935ec1c0b653921a39609ce6cf30202222afd4713d901834bbd4f47ac249f353

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9faf63046ac5e583a6858715e0e8ffe_JaffaCakes118.html
Size

50KB
MD5

a9faf63046ac5e583a6858715e0e8ffe
SHA1

b8c1e5afd8e4668efecf852dc6f6cbd8e4b0b178
SHA256

935ec1c0b653921a39609ce6cf30202222afd4713d901834bbd4f47ac249f353
SHA512

ea0edc8a9ede261301f575aecc47e4e5c558cffa23eaf044aa7ed3c3aff86c9e38f00d827b552f8c0d2200931546476621f3681cdc5185bc410c1063e2d1a077
SSDEEP

1536:u0P+LCBEMBLrCWFuZu+pkSDLFA/z7+2hYVN5UGxWMB:oCBEMBLrjuZunz7uiGxWMB

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
2312	msedge.exe
2312	msedge.exe
1224	identity_helper.exe
1224	identity_helper.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 632	2312	msedge.exe	81
PID 2312 wrote to memory of 632	2312	msedge.exe	81
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 1308	2312	msedge.exe	82
PID 2312 wrote to memory of 4236	2312	msedge.exe	83
PID 2312 wrote to memory of 4236	2312	msedge.exe	83
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84
PID 2312 wrote to memory of 4812	2312	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a9faf63046ac5e583a6858715e0e8ffe_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7e3f46f8,0x7ffa7e3f4708,0x7ffa7e3f4718
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,2506989765811872431,10544067239531218186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
252B

MD5
17d746299145b52b41aaec34c468e6de

SHA1
58287380c62c905732512a2deea602b50c3bebe7

SHA256
f4d5f919dc64124a4028cca92abb32ba66c827e7202b4cf1ff47291f70c8372f

SHA512
fd89e260945f7dec685ab25ea1ed52dd457e21d56261a2fa083db49ebd10bbc743f81d15cab70d026b0275e034389697dad4a336af0e782c831e8b32907c726f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23867d39398f8c9058d04ebde6037258

SHA1
dbec8107eb40a41d93fc320911c03d73e5f23e03

SHA256
75ed074d4566d176b100eb6213e4357a3fcd3af7b3554a4fc99aa8cd5f4bff0f

SHA512
e7f2ced6deee8ff99151619627319767211a985a9161836df13d8d12f977d31adf9c08e9b1fa44719c3a4b4b19a42e435894b2b4f85310d63440bb47f191479c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
faf8892e44b52fafd09f6ec4aa378025

SHA1
49417c440c50c29fbb5ac2a1df7083fd462c97df

SHA256
e0a0b186c841dd06ac53069ba5ded970d4a80e4021a7df32a1199a6ec5256aa0

SHA512
2f8d127e2030e2981783dd1be07fd0f6448f06d59ef4a3d6ce3fb0b0b695c1bd7f31b5f846473f2626b52e6c9a591d578e2f9a649a180c247b0d4a7d13e7933f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1dedfadc621bfd992379e388e4ca4dc8

SHA1
648ee74edf5cb5e721c2226759eebe4f70d97d7a

SHA256
0fc9d6d21c173125fe83b1bc995251e958da45bc03d8552f51fa6b8693a57592

SHA512
7753ce994b58ae5c83dd1ba24a041be9ddd2270eb540c7a8f277ee2216a783a3c9ef932f57059cbe5a96e609d4cd797baf10851eaf1b74fba97a6e8459844b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
21c0f2e318e5f8e866ef73d1e5bc02d7

SHA1
5fe1658450135648a5fe2590ea7e99a0d240e150

SHA256
d1823f1cf4acabae2e41323e43727199a3bee02c5b5aa37040dd08ba989b57aa

SHA512
058201e67bf3ccb8d7e44596780cf60e724c73dd3b630b1320ba6cc2c4a8bd625bf5e8e42d77b2a0b2cc645245e15a77ecdbf829b52ed7698b418834e505fe25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f2eb.TMP

Filesize
372B

MD5
b7146ba24e41470f420dfeb4a33aa99f

SHA1
d9a0e84fbbae4b8f0356c35aee3e4b2082c07f3f

SHA256
6c074f6f6164303ecc571c6e8a5c989269563b6ea28c734d849750cb81cfbc93

SHA512
602e9e3c79d536b378a8171f890304ef7fb102614da1c5d5ff9c5e33579abe03bd89cad5b45f53eb746b09486d049d9838c47473f66e3a1db3cd07743bc318c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aba6b6e33330b6bf37b6809f72ee8afb

SHA1
5fc8c4c9df2911e683221b0703203cbc8388ef4f

SHA256
b61356f62642494b496adfdf83c39f0950d0f4223b946c31805a42086f0fd175

SHA512
a31777236eb54d0f08788847173e3fe6f8087819fb9c7e7d9fb575791c3340dd4720607fbe64de3d1d1ff16ebf67c1ba11db7d049ca2885e7b5427a78e2d83eb

Download Submit