928c2a8a8f3c9496429ab21e69b69fb42897789853fac8d08bc65f92ccbbbe41

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec76649365774a8e768bc553a6b7548_JaffaCakes118.html
Size

236KB
MD5

fec76649365774a8e768bc553a6b7548
SHA1

3c0e88e11bc42b85dd01800b2777a55015b021a4
SHA256

928c2a8a8f3c9496429ab21e69b69fb42897789853fac8d08bc65f92ccbbbe41
SHA512

6c5c2bd9ed7fdef9d5ca5510c75b9c1e41b719c3de24eb5e427588f9dba58a03512276fe0e7a131e7b649256fc338211aad772477778362362e69343cd747970
SSDEEP

6144:Zbgp/p9ppzjF3bpMQ7q9DCzKtGtpz2pypXY9pNv7gpHXLEpKK:Vgp/p9ppzjF3bpMQ7q9DCzKtGtpz2pyo

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3820	msedge.exe
3820	msedge.exe
4272	identity_helper.exe
4272	identity_helper.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 4028	3820	msedge.exe	82
PID 3820 wrote to memory of 4028	3820	msedge.exe	82
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 900	3820	msedge.exe	83
PID 3820 wrote to memory of 3264	3820	msedge.exe	84
PID 3820 wrote to memory of 3264	3820	msedge.exe	84
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85
PID 3820 wrote to memory of 1404	3820	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\fec76649365774a8e768bc553a6b7548_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb08a746f8,0x7ffb08a74708,0x7ffb08a74718
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2215971862306341612,17040492260636821163,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
245B

MD5
c339c650ff7df4c374b206d0ee6d3a2a

SHA1
742ac917076fdcc0c393e177b26b6ee200f903bb

SHA256
5c51dbd49fd6ab9ca2fc2f7f244c5ad55650ae686feda46c8512a09c9128c037

SHA512
c59bbf82e02a0ebd1d0dd46d693fc9c3a1b76d7409fc55a38c38a97f94381662e80c72c562da50ad56d33255e139abb6d24a2635d996f11862136ebbc9c746a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f3b39fd3ea3602f8a8e47b41cb96cf9e

SHA1
92c595793466eec53356abb6a6683107e1368f28

SHA256
721c76924b2078a67ecc00869db4e9a0474a3efcf5449edfe95354a4e65b2d1c

SHA512
e862400c5ef8792fbc97194ae235505ecb8bd5be37d878363fde13315d89d4c8d89bb333fc0468a7b5552439140e3de6b9dc91dc4d4c8049bb7d31ecda2a3508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfe2deb298c7b9da6f06dc166d1e3ed8

SHA1
f895150864dfbb6cfb70dfded1d08c7ab3a5b5d9

SHA256
7ea92909dcd18cc45348c8b00f7278108b3ce850eb79e1250da0cd9f47a6761a

SHA512
69ef2400f335a93f9c873b1c2be56018062bf5146783497403bdf6822652a04f882096b1015a33020ccce61b10092d98d4906755f5d147ccd46d2e5139704696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f59280d25317a6af43e9eb87cc660fa8

SHA1
d3c8af65e1eae745e696a62c7f59cd946e2cc6f4

SHA256
cac39e970c612cc594bb74cd000ae945caf3f2d8c0fccf9a08c7372702906d98

SHA512
df84b66372ff6d99f4d5dfb4f25f4bc7bec3f954f0a763640484fef7de1200ebcb9f74d9de60d1b8bbb4ed05cd8ba829102dc8e6f4919993bbcafacc9f61078d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
055d79fcf832fb9500df1ed307df3b84

SHA1
985a76b0c41baf42a387d0a21d67131d9a3cb423

SHA256
4febc031c56cb4b40fee6cb2ca31decae21b41ba63306be9c7a9724124044b27

SHA512
339d92e3f82fce970ba8f109bdbaf905e0b60c7a8d727a0445639539def159d19ca0adfe12e46a82fe79bf2b9141e1e513ce25004a4bb1762e1f58c0b0b12d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5859c3.TMP

Filesize
372B

MD5
dbaa52bda0f6c41e29b93ada2b196a5f

SHA1
702a53aedb704dd2d64a299295703341ca46b872

SHA256
ab9f934f781675d6f7169746a608639cda30a831d988edf08eb33ba56e9d098f

SHA512
ff7e90e81cebbfa798267ac29580642a8f84306121d3ed575ec252f7e3837a146e76eabca2f7c75a63c587b8af1addc60ec1e2bd5e0b4f69c14ebe31af279a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c65a638534a482e636e7f3b7b20ecf34

SHA1
66200fa81e5c811651f884e005894e4ae195b612

SHA256
8365e7dd0b316bfa8e0c76a46ff7baa76ad6b9d8e0b971e340c0d14f0a016dad

SHA512
c4552ad549673f73f02cd81f21ea76a659b127172a1a9b2aa35eb4da2c2628c57561fd26b20f937d25352eb35b4ca746fff3cc39e75e3dd0dfd13308d7010986

Download Submit