c6779d79644c8cb210bfc5f64c8aa4a750ca1435f046bed8866be81b33bec3d7

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13eaef8aa0336109a9399179f5e102ca_JaffaCakes118.html
Size

25KB
MD5

13eaef8aa0336109a9399179f5e102ca
SHA1

fe83c211f179f54ffbb59b8fba32d9eea61d0b0d
SHA256

c6779d79644c8cb210bfc5f64c8aa4a750ca1435f046bed8866be81b33bec3d7
SHA512

a367e37cb8901dbfe78800a4a9765c727d1382597acc2e67df32930b68877cbaaf03dbbe7ff06c3374be8d6f21d9e8f1c4bee98a78577be59967ec453e5c369b
SSDEEP

768:YppNfpvlDgpNEWh0Uut8r47VbL4maSsq9:8pNfpvlDgpNEWhGcoSmaSsq9

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	sites.google.com
27	sites.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
4104	msedge.exe
4104	msedge.exe
3188	identity_helper.exe
3188	identity_helper.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe
4104	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2188	4104	msedge.exe	82
PID 4104 wrote to memory of 2188	4104	msedge.exe	82
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 2776	4104	msedge.exe	83
PID 4104 wrote to memory of 4796	4104	msedge.exe	84
PID 4104 wrote to memory of 4796	4104	msedge.exe	84
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85
PID 4104 wrote to memory of 2044	4104	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\13eaef8aa0336109a9399179f5e102ca_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc66846f8,0x7ffdc6684708,0x7ffdc6684718
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,9489355021967593214,7172466644976578050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7ed8d780b4968c539b9ead4c06daaffb

SHA1
3e98c1788cb048f79af45bd1ef94e49372e6aaf0

SHA256
813cfba6e200b04a00b9a417e0bb5e491db3880007229b2b20873f514e25b5d3

SHA512
824099b2206694e4db6edc3acf39c7535f3dcd975b44aef493b92bbbf611d41e56d426a88fd120c5a7142eb75c97c8b3956068e949218b472166228a34151a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
868B

MD5
2db1128384f383db6a63d327e3c61260

SHA1
6bc5bfb1792ab00fd36f3edb64fa52ce0108c2ec

SHA256
f90d9c9ee8a54460aee11340d1e1f4ff7ee120252d1ec11925d17a812cc388a2

SHA512
72874b671b44ab80d691795328ecd2411056efbf110ef2fa0b23bc20fb4b5e4394ccdc2cae953e936ceebadf0ea805c593bbe3ad87415266197a754ea452a8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f6a8315a67671a07b63f1317fac850f2

SHA1
e2fe38b50b72929a65ea353478bdd78874773874

SHA256
afe92c61118ef0dc0d7d3d63babc33e479aa4d6f225c7910b2aebfa716c9a0db

SHA512
2008ef084ad83cb7017ab93f9360a537eaf73690905a2647e451eddcb6901fd2eb50155a377a6497fcccc61e30cc3622c1f965ff16827a9f9df4d0a28389688f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63babd6168351f0448c2a539dd8646a7

SHA1
eb69deb0a543b406ecd063f82b7eefc70a5dccb4

SHA256
6ca54ff9a5b6953449f983ffb09c0f9666d44bf9127f917cac5c4b9914a19408

SHA512
41ce7f90c2e85304a6500965a2b0684e951dca19e8d77ee92be4a5daf3d5370d781dfdde2e57310647f4748118e58892029d19663945e192e8f33a301eeba7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed0c5f832ea0761286cf5fbb3cd68bf3

SHA1
95359d039b2c2499987df2042d6cd6539f08daaa

SHA256
f582aed2cd58eaf289af58f2ead9073141b6b81b1c6c03e4fefa2070aac49b0e

SHA512
07fbc2f48e5428b4a7fd464383aac82d6fe0a2aeaab6da584ca372a20bcd0fa199cdee733cac416c4cbbdd1519d6a5fdf9a61e0be03474fd571fcdf05aa7b5fc

Download Submit