e93e15ea4e9724d3984110c98cec1a93553e76a55d6a91d426384512cc5c3de7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f1bd677526370b1ab67da0f6362491_JaffaCakes118.html
Size

89KB
MD5

b6f1bd677526370b1ab67da0f6362491
SHA1

e360f13b40830c00f4a6cc611403b9df5a8d17c7
SHA256

e93e15ea4e9724d3984110c98cec1a93553e76a55d6a91d426384512cc5c3de7
SHA512

af8fa4377220675d45f61aa9f48f5577872e97940ff3c4e4807358943d8a6e83004d850c4a9339b40612734118bd0472b6aae387ec094d0958bfcf4536ba540e
SSDEEP

1536:VnEapWbPSd+Ex3sYbsKzcz0GswNIhIUIMTO/6z95asDHEi3J8WktvHhB/KJz7ruk:DwbPSd+Q3sLASsMu+A98lB/KJnruAxn9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
976	msedge.exe
976	msedge.exe
1916	msedge.exe
1916	msedge.exe
1948	identity_helper.exe
1948	identity_helper.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 4996	1916	msedge.exe	80
PID 1916 wrote to memory of 4996	1916	msedge.exe	80
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 3500	1916	msedge.exe	81
PID 1916 wrote to memory of 976	1916	msedge.exe	82
PID 1916 wrote to memory of 976	1916	msedge.exe	82
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83
PID 1916 wrote to memory of 1208	1916	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b6f1bd677526370b1ab67da0f6362491_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9903a46f8,0x7ff9903a4708,0x7ff9903a4718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7053567771271422309,17982016392776981518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6fe14ffcc7b97caedb24a3ee99d4f298

SHA1
849d7573c8d66112dcc486bcdd569dcc93a28ca6

SHA256
8d5b3515c96f3498fdfeab2f8fe89ea4c910ce8479cc3fca5f8542d110368c74

SHA512
fe863518d65924b3a0da182d307b9cba13145b5f65611abf512ec1a9abca5de2375e054b486afd1baa441c3999a069f249c27f9e7866fe02d87c7e0a4bdb45f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b69806304b47ed9991e6508457a6937

SHA1
6d60d4069d7f1ca63dcf256db2ab5323fdde5ab9

SHA256
3714c0fa497d820f70104fe881af69ef268efeca5ac56f95d0cb98cc049da222

SHA512
a4c7a28d4f572fb92c8a514f353e31f94f2060a8fb5da5c11652f1e0eb8584c91724ef8c963312684979a0b75adcb3138061d7c3ae27266908671c22dcae2a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a15506cc1b7c53e30f2faf47d645c8ea

SHA1
866e242c97b7a2de32e2c9b103232232291fa981

SHA256
cee3ab33c92a8fbceabb1543c9ebbb1e067c847476a0c1927581ababd34717ee

SHA512
14fc601d5fede4fadcb8c282c1cbde33b54719732bb507777ec7200d8bb0b591d83af0080b8b5db73005349cb1010b22e983507999788f9b5529df57f1fc695b

Download Submit