d1d66e62c3f2e0376fdaf6cd4c27c38e3f3b0a9457f09b671e886661a16bd75a

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae5dc60ea60146053a2d08eae8632d4a_JaffaCakes118.html
Size

28KB
MD5

ae5dc60ea60146053a2d08eae8632d4a
SHA1

9019cdbd2288a3b202496ccd8171d356d73f88f7
SHA256

d1d66e62c3f2e0376fdaf6cd4c27c38e3f3b0a9457f09b671e886661a16bd75a
SHA512

00fd54c7841ac9139c58e3251a2d98b68bf9a3fae5d35565d47e0b934d413922c1dcb169e8bb9c5b02c7c8793b0d085fa641341326e7ffcec99d1b16f20dfa9b
SSDEEP

192:uwXob5nR2zwnQjxn5Q/ZnQiesNnrnQOkEntvnnQTbn5nQ9eucm6OZ+WX3Ql7MBMm:NQ/ZfEO+W2Sd

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe
1264	msedge.exe
1264	msedge.exe
3920	identity_helper.exe
3920	identity_helper.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe
1264	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4868	1264	msedge.exe	81
PID 1264 wrote to memory of 4868	1264	msedge.exe	81
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 5012	1264	msedge.exe	82
PID 1264 wrote to memory of 2736	1264	msedge.exe	83
PID 1264 wrote to memory of 2736	1264	msedge.exe	83
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84
PID 1264 wrote to memory of 3836	1264	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ae5dc60ea60146053a2d08eae8632d4a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9beb846f8,0x7ff9beb84708,0x7ff9beb84718
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4410344241378735655,15437367229297294769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80e93a0c404b16bd87b36a53eb1b45ae

SHA1
bec3fe78a6cdb0c704aff69f1fbc95c7f18602f0

SHA256
15d19f9080ce1675f47d2f950415fcd3d367faa351609f59141716ca5e8bf59e

SHA512
d05d5487de6467116f73e63a58ca50890946763eb8eb0f3e7c911974674758280da060312f0f84f231dbde4d4bb29276500cadf0594fada0cd46cc419e0324b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcec29c3ea4a67ad75cb833750702510

SHA1
5a43fa116ce043c5f754cae335ae15a8f0fb5e61

SHA256
62ea7a4c48e845700a0b0f0bfb7645f0416da201ed4ee085bfeb42b8e2d85387

SHA512
6f6c4730918fc4facacf2be42593fbb42763a882bb85b818e2cdfca1225df4e2fd026427f063afe2589de88f0ed5c5fc97f4a1afaf4aa0834eb4f0c1d0a4950e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da56107226789862d2cd2df4e0f636ae

SHA1
e1c54bdc70728e3bfb40feeb9d3c1570786ce302

SHA256
da42741b9054e1157a63aed4b6fb701720003cb886b5d020fe7af8b657479e03

SHA512
d4c8b260b40a629667d855eddea2100ecdd3f76571ca96fe6f59c90be6a7005b3f2a4a77bfc785248d6fd9342f8c83d527aa16427a31083277397e187467cc58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7031f8562819e979bb1950f6f05d2f87

SHA1
4b52ce1ddad9640868269fa9524ab214190fa161

SHA256
3044eaea398f8b5bc2dead424a84ea2d94f3c58a08543497c359c9d893eaf29d

SHA512
b42f3594f9af2be37de26ac34a7778639e5f0cb1f841e715b353ad3d685bc4d43ce8c8ee6dc9139480ea7c4927a48289eee7bfcdca92bd5c72a7c7920407b5c8

Download Submit