a40ca31aaef75b95bfb0cf6a08a22108a1c64d425621515511e70a0f9d861b31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3e2b9c84c50ee6bb8ec27a9b44afbdf_JaffaCakes118.html
Size

30KB
MD5

d3e2b9c84c50ee6bb8ec27a9b44afbdf
SHA1

0061c439bc134506f8b887853fc70c55440893b3
SHA256

a40ca31aaef75b95bfb0cf6a08a22108a1c64d425621515511e70a0f9d861b31
SHA512

15230988bd71274da16fe64f3549ae92babb7b220cca33e94122bac48d218e3d888ad9c2096bafdd7fb253fc3e1613006a4e1ca481d163d49e61e540a971f2e4
SSDEEP

384:bNE6ibeh5hkTYZ5uUnJx9gk4sUXrKXQN+LnRYyN+w1MFIgM0+ctMHqboMAlJKDoq:X6owAnJAkZU7KXvLRYMysnCuMp8d+B

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4820	msedge.exe
4820	msedge.exe
1652	identity_helper.exe
1652	identity_helper.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4232	4820	msedge.exe	83
PID 4820 wrote to memory of 4232	4820	msedge.exe	83
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 2888	4820	msedge.exe	84
PID 4820 wrote to memory of 4480	4820	msedge.exe	85
PID 4820 wrote to memory of 4480	4820	msedge.exe	85
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86
PID 4820 wrote to memory of 2904	4820	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\d3e2b9c84c50ee6bb8ec27a9b44afbdf_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b2b846f8,0x7ff9b2b84708,0x7ff9b2b84718
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9675304850324566056,13961314584796053764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
e75179806fdb60b3337e8cd5b04cd6cf

SHA1
434a695c7607996cc4d1a0698d9214afe4d9fd38

SHA256
a121c6f8b11a0682ab639049f50ef2a1b00b3a2a565d7686cc64f501056b7b19

SHA512
e1e2f888005696fb33453f369efda963c71c15270338db02d812a1ad503c1dfd2a0f693c3f6a02ca2abb7cad631524b0481141646353c7b39adf44b09bf8464f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fd4f71bf797d489d2eadd0390ec8102

SHA1
cd1ae0f519e56e46e1aec0185ee880e487ee675a

SHA256
ff387db471492af4f32a383f7bbfde34990e82d4453bfaf2509c1c2fdc2de81b

SHA512
c36038fb0486dfe55d9ffc70d8c18ab26478843da342d92d713487ea08a2d7aba868142910ebc7f30d498bb34f31c8aa34b82ea09fb0bf60d0460451361e1a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d89d5bad1a28654ee754e000c90afe9f

SHA1
a13119a92a266cd5b7d75b22bca84810cc6aacda

SHA256
d4a55f27647699b0b558d59d0acf2e6597930993fc65e564abf25148f6b463c2

SHA512
1fd5fabdf84a2e1daeeadbd7c3def43247022c7c37920b3607acac642ab33596428da3754c2f1cd37c40378352f758034bd41b8f926b4809a0d284c1b4530c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
e04523cff5336aef494928ebc8db4200

SHA1
4bcee9d69e6510bc2bccdc51fa48cac94bebecca

SHA256
2e2b3617ff8a55de66e86998e37891914c0f706dd33b4531d609bdc788e300d8

SHA512
f67e235429e5872ca0d51f2bd3362b35ff2797118214aec91855f255c3560d2e64493ce838358f36d1879cff05db3a7d956558a8f23c8a057697a3cfd4be3d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f51e.TMP

Filesize
372B

MD5
270bced5ade9275fb91dee76d412070a

SHA1
823dc9d0c88d8d72f927d22c78dbde7f3859f476

SHA256
bc617142044f1f0c46928137464c95111095fb69e81904ee6f2a3fa03807bdd9

SHA512
df8d4d676c13f1d2cc3cd0d8dcc82477397608568edd939d3898d8a899aa49eac12e2d0f3c43998e265c700d60bffd5ece7fad67ad5c0d7cd93741c91cc0d44f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4bff303eff14ed14e2136be6cf75d86

SHA1
d5af80b1fb092f59187739920def96206106f72b

SHA256
3b812b049ccbaab740ba35c2504b98129dfe5fd6b824c8fc57c3fd52b4636a04

SHA512
95c3a8c6ddcc49ecbd8d239cea64435bc78b8238c4ec88d22e9e83cba80338fc037555a87b3eafe5ab2182e90209a9e927fde523eae4d1357b104e673f5097d9

Download Submit