e4f31864c8f660

SHA256
e3b559d2dc8cae8c10e95c310566351c96ea95cfdbba9b8407fe44714033ad77

SHA512
f79b86a1e7cad78cc2bd4dee4226c7f4f243f73bdcb3ea773dea1900872c0a082c8870048d8e394f9ebe1fdd4844a07a8779177556ba48cd7f8e40d58ca04b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5e4186ebdcb4c9cbbd61d8d0a6bcfa60

SHA1
b7233d0707c86c25f1fa87de4573af9db3569fae

SHA256
fc5aad5650600c452859ffe997138aec5e52dfed43f4d49ebb4f3b456877b892

SHA512
9a403fccf79976328cdeb3e4df5bec62a61d966426e514741488adc8fdd7d63353e988425ae679b3ddeb364422747920b9f519ceb1504012d775e951f9fd10f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
fd19246d5e80931272f878d0a7b75f6d

SHA1
c6f6e7afcc9752a035edf4e469f1961cd72fe796

SHA256
ce34c0df888baed48094a02a923e41872e2ac520a7d55b28a1220f6f51995af3

SHA512
b336fef0cf4b3c77944563cd92576693ee0012f74e27ccfeff43df5fa5991f0208551c09ffe61cab282ae53600e0776774fd2dc9e8c8854276644677fc7df900

Download Submit
\??\pipe\LOCAL\crashpad_3696_XMIZDJPHOCKVQUVV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads