04b6e148cba5e7bd2e7798e7ef8046dc8623c389df5b85a863f381e96434ef59

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44c9e2db31450d621ed0b829a80b02d4_JaffaCakes118.html
Size

26KB
MD5

44c9e2db31450d621ed0b829a80b02d4
SHA1

824b5bfc55ab83761877630383b74073d963caec
SHA256

04b6e148cba5e7bd2e7798e7ef8046dc8623c389df5b85a863f381e96434ef59
SHA512

772614ea20ef4d2de268a21063f706ad0f34b4c9fafe2c4ec34d443af297aad6e36b26f73871264cd5a8567a0e4a28c750fd8eb182b02899f5a23c86977f2102
SSDEEP

768:D1KpKVAqnd+qi9q7B2LLspsmfpM2S0nrp:D1QKVhnd+LABWLspsmfp3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3224	msedge.exe
3224	msedge.exe
2012	msedge.exe
2012	msedge.exe
3120	identity_helper.exe
3120	identity_helper.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1332	2012	msedge.exe	83
PID 2012 wrote to memory of 1332	2012	msedge.exe	83
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 1320	2012	msedge.exe	84
PID 2012 wrote to memory of 3224	2012	msedge.exe	85
PID 2012 wrote to memory of 3224	2012	msedge.exe	85
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86
PID 2012 wrote to memory of 468	2012	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\44c9e2db31450d621ed0b829a80b02d4_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0b3d46f8,0x7fff0b3d4708,0x7fff0b3d4718
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12321505319098090448,15233888395194549005,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
569B

MD5
1f816b9bf11ee899959196e22380914f

SHA1
7c8c26668c31442bf7c7dbb9aede1ed84f8dcc77

SHA256
9a3960981c6f4dc527ea6b655363f6dae2912dfbc0c84cd5be3cd10b979ba03b

SHA512
e80e237f97a2cb2f0c30c8c2415952fa7866a4cd45c8cd35baba4e3d4458db5087858ee508a568a9048e887bef047ee3274d038a27d93376c83381338a6759f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0149dd1cb8466a7d015a9f0278adbc8f

SHA1
6b7a482e8c27fdd2c0659c8b6c8257ed13cdf282

SHA256
33bec4bcf363335db023d6c48339ca49aa6ca509a4481588fcc4d3d84f73b3ad

SHA512
9fac40a0a822dd0d201b95321fafb43551de0f788972172cf7ef17018bb57ca80e2f066f200a5954f7e2ea9bf2639e6c602b16c2056080a868c3cc22ec2004aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14531b41014434e4afdec2e1998bac87

SHA1
b34b9c3b4616a67350a557a3ab59c8e2b2d0c908

SHA256
7ba666d38d205aee87198fe0efc690b93e75454496e8bebb2044e592415b9990

SHA512
e7ceab2a8fb3ed9c0779319ee165526090fda555cc9b5fc151cbb1c192a5f2b6866d5dac2e7a77f6a1d6c237204ca57d1d108d453c807f6c0f283634b075a6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d263a9cae7d2cde4a2bee2506390d908

SHA1
8e7a65cb743793b2a7a2844a2a4aeec9706f99ff

SHA256
e9a6f6f9030c65c40e74354456db307cf3779b883f8b310cefadb1491dcf4f31

SHA512
0481a99a36e27edcbc837c46705028dc9d0845f9d6dae875d4119a8d959129646a36ab37721209b36d88c18d1acd9daa1f7fdc889e466a236c560f6bebaf2a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
724a4c76ed33e9154e8aa855aceee81b

SHA1
c68c16eb3836888a478e2035e1ebb3f199c9bf32

SHA256
c82d792639c8dee1a2e8c9137d06db413d8696ee3fd97c7aa4143b1d7de2dd8d

SHA512
e82409282205d23e0e4ee26b13f453042873a5e9cfdd6d876a8639767b4cc307f82983c5b6b9556c44c4c0a79b6641143eb3815bbd104a1dab335ac13f1d65f4

Download Submit