9535d97ddc81f0e52afcae7d01224dea2240a401ae9fab3d4cfd943b17f4af1c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27dd6e503d11799840015d67b4cc0331_JaffaCakes118.html
Size

198KB
MD5

27dd6e503d11799840015d67b4cc0331
SHA1

0666ac3746aa263b6340c94444e2352111007cb8
SHA256

9535d97ddc81f0e52afcae7d01224dea2240a401ae9fab3d4cfd943b17f4af1c
SHA512

edfd86b599a4820234ce444cffc72b2985ecdfec3550fa8094fad13ea3f0d73ee35ef941bc197213ab572028214bfb92127bbbb2edf0dbcddc7c86130fe45a8f
SSDEEP

3072:tsGPlVranIRnEtlbux3CfVuWQ2qVJJ+I/Xke:F5CtuCMWe

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	msedge.exe
2708	msedge.exe
1572	msedge.exe
1572	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2296	1572	msedge.exe	81
PID 1572 wrote to memory of 2296	1572	msedge.exe	81
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 1408	1572	msedge.exe	82
PID 1572 wrote to memory of 2708	1572	msedge.exe	83
PID 1572 wrote to memory of 2708	1572	msedge.exe	83
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84
PID 1572 wrote to memory of 1824	1572	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\27dd6e503d11799840015d67b4cc0331_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed12946f8,0x7ffed1294708,0x7ffed1294718
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,16806802713904394240,2990384446770602801,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1fe3a26bd35b84102bb4203f31e74c7

SHA1
45fdfa8433789b575eb64e116718e62e0e0cf4a0

SHA256
26e0d51529de906dd285ba48288e25eaf5213c0f0bab9bc5f119ecbc5e1b93ee

SHA512
d528db2e9b917d4fbe24b1b5c6f4cb274f4f91c84f63e5119e041fa89ae0cd01a370e314f8b6aca9d6fa958e79feabc720f4b54b3d8aed69aab11fa84cad36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2915233ace3b11bc8898c958f245aa9a

SHA1
68c6aa983da303b825d656ac3284081db682f702

SHA256
b2cb442f2ca27619c8df087f56fcbbb53186c53f8fd131af886ee3712220477e

SHA512
e3f1b70d39b615e212f84d587ee816598236ee6ce144d919593894fcce4a0900343a9e8b837a0d1bd10921fff1c976c84c4a570eda776fe84d374a69e7a54890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
333B

MD5
096dc2fe06a258bf2650a8af505814bb

SHA1
910e578a63488293e1d6ccc5d8b3facd4689938c

SHA256
dd61bbad2149f8b1647cfcf9995522732472c9300057f07a72d2bdebfa278d30

SHA512
ee52362330f8512a729387b9fbc0c690ed0ef04c485c69c3bf9e1e9dba44fe040f4245b10a541d8bd17604144460b6177c93a9b3b3ba71301e028d3648e8d006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e85070e5d33921bd9f1c52725b6a192

SHA1
df34256d2801ef0a2dcc932751704d6e4b9ba6e7

SHA256
fbaac49ac50db64b85f32231bdc76fba9641e88b36d9d9a44d2b3387e07ed281

SHA512
9502e1c4eacaf5c05b35fa67ae96cf6f95b63a5d03fc5c5bdcf5f23c4a086507e701d50487287dd7213bbc30c74d737cd517e43bbf7bc8f3095fbff849b3702d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14b2f39b30f5ce6527cf9af6fc7e0944

SHA1
78263d285b7c3dd35187afb89558eab5599234d1

SHA256
20d2ddb20a602c4a4121f078a0dade585709ef5be94f3610ea18908bbdf9f002

SHA512
672634151238943474850ed02ca9b4aa3a00b8af1904c80ae9a18f46521dcb89a2e8e6003e0af54cc5be84fbd680e6fea26ca89cac8183e9ff2655c11a45fd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b60bbec85369852e7ebd47f22378814

SHA1
6c49e930613471383f34a5bfd4675cc8f9788e6e

SHA256
d6c7d603399c371cd7f59367b32afc04036a46e6fd24c3b09783afccbb5066d8

SHA512
c4ff6a0c3cf5f45cde37e06a55c1a90f582e843c93f81d7288a0807ee1a6c70eb7339b1bcde35357d064acaf7e00ad7eb4183cf068d0bf3abba86d43e7888c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34cd90bfe223017dfb3fe0f8278cdb86

SHA1
e4843543189ccc4730b4369e6391b45bf1ca0713

SHA256
15865f2756fb86fa8fb8ff2258e5d3814c7bcc48ae71f1a94b9275b1df408f72

SHA512
1f7669e8146ddbc2805e5dca9bd89ee3a0019c6e6e95beb8dfbd0eeacdc14d439e4afa18245f6450e6b814f6ed5a4c8605cdb82b630587286e83ab79ababa835

Download Submit