6623abe7b5e76580ff5a3e902d39bd63f3d9da3a8e435628ed094a71bf62cb58

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9fd5e1d1bea87fcc0231c3bd5705ed9_JaffaCakes118.html
Size

37KB
MD5

a9fd5e1d1bea87fcc0231c3bd5705ed9
SHA1

b774342df518aa7cfeabfb74b21651f2e81eaf6e
SHA256

6623abe7b5e76580ff5a3e902d39bd63f3d9da3a8e435628ed094a71bf62cb58
SHA512

1dee7b910638b6c95701d3fa8c1a9f96e97c06bacf48a0733bf3b05f64c6443f2bd7ddf87c4aaa8c5b5f9d86c8edfb39b387321bf400b0415ededc58954340a4
SSDEEP

768:cqH+rLz8prz7yh7XJZdkFw0RzTb/VEXjPWHljWLwPWz3bdRr/FEIngTw4:1H+/Qbz//VEXjPWHtJPWrhRr/FEIoH

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
832	msedge.exe
832	msedge.exe
1948	msedge.exe
1948	msedge.exe
4308	identity_helper.exe
4308	identity_helper.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe
2708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe
1948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 544	1948	msedge.exe	81
PID 1948 wrote to memory of 544	1948	msedge.exe	81
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 4092	1948	msedge.exe	82
PID 1948 wrote to memory of 832	1948	msedge.exe	83
PID 1948 wrote to memory of 832	1948	msedge.exe	83
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84
PID 1948 wrote to memory of 3232	1948	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a9fd5e1d1bea87fcc0231c3bd5705ed9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef34646f8,0x7ffef3464708,0x7ffef3464718
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8975297772456714193,14468272010986575236,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
268B

MD5
2380d14e16137a859787af4fb1047f30

SHA1
0e50828e3fd589b577155b9c73fbd84ab0e6d525

SHA256
b0025896336300b477e700757414741a0e67ee78519e8f739e136d2e66d17fa4

SHA512
5b98d77b8edd201061674ac961066bf95ac3b3214da14e72e59797c409064d242f0e108c2b9539549e032ae6c26c92dfead58d00813d136f3d834d428b7fb539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
944a8a6a6ec85c39d2d7de1dca1332b6

SHA1
8812d14aeeea95efe4d9869666c9a81c4cd9a801

SHA256
72d95baf26fef341dfa3b4f08e03886e79544dc01d3e8d95fcf974a6f0d55c05

SHA512
546758766a4dd91094e257f6244e300ea37ae3ec6bacb7e494e34900b362b23f0c8226f1fce878e134ee6d22301195c749f146a1e0e55e51899d4f224f0b324a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32dfca8cf8a111656409a59bce27cc0f

SHA1
895d2dd77c5ed2f5ca33aa6c985cc5ac43b751e8

SHA256
b41afbcf42867d4b3feec434d627db5bb02073a1cf9044649c185507551ee91a

SHA512
50b17c5d15447655912690ade20070ef5555a0bb81f273522f381572ec39ffee58ed5125c585158f823ec4200e5fdc6594f2ca0c6511238587f5217706e53e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a41066fc0493968bf2a8f1fe3d9d0fc

SHA1
fe6a032afb3fbadd2e9ae8a89a38b757b41e9319

SHA256
bfc864b27eb1eae0ce19e04983e380a27d98875889c900fc5b556fbbfcc39cef

SHA512
8f8234f8db915e2d00378baaa6f963bd28a8ee448c61b14d04ac65c69ff54a8ab65e373a7a0065f251725e065ac61d4f580aa240c15bc6d0263caf4eec54bff8

Download Submit