bb2d3e3bb58f15b4e8adb54c3d6839d8aea986f14e0bce15143478368249755f

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf49c661129f87a890f81ac0a272ac77_JaffaCakes118.html
Size

576KB
MD5

bf49c661129f87a890f81ac0a272ac77
SHA1

cb8702b6411f62e8363a0bd0572990e4dec1dad2
SHA256

bb2d3e3bb58f15b4e8adb54c3d6839d8aea986f14e0bce15143478368249755f
SHA512

ada8c9753fd95e7980eb994c3d8a891335c7c30c7d345b67581a744a9174066fcda54566e449deb6f3bb9df368ca41e2ece63ededc6458012e73860826b807af
SSDEEP

6144:wdofBJyH7xVKbJHFT86m6SYMFV0GwefMG/n9Z:mVK1HFg6heft

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1216	msedge.exe
1216	msedge.exe
3096	msedge.exe
3096	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3720	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 1400	3096	msedge.exe	84
PID 3096 wrote to memory of 1400	3096	msedge.exe	84
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 4968	3096	msedge.exe	85
PID 3096 wrote to memory of 1216	3096	msedge.exe	86
PID 3096 wrote to memory of 1216	3096	msedge.exe	86
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87
PID 3096 wrote to memory of 3380	3096	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\bf49c661129f87a890f81ac0a272ac77_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeebe946f8,0x7ffeebe94708,0x7ffeebe94718
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15969532984229536130,9655702783033636026,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
22582204c1e38529605c6e077a78f835

SHA1
95af762a4fdf690b499dec4db323861a827a5152

SHA256
01995be445a71cda423ab8224900127460fee37a17abf2952b7d0eabf5950aea

SHA512
4308be1dcdb06499d567ecfad29423fec455d97398ae39260fb62395b8cf27deb3b3a9752c5a7d0e6f5c4da7f07a91c56af3d02c701f9a95db39ad3d9167c69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8dbe8c7911933ad6a403d3f9ba743738

SHA1
9c2698f7938cbaaae45fe6a3b825f1233051d8e7

SHA256
eea563f398b5a67554984e5d5ea193fe45eba32720adff5517759b1d210c7982

SHA512
e3474bf6f0c54cb917c340423e6791dbba7f6948e74119d3a4ca490dcc70417518b2e79cb2f35fbea3cee70fd41d04c2b208cf460c799a51bda3f0dc08dc5bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
37a31dd2cfb494c527ee0134a35f35f9

SHA1
7d4adbf71e5aeb7ff67ef76f946f4fbc78e53b1f

SHA256
8a77b1ca4a186015d3c1b9ca45b3b9941f7adabb9d0922cc4b6526839a240f21

SHA512
fcdce27c3e2ab26072dd39531d4520d37e1cdace3e959942d5375ec7b9f88ec5072c84ecd89595144780c4e796811b7b15cf34e79b1fe864b2deefa41395dd19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f750f9673e85ec82ed683b1c5f4dfa7c

SHA1
ddcb331f43ceade2a7cc7857a5c15d1fde23f7e3

SHA256
c16598fa06868ece6a2cf9f2a211c9ee77ff3c1ea08a58134fa975d5fb50281a

SHA512
197eccb3421e2e94ec7f8bf2f7294f7d1e2b4cd363f06b708b58868205aaf4784a44fe0e7a25543152f29777db8f8bd7732de2404dd6c0d009d658fd2c754866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
117f00e9fffada4acb72e57bd7f081ac

SHA1
ea2033bfa91be8288b7677b8a9260d40b8016b4c

SHA256
d7a1c80b24fdaf8c03ba2da16c054e7c8562a4c2791af5d4340562c979408af0

SHA512
a850def087a99352c845943fc2aabe43785b0547187af924a2a29c8d9c4ca8db560c74569b11d3af7c05210a7ae7f82108a3b552f349030bdef06a3dff808a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efd52457db09094bfe2b786ddd0b6fbe

SHA1
68ae4512dd550cc86e97876edb25a6a6783eb962

SHA256
b863d682f5313e8dc72f628f589de2ca9621bc5c33fdea35f00faaf42bdb293e

SHA512
bb1e8846a7bc3fe26dbbd14d1ec6a6eafa3f256cd902e6e4343187a3b3e9ceddb0e3bbb5fa5e7681469ff4ff6bf076dfd7a05a50d25d754c6d13a81690dc4833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586f5f.TMP

Filesize
203B

MD5
328a0728e17ffede3e631fb29730ae78

SHA1
928e09a382c0bb7a99a98363fe4079da19d6ad38

SHA256
c97ebe42a89d26485d08f2d929b3c84bd226d9a7a933afd76442902f718d62c6

SHA512
4e8836eddde620ae3d68056879444810a5699a7c4fa38fa9ead46701db3d705ff405f41a619083d7981affbc88c852f00b2b27b9dd661a0068703c2010f4f532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46fc849b357cc064be99f9525dd3744f

SHA1
13d3716b40fa10cc7f75e809742f53add97cbdf7

SHA256
4782c1ee345c4a28bc13ff8c71ef7b344b938e27f6de1cae6f2a4e12afcf21ba

SHA512
2fe297a287d7a75f6d17db0cff3f0705316768e7e3ce5d3c7aad626e686f3a200efbc86fc97137154fdbdf96419d80a0107fb86ccb3d320872398a4509fd0464

Download Submit