99d29d368b01ee76b438ef41b59a13da4efa18da76f2d1d6355344ec8fe25dad

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 19:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6b0c5cd0561927bae8502360409213d_JaffaCakes118.html
Size

911KB
MD5

f6b0c5cd0561927bae8502360409213d
SHA1

a96a1f56bf5adf8d47aa021b42814caf83c9654d
SHA256

99d29d368b01ee76b438ef41b59a13da4efa18da76f2d1d6355344ec8fe25dad
SHA512

0df83a908ddacec4fe87b932caa4ecd314678d8f220ebe7b04e79a56be01948d9fac0052a3c5636cc056fd7487f2646ceb1ac6250da79f78a81cc9830c24481d
SSDEEP

3072:opPCq/32szA0N/Gd7ZXxjgrJBdYPVeef0xOMQfw/I32szA0N/Gd7ZXxjgrJBdYPU:ThsMKBdYPYQMfsMKBdYPYQMpv

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
900	msedge.exe
900	msedge.exe
3292	msedge.exe
3292	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3368	3292	msedge.exe	82
PID 3292 wrote to memory of 3368	3292	msedge.exe	82
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 1588	3292	msedge.exe	83
PID 3292 wrote to memory of 900	3292	msedge.exe	84
PID 3292 wrote to memory of 900	3292	msedge.exe	84
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85
PID 3292 wrote to memory of 3484	3292	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\f6b0c5cd0561927bae8502360409213d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0b4346f8,0x7ffa0b434708,0x7ffa0b434718
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11381556156486095758,1833716968563342661,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
22a4d117197bba0bbc6d541c8e7164d1

SHA1
3aaafe3141973e1d967a1b574d43ae8d0ff80212

SHA256
ad0c86b0cfa6065d826b876bddcf51ab2091957a168075c4cda7ab3da216c5f6

SHA512
405469a5327770e7f708936b72dec3d36c514b4d09d4e4f22a7f543b8f1c0e1bdbb52b8da56ad28ef5cd217c2101f79af690da0dc60b61e4ea87449aaa9f2f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91c6866cb91162f47b2a27187b3a37ce

SHA1
11ae487a80bfd67f15c00cdd276672dc8b6af489

SHA256
a100bbe4c08232dc2390ac47d0e7c127f09bcf69b98fda2427d39afef42047c0

SHA512
df44399c37172e37368019a1ea4cfd0da299393f29a621a72aa1f91279c9dbdd058467b727c75d7f82642c50ce2c5df3e862d3bab0f009706c826110c5f9e6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b9719415c5485615ed6b25941e3136d

SHA1
ab9da99c62f137f458538e7c8b1b749dd377fa59

SHA256
7c1693e3a095f1a6c4ee970d09b5d93ffc4f10a1015c3ea77684de0f914b1a73

SHA512
dd4763c71ec3c313679a7b415efc05618dd2313d2635221e34d7e2bf458463a45aefe06ed249071ee8a668e5a5355ceb2d04f8cefdbbb2e3f670b4ee8717b056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06f2909d307ff8dbba9da5e7aea369b9

SHA1
6efa91af7a77d7ad85da3cd09ecd30e2e83ec1dc

SHA256
0abb6819521c58d9be906c3c85d2c08c4dea416bd7dce33fb883c66e7e24ad4d

SHA512
56a430799ce2f82e3329f56fad2bc66a508c3c7c5cb48f7c5fde5bb7fd1e05bd439a380d43094d88bfe14ddd628d0b69daac0b5fceb71a127160df262028df95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
529960bc9785e17c4c0cdf910cf0fa35

SHA1
dd3907d107568c349f14052f37a7d66ec8084251

SHA256
7038453d472311cbc9e64f985c6e376869275b8771f41ef380aca7be5f611c68

SHA512
25fa6642480985f75c909839d00c13d01b0bdd3b55522594e0771f6a0f2d53180ec762e1552d8937325b797afda1da996a04898d1aa7a711ad6ad0f07f1125e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5836f9.TMP

Filesize
204B

MD5
8a1de68217f74d67fa840fdf5030a8a0

SHA1
8c45c923bf72266cac434f6a402dbc1c0fb30eec

SHA256
309a53969baec8e8ba8c39e89cd844ddd2976db9f5e0f14a587934e9e7579dd3

SHA512
032cde7d86752c95e76523d0657b8ff19ddcd93b45812b62a302ff9fe85311adbbd8260237189134431a3c18cb370f4fee0ec018dd069cc78c51a569308086f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c27bdbf82482852a5f0ab1e44acdcd02

SHA1
ca3f76b64acfd26f0a65f51fc69bc33d4827ebab

SHA256
507d00ef232dc09a027c7d583bd04a1fab310aef6a8adb88d87ab812f0e1440a

SHA512
eb17cec1603fa34b8915a14c4121269fa90d7de8aa95d2e91e69118ea1962cde2701a4fa7f7ae6ecaa0ff80792b39edd8cdd8d4c0c47719fc31e58d4a639bc7a

Download Submit