81bed8920bda9db6de0b4dc8462d67b510f9dedc130733b790229b3dd01861a5

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4bc6d1fccb08a13ee8a90017bb1cb6_JaffaCakes118.html
Size

110KB
MD5

ea4bc6d1fccb08a13ee8a90017bb1cb6
SHA1

bdfd8db2cf8927178073eed9079aaa5f29c159b4
SHA256

81bed8920bda9db6de0b4dc8462d67b510f9dedc130733b790229b3dd01861a5
SHA512

6193f0f3c0a39e8f7e13918a83a6f84cc0ed7334fd72385a291cf474c48b8eb1de196625d29485f988b40cee8a21ba210eec814319f6c3154d9b9d4688375f3a
SSDEEP

1536:o5Oy63DaFnVhNTfGSWwsLbi19jNDM2T3y0swjZsvC27uWMJcTRm/TQQbQUvJYsiA:StM2OMVN48sM8t0NOU

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3256	msedge.exe
3256	msedge.exe
5060	msedge.exe
5060	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1684	5060	msedge.exe	82
PID 5060 wrote to memory of 1684	5060	msedge.exe	82
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3216	5060	msedge.exe	83
PID 5060 wrote to memory of 3256	5060	msedge.exe	84
PID 5060 wrote to memory of 3256	5060	msedge.exe	84
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85
PID 5060 wrote to memory of 4316	5060	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ea4bc6d1fccb08a13ee8a90017bb1cb6_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe1346f8,0x7ffcfe134708,0x7ffcfe134718
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,11925314657404809997,930009230292803915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
c0d45f442df82c41a4b0529f828bb08a

SHA1
fdb2eb3f5a439ecebd4adccf371c5dd72d8b7971

SHA256
f10f3956d112489c99f5935d546711d49e1f28d775fe0c410b6dd0da29b0a3f7

SHA512
dfc4230b4d6b1315a540dd4eb15c2e0b8b04eda1f5bb9d00b74cba968de2bc5403ed28debb7c4c4ec0a1ce43d7908cf57d988b82b5285e8c73e76051477690f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0b4d207480156561aa2e7eb35a1d6a3b

SHA1
dc58016ba6d78552bf6b791e419ca818f0a35a4c

SHA256
222ea16dfeaee3480e1c1c3c8a124e9f500d1522042f636c3fcfbc9515ef7ca7

SHA512
6a4cd8c43faf60150302d89ba6438b12c19fa2fe10267568141f4da1c841b83e703dbda7e614f991e9febb86247a582cb50c824e231886d443d515ba4bac8bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dac74030fbeead496df85f4d536dd8f0

SHA1
d884541dc9c38c721f49194b387e3254730ca557

SHA256
34db2c410deaa568c905f0abc2df189f3c99634dfb338749fc4b6ab708cc8699

SHA512
40b2c970f7b6c9ce6f312f0a5cebdc8dfc1f5cffaf2bcda0fde75f546e1579310c9d72218d5f11e66a0119a79b1acf90b135fed92cacedce06fd85eaa11139c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb3c8ad1d3c89a8f86c75658f2523600

SHA1
e1019f73a52ca13b3399d412f95d4a9027173be6

SHA256
aeedaa28afea4f72e554d25ba13931a359532eb48b898ba541fe1a3adf74f4f1

SHA512
04982923ece6ec0b45ee0733405c9d6100bb7cde456fa593137ad50067f7472b80f625dbcbe3b233f3a70550aa0a33e29c78d3ae8268a2ac2e96bfb0b2a40c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a8ecb4d90bd9ed720cee8a4faf8c8d89

SHA1
b59c216abd89c520bf1670d12dca2c65e58439cf

SHA256
5034ad6017840e15b87c408ca8f262af7eb2465ac24c32d165bc0fbf56b8b67e

SHA512
aad923891fa3a0e3974d1145fed2f5e9209196ce1da27e46eb703f7d79f6686b2d19c7741c226fbbd374b2789bfa7d2af9802529230608df69a7f83352e6ae6f

Download Submit