aeaaad363bb5bd151edecbf0ddb4b7d286c7c3c4d2c1c96f45dbbc203461be99

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b405b7e9e0444505c6a342f8940238a1_JaffaCakes118.html
Size

37KB
MD5

b405b7e9e0444505c6a342f8940238a1
SHA1

0f0185244dcf815dd34329cdeb71a41984795878
SHA256

aeaaad363bb5bd151edecbf0ddb4b7d286c7c3c4d2c1c96f45dbbc203461be99
SHA512

725d3afd86d07e60c7194b66fe3dbaaedd7460a5b02fae3d98668ca43fff636ea0fcceecb75c0f0ac422dde4af02b323e441ea8e777a3f090e54f14a3a5e46ea
SSDEEP

768:+/qmAs6LiypowQBa9cPSBeyM1ru1rf1MG1rpqO1rq1x:+/qmAnityQr6r9MirtrGx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1612	msedge.exe
1612	msedge.exe
4404	identity_helper.exe
4404	identity_helper.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 812	1612	msedge.exe	82
PID 1612 wrote to memory of 812	1612	msedge.exe	82
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 2116	1612	msedge.exe	83
PID 1612 wrote to memory of 1172	1612	msedge.exe	84
PID 1612 wrote to memory of 1172	1612	msedge.exe	84
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85
PID 1612 wrote to memory of 2284	1612	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b405b7e9e0444505c6a342f8940238a1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa84ef46f8,0x7ffa84ef4708,0x7ffa84ef4718
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3913934720299613963,14523298756334585171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e09a8e24a2b0dd1a60a08d011035fc0

SHA1
f1be9285848372d6834825ac9027b300241df526

SHA256
1ce5b633c5f1afcc742148842563ec0bfaaa9b0ed88cb8fa6ad1ae8f077a5cac

SHA512
5a4b6dd159d1319b1f1915d471018811c3195db173876a23d2e8e006107924d37b5799ae925f5a1c1250d38eb218674ed1d8cf72b0bbe9563474b68b8387d3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32ffaed4a14d478516aa1405812d23fe

SHA1
815158c92bf667fce6051595817e1c88e8b19596

SHA256
2d2125e9c736adbbb208a83660b65000a0ce05a61fe6e8dbd69ce437891eb0e0

SHA512
f8277cd4d759f34e62167018ddcd54b0c818a356b1da42df69594dde7bba115d742ff610cff04e770b577268882173dc6bd78af12e3783b4f1069c7b98e9bef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9d5f4439d58802863d4de72982b308d0

SHA1
de22b00942dbc34ad903adaf2af382387550ce60

SHA256
9d33a40792f14033300386400e369d387e936dfdfb20d27d517e1ec169d796e7

SHA512
0787f5fe117ccad69b33878a1e3411fe74ac1b70e2925392367a7a9232f1b20a3f4fc63c502a1303a6e1e0ae78313a044b00967c3636c8fea2a37f557e292c23

Download Submit