145796219e59bb779e9a775f6fb355dd032170bad47d6fde97207a081c764be3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacddf68a4221abc16583c32f1e92a14_JaffaCakes118.html
Size

11KB
MD5

eacddf68a4221abc16583c32f1e92a14
SHA1

f5a552ffd4aa3cbbd772057c23c20e5560a4e34b
SHA256

145796219e59bb779e9a775f6fb355dd032170bad47d6fde97207a081c764be3
SHA512

b5b287b2eaff8ee33b13b763971aef59328c751c91ab5a578f06e3ee4cb4a969ada3c96625c2db57f0a9099508b51f15203e98ca232c7023241b8440400586f4
SSDEEP

192:syjMlB5iWygYM7wS4Dv3HVxsFcrj+etPemRe0u01ouGHb2JwIppupO:syfTQwS4Dv3HVxsFMjbJb11s6Df

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1924	msedge.exe
1924	msedge.exe
1428	msedge.exe
1428	msedge.exe
888	identity_helper.exe
888	identity_helper.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe
688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1484	1428	msedge.exe	84
PID 1428 wrote to memory of 1484	1428	msedge.exe	84
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 4924	1428	msedge.exe	85
PID 1428 wrote to memory of 1924	1428	msedge.exe	86
PID 1428 wrote to memory of 1924	1428	msedge.exe	86
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87
PID 1428 wrote to memory of 4400	1428	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\eacddf68a4221abc16583c32f1e92a14_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8293946f8,0x7ff829394708,0x7ff829394718
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11631280850441114393,4314612607927361901,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7006aacd11b992cd29fca21e619e86ea

SHA1
f224b726a114d4c73d7379236739d5fbb8e7f7b7

SHA256
3c434b96841d5a0fa0a04a6b503c3c4d46f1c4e3a1be77853175e5680e182814

SHA512
6de169882c0e01217c4ca01f6ead8e5ebb316a77558e51cd862532dbf9147d9e267f8db667ff6e9fa33164243724f5e437cb882392382f3cae1072dadb762c1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80cf20d9e8cf6a579981bfaab1bdce2

SHA1
171a886be3a882bd04206295ce7f1db5b8b7035e

SHA256
10d995b136b604440ac4033b2222543975779068a321d7bddf675d0cb2a4c2b1

SHA512
0233b34866be1afd214a1c8a9dcf8328d16246b3a5ef142295333547b4cfdc787c8627439a2ca03c20cb49107f7428d39696143b71f56b7f1f05029b3a14376a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cba5f8b62abb57046bbb67f1abb61450

SHA1
f0754b6f2b3179760c8719a8c0e564dda4c3d017

SHA256
fccdc272322a8b776fa09bdd4569fc6a0a1d558acdc78c006e2e1398e0580d3f

SHA512
992d30036866ccfc05ed4f5b2406fa34d1f4e5cc010658a81d1bae01b1ce74a5f8da7fdeea744fdac31450e75ef5ffacd6452ead8074fd48133ffd8714a404c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a59e5716b7beeede2770bb149ce3d2db

SHA1
df4f76cf491f25fd80fc00107fead6343e050eb3

SHA256
d05d5eedbf48f1b7d03bc0a099e0bfe80ba86cdf85f14a42acaf96c9aa3ed83e

SHA512
38db5c300b956cc15e2dfe24c346f336bdccc8dd6c974710ce4833366b42991836ac98da3f8a8a2889dec4957a71fbeca83565263c724818bb69839259e93f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f26d125261e95c5359069f02e362c2a6

SHA1
e17154019d31987b1643b493e028ec376155d3c5

SHA256
3ae57e16055417042b481f18679bfb4f35efd8fad61fdaefb3ec99e444c72981

SHA512
eb4ad67845610426ae8642109bd3b3aaa425321ccafb4d08bd3a8bf66a1f0610420e03277c9eaec9c34557ed958d8c47510440730c067d1ca2fe824fdaf339f5

Download Submit