d5cea2ae86b939b35dc34ad24ccd4b5ede210195eaa3c0c932ac9d76a24e90c9

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 13:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26f56d18b43dcd74165064f7dddfe570_JaffaCakes118.html
Size

119KB
MD5

26f56d18b43dcd74165064f7dddfe570
SHA1

9a14b99e8ece25c48db9b424de4f0a5a619db203
SHA256

d5cea2ae86b939b35dc34ad24ccd4b5ede210195eaa3c0c932ac9d76a24e90c9
SHA512

a6816455f859c1580a3d5873139950fd58791ee842b77274c42bb93a447aaeada9e854d2c1edc049d397fe78a2ab3179fd6ae70e9a9a29322d0c3bbbc19e7f8a
SSDEEP

1536:QCZrKWzqaEx79OodfhMoW+6ScMBzL/kh2gVyqXGdKgOFnMP58lhw:drA9OodfhMoW+9cMBzLchDVyqXGV8ly

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3652	msedge.exe
3652	msedge.exe
620	msedge.exe
620	msedge.exe
5032	identity_helper.exe
5032	identity_helper.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2668	620	msedge.exe	82
PID 620 wrote to memory of 2668	620	msedge.exe	82
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 2796	620	msedge.exe	83
PID 620 wrote to memory of 3652	620	msedge.exe	84
PID 620 wrote to memory of 3652	620	msedge.exe	84
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85
PID 620 wrote to memory of 1044	620	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\26f56d18b43dcd74165064f7dddfe570_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd6abb46f8,0x7ffd6abb4708,0x7ffd6abb4718
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,9678910315697168615,7796632527691980051,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f0f818d52a59eb6cf9c4dd2a1c844df9

SHA1
26afc4b28c0287274624690bd5bd4786cfe11d16

SHA256
58c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61

SHA512
7e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0331fa75ac7846bafcf885ea76d47447

SHA1
5a141ffda430e091153fefc4aa36317422ba28ae

SHA256
64b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a

SHA512
f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
fcafa4e7c72a40f9e76549bbff117145

SHA1
351bc9a85ba28941336ecdb9252dd94364729692

SHA256
a50609ba7f09b7f1f91546889d53ca9ce6b94fe3fc4f07e7be9a01328115869f

SHA512
b29559fbab208d6f91cb8c45c64ff581270fafa2c691a6c2fefada30e30cabff6d35ef59ec55757335b3a535b6fc4aaa96f6e95ddad837a88312e057af065545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
147903c025c863d1818bbd8d15570342

SHA1
7a896b6b709a500c2f7979dc4a23821565032521

SHA256
0a4c1990e3455002fb07a5976e521edd1346e396e5317e213e6156f7295041cb

SHA512
a6afa11f881158a5578f0641be369d01cc625653f418d5dbef599e3e9f69c140cfcb6e80e8df39289567588872c15438d51aae22ef1b1be4506b12ab2c2d8a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
802ba9b25ef377f92a9bb1ace4f9d442

SHA1
d4a888d3bd058c6a9be8a34c7335104582057154

SHA256
1732df0fcb05c33a14b0689a4e267957221775c65ad7f8305fc59d72e41e0f63

SHA512
e58e3b30f9499446a1fe7e9a4781214fea7cb07ede1b951494b663c9cb8d7b7d8a6d96ae02c7c9bc3b2f41894679d53ae372327b4777cad6464303a178c89d97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fccb3f58c4d54ca1483a9a84205ebc2

SHA1
b2a4695105bb485550d3bb836257c9bfe8a0ca27

SHA256
616a5ac194ea2e6b133642a06c72dc3b4c7c4c9f2080d8c24fb367db397e187c

SHA512
e352589d3a11fb87cec92d6140c43dc027c6763f3e8a55e2bbe01daf1049104721da586ea861e0771a0e96a046245b89c46442a7db164539ac9fcfff5bc37856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08854f2beb778c03afdf0f6858ab0d5f

SHA1
c0b8e7395cccf963da9535c17d077eb954de86f6

SHA256
274bb67c68f57c4b234f522ed6f5bbe47fdf0412509271a2deee96e01899c12d

SHA512
40cdb8d3fdbfea008dd196b03fde4211158bf8b695e548dd725683de7dbacc694e5ef48990458f21d250ece4d5fd9312a66ec0cb942aa61d1d2a8d66db99d528

Download Submit