4e7bc97fb56bf2a809d8d0ff342c8c72458ca4c6c3b6c0c917aedad38693efd2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f25d3468010703a41c99ac4c3f93b8_JaffaCakes118.html
Size

155KB
MD5

23f25d3468010703a41c99ac4c3f93b8
SHA1

f4474029725ef9cf6902796e317ae89e81b969d1
SHA256

4e7bc97fb56bf2a809d8d0ff342c8c72458ca4c6c3b6c0c917aedad38693efd2
SHA512

bdeb55a3184e22c51f89ba00cdb9b8af98c5a9f866f36e88c82a320a191e9918fca1396e9e0d789392ee4e5c605550489df95697a8ce65dfc6826f432f93e9d4
SSDEEP

1536:DIi9cAI0fx7xa5Ssfssv1aJg3CUrUhfznjefamkvOToEpbJf1wREo1POIm9/ZYKg:DI7A9ium9/ZYqg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
464	msedge.exe
464	msedge.exe
400	msedge.exe
400	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1964	400	msedge.exe	81
PID 400 wrote to memory of 1964	400	msedge.exe	81
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 2608	400	msedge.exe	82
PID 400 wrote to memory of 464	400	msedge.exe	83
PID 400 wrote to memory of 464	400	msedge.exe	83
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84
PID 400 wrote to memory of 1724	400	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\23f25d3468010703a41c99ac4c3f93b8_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcab8046f8,0x7ffcab804708,0x7ffcab804718
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1840 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,11716364343260394571,9868436374209380370,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
23a4fd41139e7ecf76c825a215a6afee

SHA1
637bfc7ffe5adabacb6e668b5c9d38c78246ae08

SHA256
fbe75da969d47d1474d5aeb0bccd58e0357fa2d7d6a0eb723035c3bb977c86e8

SHA512
513aad3cf289d24154d14eccf9a5a2892fd019d69f6efd6edf25c9f23308c253d82e6575b3ea3d7e7cfcf53ad4eec264d64c99e993ee2477544b09f2101987cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9adfc85fc7da960862daafe10a6dfe70

SHA1
8c295bc1da62b51aedc256159b230cfa7a6395f0

SHA256
cdb64fb336b2385ea8bb021fa14be22aff665fea8c113184f0f6e339c1aa53e7

SHA512
065107b33076639bbf15dd4c2e7a68289dc90b6fbbea34d5daa152900f86baf2c2d7094dabd22c4297559591dd98baf2aa02c142bddc5fe05db3e3ebb33f25c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
edfe7f632979de0ab54a9adbc611de09

SHA1
c5ad35d1baa0e1520287e20cd0504609aa50f62c

SHA256
f171ed94380fb05caa56cb7d3fef09d78d7a3532304f3097086cc1a08c25aa5c

SHA512
30feee8fd4595a2b04a7dcdc28c76894fbfc606f7a13d38cedb898d41dd922d28c7dc81cafc9891148b68bcc9aa0cdf464308743db1ffb2183d0eaab77a26bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0afa891ad031e6cc7afbf2ab36a73fdf

SHA1
1a725dc31c3c63ce8a6d7849457e65433b820503

SHA256
dc8dd957c7972fc2c305faff7525c41bb9a5c03c150d810433382fc96a92a5dc

SHA512
37f744306c24f41caba1de8111854a7a3cc8af7811a073cded03a0ec9d940716beff12c5e9fcd3723168c10222b00cfee9c0d4a535a90406524db954e707523c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e03c5e4820ed8c91d0374014d1302c3f

SHA1
7b68cfd600de9de1e76bb86f66ab7f25760c228d

SHA256
bca16e1f90a7bbd7424ffdba65ff81a3955579b4c563ed5d4176b6ff6e7e2de3

SHA512
2e88278ea391954b0dc60d1da85ea965732208b65d30ba96f144f2ead074c851738095e404db1d25acd1efe186e0c52bdea3b9477c654516d03f812255364911

Download Submit