649ba0f608bc0310fab013a323b9f640b02cfac418df7eba55b9fd8fde6024ad

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf93383e3501578c2e5a778acf2504f1_JaffaCakes118.html
Size

81KB
MD5

bf93383e3501578c2e5a778acf2504f1
SHA1

f1a2271068dedb33a21dad7bdf90ad509d8f08f5
SHA256

649ba0f608bc0310fab013a323b9f640b02cfac418df7eba55b9fd8fde6024ad
SHA512

1326512098155dd41cffec3db45aa61edc79937ae7002115b22a8e66cd78da0cfb94024312572d2fb1b253845e23a3dd16bac3f2641f2d55d28c1d049117eede
SSDEEP

1536:Bdr9oqp7YWMOIRHBP2L4aqHm1kCLyjRWxkGCi9oO/EzkWzrXWiX:Bdr9oqpMWMOIRhm4aLzLpWzrj

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1596	msedge.exe
1596	msedge.exe
436	msedge.exe
436	msedge.exe
4820	identity_helper.exe
4820	identity_helper.exe
2660	msedge.exe
2660	msedge.exe
2660	msedge.exe
2660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2996	436	msedge.exe	84
PID 436 wrote to memory of 2996	436	msedge.exe	84
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 2692	436	msedge.exe	85
PID 436 wrote to memory of 1596	436	msedge.exe	86
PID 436 wrote to memory of 1596	436	msedge.exe	86
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87
PID 436 wrote to memory of 384	436	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\bf93383e3501578c2e5a778acf2504f1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8996946f8,0x7ff899694708,0x7ff899694718
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,14604261097463724139,9188644202760146542,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
699B

MD5
ef09ae90c965e1ae8abdefdca37d7e56

SHA1
8bc4cf8672a974987c919e2971637d84b79f8586

SHA256
02e059e99c55dc792b1967d9ba79f890e117c33240c4e1f355c1a0f4c8731af3

SHA512
05f9fa2bb043bd10c9ba221ab35eb084154169541b08c024f7c3d199166f21efc86895897278ca4f9964d04e2da8639c89caec36f10b54556f29a81c0b2337dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0c13028a200ce131c158666609810f4

SHA1
1ac31ea502b362991bd8eb6b36694883a96c6d0e

SHA256
11202fd6dd7e14b541e90f6e0eaed2ea07480760e7f47b534a860f992e41f139

SHA512
9a6e46dcb49653ca6e0b589e4aa03e6e64aa6e614e989fdc333590267839398fd8e6dc9f2fe85d8a6d2e30e46a0c9bc8c5f39f89282b13b8dd81356fc7df2c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a3e9ce40cb44dd025569dc13d917703

SHA1
f0dc9598d2756d33d706256ea500dac8f7acec6f

SHA256
1a9f78179f1b6b7176bb74c3e5cad76bac4ae31b869bdd9a3bc12e114cb00bf5

SHA512
3051ecf88f1cddb98acc23fce3a8c2b35b6613a14411f88011493c3c9f806e81190181c2c1a7a80484c505e62a4eac404af3e5deb782e80a759ef340802d2d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4fbd878c2a56b71ff32ffe82df88380b

SHA1
2f0683bc44209b3527f8cc1c68289e5c4d046063

SHA256
b55d505423f78178c08a300075091042e7b01125311a8a94ce3d167d562dbfb0

SHA512
11ef34b820e4a151cc705e67dd2096275b0a67b2d374e169897a730b2897d675e06d545025cd650d0069f66d349e47a930b58c562acd64ecb9a286b1561e901a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
5d33d30284b39bdb5be1518bdd9b7ced

SHA1
6797a4ed4b5dd1d1e0c73b65d68ea16c873391e6

SHA256
6502094025fd418378324aff83de4875d37c453f67c5afc6bbadf25ea54c956c

SHA512
1cbb25400217a33a5775c59a8bd3ce8d0de441473896a00e43c44fa649c38e100f4bbb39c7d7716fd09f072ed491ca1da4df9e298cefff0e208df6690a05ac2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5887d8.TMP

Filesize
372B

MD5
0e4c481708b7e79b1ea62ddcd831b321

SHA1
bb4299fe3b4d5b00d4d45ae7e9a57135a590e19f

SHA256
07b670a323245992922b7107545704c940a1cc201b94a47139ab592e2234b646

SHA512
525c14e6c3627396511ee461e70af2e068815a1846a6e2fe2f92130b77eac85ff6bae13ab7675c6c91e2117c4ea75bf1023e67aa453061d65ab40d78b1575413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
888f41ab1c9ab979a045c02e4e0706b1

SHA1
29404b2e2193078706f80dfcdc8b0b40fbf35d8c

SHA256
e33adea22a02076f251c4f70595ae0ac355b23d0999365657a12310e4945a16a

SHA512
4811579244458c4fa66cb8094f2d0371df70b1cc110f77a44f665b5b3b38980df8e8c0a2ed58fefd67cae55119f6d22c46a1d218d7894f7ca03258bd87c95be9

Download Submit