2ec8c21bc902657b44e720a0d47fded4f9419afc5b481cf322995502c2a18d0d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d2df94ecfe3ea0b3fcfe7d1fa5d4937_JaffaCakes118.html
Size

63KB
MD5

5d2df94ecfe3ea0b3fcfe7d1fa5d4937
SHA1

b3a2383e83decbf4abf6453c36fed97388b09801
SHA256

2ec8c21bc902657b44e720a0d47fded4f9419afc5b481cf322995502c2a18d0d
SHA512

9a1fcf77c0504a66f0c023c16e5c54618c822c73c54895481a80e2b3307dc8c375d44e7b216372e59ee5e4c4927eeace281071d8991ce60caa85de437bd982f2
SSDEEP

1536:S9P01OLWa3yIxRRIcJLPFjrrfi1ZXOF7pND+/uFh1vNmZen9JKLvYBS:S+kZS

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5792	msedge.exe
5792	msedge.exe
4856	msedge.exe
4856	msedge.exe
2584	identity_helper.exe
2584	identity_helper.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4528	4856	msedge.exe	87
PID 4856 wrote to memory of 4528	4856	msedge.exe	87
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 3008	4856	msedge.exe	88
PID 4856 wrote to memory of 5792	4856	msedge.exe	89
PID 4856 wrote to memory of 5792	4856	msedge.exe	89
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90
PID 4856 wrote to memory of 4964	4856	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5d2df94ecfe3ea0b3fcfe7d1fa5d4937_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbdf646f8,0x7ffbbdf64708,0x7ffbbdf64718
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2673951567196530427,14014331100690742724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8dc45b70cbe29a357e2c376a0c2b751b

SHA1
25d623cea817f86b8427db53b82340410c1489b2

SHA256
511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a

SHA512
3ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1790c766c15938258a4f9b984cf68312

SHA1
15c9827d278d28b23a8ea0389d42fa87e404359f

SHA256
2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63

SHA512
2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5bf9124a53dfa65de010011d2f11cecb

SHA1
d6279fc708f05b05f7c3dfa83b2702b93c2c15cc

SHA256
7aff951f12745113fe7bd18ca8139f54d5fdf0f26b5ad962647cd78b8e4fce71

SHA512
81f21b9908ed2f58f9e279813f691470ff54f8618a11a22d1cb983b7e37b52ec79d34e3b5e488dad6570b4952305aee38da710a987e2debb50445086ada7fa38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
719B

MD5
5722a8c84e19725df058de1b73e5c8f9

SHA1
4ed4979e7f5a2f1b9f79516af97747ee2d1b9519

SHA256
1f1c0c2bb9adc6aaf5087afc24f9f911d54b67e1b75728a8ad4b0178b5a0b442

SHA512
22a91756405f85f72f876388967a2c05c7917a69ce1022ad83e4c3bb5490fcf07496dd172d20a236997b36d80c158d1e5c387debfabe48b58b2654b0eec8c570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b49f53f34df4eea9cdc49cefb31f57c

SHA1
dca38f41f1a12ca60145612df84e689fddaa55d2

SHA256
f0cf13dc9187184161dd04f7d9da9169992fd66a77f96514f82546a48f9a7a4b

SHA512
b7bdfd659c2a5b10eb01bb6be1cbbd46cb84cbe3258860f4755cca3cf207df0a2dad8e9014fdae27dabe89d0100094e8b5c09174c0ed5f3e2b68887bd0e249a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07608843a1eede87313f10772c949967

SHA1
8366efec328d7692bb326a4907de0894e525338c

SHA256
b1bd00a92be2a52d0a40fe7530586ffa84ceaf0bbd6389dc753bfa9e2915b1ab

SHA512
6480fdb05261ca04e62403b494da6f2d685651cc3035d407eac9de88a5673758bcfc7418f3cfeac5b423bf6e308160fa5312eb18b86c1bf7c5f8c894f4a7edfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
936db79228ef7b6d4874c77a2854288e

SHA1
8556968d5e0dbb86ade829c204327e7c33e67a8f

SHA256
45bd1c9bd030b37c098697531a447a58ecdc7793dcc791146e3f3b7f9b0bbee9

SHA512
6f31deee377940156a0b728ef573000a575748223fde5d7958e3f494c508a49d6f294746d3224bc50b09b0bef96f8ed5b1874536626a502e494379786aa6d6a8

Download Submit