9ee3151de1005666fdf1453b011bb32accb0a1f86e6bffb9084b1fe53690ff2d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 01:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b61a64e7bd26a5c1c25d102a0e0e00fc_JaffaCakes118.html
Size

18KB
MD5

b61a64e7bd26a5c1c25d102a0e0e00fc
SHA1

2f39f8e4545f3d0c414788abbd35565482fd11bb
SHA256

9ee3151de1005666fdf1453b011bb32accb0a1f86e6bffb9084b1fe53690ff2d
SHA512

a04e62c611fa678abcaaa75e0be5a3ab4d3c739c6948a994e916f5fd81576dcf335adf2035d71483e5e5f359ff9c21d62ae9a3b1ed99af0d9e801f4f3b6a2b9e
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIFDnDfJ4CxBZh3G3UizUnjBh62yQ82qDB8:SIMd0I5nvHtsvfKxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2956	msedge.exe
2956	msedge.exe
4080	msedge.exe
4080	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe
1060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 1428	4080	msedge.exe	81
PID 4080 wrote to memory of 1428	4080	msedge.exe	81
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 884	4080	msedge.exe	82
PID 4080 wrote to memory of 2956	4080	msedge.exe	83
PID 4080 wrote to memory of 2956	4080	msedge.exe	83
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84
PID 4080 wrote to memory of 3256	4080	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b61a64e7bd26a5c1c25d102a0e0e00fc_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf84646f8,0x7ffdf8464708,0x7ffdf8464718
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15269025960276473626,16369364653644006373,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5db98828e524230535861b5cd233a7bb

SHA1
03c98f0e7df1fa3d7ad42a68e3dbedbb6f4cbd93

SHA256
0b8884be24b886fcb97a3acf5db636e74fd9537e69e72d195aaeaf09847b520f

SHA512
1a9274e1147dcaf8022a3638901d1560166605e7ce4fdaa6593df75a437ef81fa4307455c3f441e417b9fdb9ffc408bb4501b52615f8e1441d2b0402fe899569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e719a6e3ea44552b4ee39ab26e557afe

SHA1
4b1a99b252fcd48c5a90f23b28d9710b735097f9

SHA256
bda9ddd3c34527762470a0a07881c2d67c60735be4fc951e8d13d11758077d16

SHA512
259bfd8dae8970ae36caed0d9bdcc197684d46403defb2b3721debdf1fff301ecdbfe85a1432aa1cc96b59bb6d822a2d35d879034b38f53df5a3e8f3697a2583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8dc632ba09776275b64f582147d5f0b

SHA1
30eafb6d6b4b7a2944dcc86d0413c513ff57e4f0

SHA256
342e27e9c3978bdd300d718bc77cd0995561e6a7eea02b1807a61cd77c184057

SHA512
9cf8148083634d057db7bb24d69a5ef4774ca4c93bef4f627055c630bc981210f3bfb5a15aebf6f76a0c4c078192c4cf768bebd426214610d7441dc7bfbf6574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb1198cb9cff3dc6d2cc9a71fb0d5675

SHA1
078a11372f87b87bca966df241dd28fe89f5e5ab

SHA256
b4be0fac749641b9c56a131c53a2fa68d22c5bec47459e4ba1f999f4d7fb807a

SHA512
84f39228c50a6f4b921fdbb888a8f490a3b3e8f36ac121b66ae7441ed18a131c5b1a58675b8f6905ad3473c58e89e2e78c69e0929c5c204049d9727c3c426d27

Download Submit