d5add9c13a577c861884d3ed77db858640a9809f26341488547da715876d66c0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12746f3423a2543d15e0f7a31def918c_JaffaCakes118.html
Size

8KB
MD5

12746f3423a2543d15e0f7a31def918c
SHA1

6d675502a0b9f83884a6918a21157408429f3781
SHA256

d5add9c13a577c861884d3ed77db858640a9809f26341488547da715876d66c0
SHA512

3ee0ac39a773d13e357c2e7826733fee36f70757fa34b9771312e65fa4b09d1d0fc9029f34e32cd668c34ae45700bbea71904bc3cc42b95ae6e5e85020c6ff3e
SSDEEP

96:5J3mZAUgYNMIjxuYr4OaPdzsPkDDOeO9unx3YUdslqhrpSh/T7mwNdP:5EbZxhrCYqVO9unxoqsWpShL7mwv

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
4944	msedge.exe
4944	msedge.exe
1436	identity_helper.exe
1436	identity_helper.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4504	4944	msedge.exe	82
PID 4944 wrote to memory of 4504	4944	msedge.exe	82
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 208	4944	msedge.exe	83
PID 4944 wrote to memory of 4812	4944	msedge.exe	84
PID 4944 wrote to memory of 4812	4944	msedge.exe	84
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85
PID 4944 wrote to memory of 2572	4944	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\12746f3423a2543d15e0f7a31def918c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9023646f8,0x7ff902364708,0x7ff902364718
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,6611876316813859254,6707689489907609797,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
f79f315aed92fba887613b0bef76ab98

SHA1
32db518d5fe66ed812a121edb16e7943b2f68d5c

SHA256
66ce151deabcf0fcebb51f88c6df9c204c492d93eb748cc93e9d10fee39446a7

SHA512
31f57568a1b9fe74521ee965dcb4cdf4ea05999048254bce70fc46d6dd58440999b8b129950f47bbef6b512d75d77c82ae4521e1d9cc8b4b87acf22e99500791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
400B

MD5
efb04ba1513f1e1e380abdd24d90c4ae

SHA1
cf56c1b9dc060c20bd72912b7663eb401d1da7d4

SHA256
44cf294cb73fd52ac0028274e2b35c9b38988b56eb571fefd09b4ae0d34354a4

SHA512
f5e63e5941bcf3dc586f2e9ee995e16d9177de3210c9eb904801573aef432963d6f9bef8f674a2638552d2ed803368a790a235663890ea402c7d365af4b58025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3658755dbf091066119d7ad38e7535c3

SHA1
f0f1a722d9a851502b21b0e09abe2f37ea4b5b6c

SHA256
b3356ceefc98b72b3a6259d9b4d6f9cd4609b452236ffcdbbe2ec3ad3bf73506

SHA512
c373653770b93696378c929462f6d05646c28b4848e13daf7bd9c9a570fc04d2648341924cfe602dffcc2ded7992c17a0f0bfd0e09caf6d253570870e1593d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1576be37694939c84a54367db35bc015

SHA1
c2f85d4cd89e8dbc9f2a9afe46d1d3edbbadb0ea

SHA256
9f6b25363eb8b81033219b91e57b243799cd99157a944abe5f4fd82b96f61200

SHA512
d5eca9a192d027ab6240a9cda8d58781a7c59b66ce359a359de9fbc93afceae7e0421c0086f8b3cdeda1b55154b72ea385eab65d15a161fa61bd80cb942f9f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c8e0a1e1e3ddf9048cad054eef1a880

SHA1
55d48b0aa3e2174f2908d08b8c26c66192188143

SHA256
6ba0d321cf01a7fa1cb3ec1535dd9b4e3651864022c87c072e768a6af3939781

SHA512
7a659fe276c3b5ad83d3b764d1f5b30ea1f950a6022ece4d3c7ba3c547544d7e0621b21e2e02183f80845573fdf758d35f388219b65d1df5db5636007cd7ed88

Download Submit