e300a5c33b23bd819cb7c2d50b1d379239a83d0a72d73ec9100ef76ca7ff94b4

General

Target

a83c5f4e53acf58d1be571c3a9b728f7_JaffaCakes118.html
Size

348KB
MD5

a83c5f4e53acf58d1be571c3a9b728f7
SHA1

4dfe6db2cfa8eda0395b95b99fd6737370a43408
SHA256

e300a5c33b23bd819cb7c2d50b1d379239a83d0a72d73ec9100ef76ca7ff94b4
SHA512

48357546b6931d4b8a87f18af5dfc462f377280cf85a70c80efc343684e9ac0a2a8a6356abdfdfc119a877fba94afd1097e321c146bef84a78a2f4415409c76b
SSDEEP

6144:LsMYod+X3oI+Y6sMYod+X3oI+Y5sMYod+X3oI+YQ:f5d+X3y5d+X3f5d+X3+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
208	msedge.exe
208	msedge.exe
4484	msedge.exe
4484	msedge.exe
3472	identity_helper.exe
3472	identity_helper.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4484 msedge.exe
4484 msedge.exe
4484 msedge.exe
4484 msedge.exe
4484 msedge.exe
4484 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe
4484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4484 wrote to memory of 2732	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 2732	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 4192	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 208	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 208	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe
PID 4484 wrote to memory of 1820	4484	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a83c5f4e53acf58d1be571c3a9b728f7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ff959b246f8,0x7ff959b24708,0x7ff959b24718
2⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
2⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,9758118810041753171,6869667495016110952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=180 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b3c6cbc51d95b4d22ff03d64eb2bcc07

SHA1
4009f382ab38b41a0700ae003c052989189fdfaf

SHA256
10ad27f91869ce0a90c3ce2dc4e0f62f1d0f643b392282710a6d5dc4f672313f

SHA512
ed52487afd9bf0842b9f5135dcff6f070605d6309ece0694608d16bfe42323ae98d02ebf9d4e710bb2fe55f13947adcaec68c58548c4a34a634a44e8fa61f586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
10e868a54373547b9b0b716358a4900f

SHA1
190de7b89d7040e3528c95de0a2d879f801ec6ac

SHA256
0497f9f64b6e1ca3dd13be3e2497b0560508e530535993b4ccac4e865578aed0

SHA512
8ab3ea0717f7fadf2dc06315ec3f2785d3a956f187d57d783272e324aca73adfed5830eef9cb0a7c9850e92d0235f9bd8ccf1b929528f296d09b6b7cdc9bad4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
95309e01fe0190564c2de5bf2ff536dc

SHA1
628c553bf7334e0998afbed1ec33e396563d8093

SHA256
b11e0a2d8a4dade6d6ecd17cbda8080d7fc5293685036ed288925fe834323c3f

SHA512
311c8aa38db4c9d275acbb8780aedb20fc6e51af184c6be2ec359db1e1c5f6ec1c300b1d016b721c47debabed050de7297a55bc92e3c724000f752de726f1cc8

Download Submit
\??\pipe\LOCAL\crashpad_4484_NZGUKTGSXAYTITQZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads