8a884c82afd63ed1db067ccc9083a73b4ede3ae7d4a92e2310fafc33d321b953

Analysis

max time kernel
145s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa7a3bbeae9d7351a72605024bdc4f6b_JaffaCakes118.html
Size

139KB
MD5

aa7a3bbeae9d7351a72605024bdc4f6b
SHA1

c684bd48c1e903e2aea975c1c5e2f8efde28737b
SHA256

8a884c82afd63ed1db067ccc9083a73b4ede3ae7d4a92e2310fafc33d321b953
SHA512

d80d5cc08d5949ada55b682d8eb81757b673960b7f730a3e9e51dbda05dd7dd6c8f364a67424ae94be67ea5c81b5cb7fbde0b6227af284e2bcef39d0b41c91a9
SSDEEP

1536:SRNaLpBzly8yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBw:SRSe8yfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4816	msedge.exe
4816	msedge.exe
1252	msedge.exe
1252	msedge.exe
408	identity_helper.exe
408	identity_helper.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe
3396	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2912	1252	msedge.exe	81
PID 1252 wrote to memory of 2912	1252	msedge.exe	81
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 692	1252	msedge.exe	82
PID 1252 wrote to memory of 4816	1252	msedge.exe	83
PID 1252 wrote to memory of 4816	1252	msedge.exe	83
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84
PID 1252 wrote to memory of 2552	1252	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\aa7a3bbeae9d7351a72605024bdc4f6b_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9924846f8,0x7ff992484708,0x7ff992484718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5315915668413813240,973534772340556834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8fa3334e0cbe066b621827cefca448c

SHA1
2d7bde703bb03668b758407aebdf5f7e7b00a886

SHA256
dd75d7b38cd184d998611a3bfb86e9d53882bf7eb9a54013380da7dfd1cceb55

SHA512
1ae3ea1af00e79179a7e11411309da195443fab01a9d9ec6c135bc3b17444f2aba84e1c77804df886699efaddc83d0d1711ad6d933264cebce38a5acafdb7dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5171ccf40d9542f4482bb0bcca14fb77

SHA1
4ee36deb9bf61dcd5038a9a94e70b71d188e9bd1

SHA256
35d6c08a881caf3eb1f9397405ac1d6e1ed7bece57629a26f929088289849d1b

SHA512
f8c6c6f7102f70eb600e3cc168e66ccb102afc415d7cf670f70915d2fc842e33318341fb5936205f84bea5dec3db530b508aebec969c2944dd949a44c07bb0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
341061bcf6e3941aa89632ce3e335556

SHA1
cd4d1d31511a2a0fcc54d4328fb1170c578ba1b7

SHA256
d7c56e7c23a6c733ebabbabd9f92209417d48c53f1042e6cbb65d30b7ba4ab55

SHA512
6895c74813d0c166f53eda5a0fbea523627160b4196b54137abf4cd3718b1c9646eb8b6aaf4e9dc53db96b2a5395f89bb675d450014675a8bb2343501782bfb3

Download Submit