Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2024, 11:15 UTC

General

  • Target

    17da97a16cfd8f20369ca39f2464faef_JaffaCakes118.html

  • Size

    14KB

  • MD5

    17da97a16cfd8f20369ca39f2464faef

  • SHA1

    889585c34afb2a7ea0997cafcd249a75785dbcd5

  • SHA256

    58a15e709865c290e46f8ef7ed82bd51c2fa5135727353fed6afca9eb61dc8ea

  • SHA512

    e40f229923bd25b2de571f33dcc80c9ea3ab44404edd7b48d19540d0d43b57fd3667644ecc419f43d031d94698f0b9ccaf5a40f6f6d6c1948f3b35bdad33720b

  • SSDEEP

    192:Mr+N65EDJyjXIRKDvo/nymb5AEVBRzEfldtWyBAuzzTKqWBju:Mr+TDUFIjVBRzuzWyKYzgBju

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\17da97a16cfd8f20369ca39f2464faef_JaffaCakes118.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfff146f8,0x7ffcfff14708,0x7ffcfff14718
      2⤵
        PID:2136
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
        2⤵
          PID:4048
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:876
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
          2⤵
            PID:4320
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
            2⤵
              PID:1632
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
              2⤵
                PID:2704
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
                2⤵
                  PID:4996
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                  2⤵
                    PID:4648
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:812
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                    2⤵
                      PID:4080
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                      2⤵
                        PID:4572
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
                        2⤵
                          PID:368
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
                          2⤵
                            PID:3020
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1892920046719569686,13107809141539038710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2972
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4836
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2140

                            Network

                            • flag-us
                              DNS
                              8.8.8.8.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              8.8.8.8.in-addr.arpa
                              IN PTR
                              Response
                              8.8.8.8.in-addr.arpa
                              IN PTR
                              dnsgoogle
                            • flag-us
                              DNS
                              217.106.137.52.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              217.106.137.52.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              muronosono.com
                              msedge.exe
                              Remote address:
                              8.8.8.8:53
                              Request
                              muronosono.com
                              IN A
                              Response
                              muronosono.com
                              IN A
                              202.191.118.132
                            • flag-jp
                              GET
                              http://muronosono.com/6yF7gbvm.php
                              msedge.exe
                              Remote address:
                              202.191.118.132:80
                              Request
                              GET /6yF7gbvm.php HTTP/1.1
                              Host: muronosono.com
                              Connection: keep-alive
                              Upgrade-Insecure-Requests: 1
                              DNT: 1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                              Accept-Encoding: gzip, deflate
                              Accept-Language: en-US,en;q=0.9
                              Response
                              HTTP/1.1 404 Not Found
                              Date: Sun, 06 Oct 2024 11:15:11 GMT
                              Server: Apache
                              Content-Length: 210
                              Keep-Alive: timeout=5, max=10
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=iso-8859-1
                            • flag-us
                              DNS
                              133.32.126.40.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              133.32.126.40.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              172.210.232.199.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              172.210.232.199.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              95.221.229.192.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              95.221.229.192.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              132.118.191.202.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              132.118.191.202.in-addr.arpa
                              IN PTR
                              Response
                              132.118.191.202.in-addr.arpa
                              IN PTR
                              is012new-corecom
                            • flag-us
                              DNS
                              97.17.167.52.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              97.17.167.52.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              58.55.71.13.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              58.55.71.13.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              50.23.12.20.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              50.23.12.20.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              241.42.69.40.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              241.42.69.40.in-addr.arpa
                              IN PTR
                              Response
                            • flag-us
                              DNS
                              98.117.19.2.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              98.117.19.2.in-addr.arpa
                              IN PTR
                              Response
                              98.117.19.2.in-addr.arpa
                              IN PTR
                              a2-19-117-98deploystaticakamaitechnologiescom
                            • flag-us
                              DNS
                              83.210.23.2.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              83.210.23.2.in-addr.arpa
                              IN PTR
                              Response
                              83.210.23.2.in-addr.arpa
                              IN PTR
                              a2-23-210-83deploystaticakamaitechnologiescom
                            • flag-us
                              DNS
                              48.229.111.52.in-addr.arpa
                              Remote address:
                              8.8.8.8:53
                              Request
                              48.229.111.52.in-addr.arpa
                              IN PTR
                              Response
                            • 202.191.118.132:80
                              http://muronosono.com/6yF7gbvm.php
                              http
                              msedge.exe
                              780 B
                              662 B
                              7
                              6

                              HTTP Request

                              GET http://muronosono.com/6yF7gbvm.php

                              HTTP Response

                              404
                            • 202.191.118.132:80
                              muronosono.com
                              msedge.exe
                              334 B
                              276 B
                              7
                              6
                            • 8.8.8.8:53
                              8.8.8.8.in-addr.arpa
                              dns
                              66 B
                              90 B
                              1
                              1

                              DNS Request

                              8.8.8.8.in-addr.arpa

                            • 8.8.8.8:53
                              217.106.137.52.in-addr.arpa
                              dns
                              73 B
                              147 B
                              1
                              1

                              DNS Request

                              217.106.137.52.in-addr.arpa

                            • 8.8.8.8:53
                              muronosono.com
                              dns
                              msedge.exe
                              60 B
                              76 B
                              1
                              1

                              DNS Request

                              muronosono.com

                              DNS Response

                              202.191.118.132

                            • 8.8.8.8:53
                              133.32.126.40.in-addr.arpa
                              dns
                              72 B
                              158 B
                              1
                              1

                              DNS Request

                              133.32.126.40.in-addr.arpa

                            • 8.8.8.8:53
                              172.210.232.199.in-addr.arpa
                              dns
                              74 B
                              128 B
                              1
                              1

                              DNS Request

                              172.210.232.199.in-addr.arpa

                            • 8.8.8.8:53
                              95.221.229.192.in-addr.arpa
                              dns
                              73 B
                              144 B
                              1
                              1

                              DNS Request

                              95.221.229.192.in-addr.arpa

                            • 8.8.8.8:53
                              132.118.191.202.in-addr.arpa
                              dns
                              74 B
                              106 B
                              1
                              1

                              DNS Request

                              132.118.191.202.in-addr.arpa

                            • 224.0.0.251:5353
                              574 B
                              9
                            • 8.8.8.8:53
                              97.17.167.52.in-addr.arpa
                              dns
                              71 B
                              145 B
                              1
                              1

                              DNS Request

                              97.17.167.52.in-addr.arpa

                            • 8.8.8.8:53
                              58.55.71.13.in-addr.arpa
                              dns
                              70 B
                              144 B
                              1
                              1

                              DNS Request

                              58.55.71.13.in-addr.arpa

                            • 8.8.8.8:53
                              50.23.12.20.in-addr.arpa
                              dns
                              70 B
                              156 B
                              1
                              1

                              DNS Request

                              50.23.12.20.in-addr.arpa

                            • 8.8.8.8:53
                              241.42.69.40.in-addr.arpa
                              dns
                              71 B
                              145 B
                              1
                              1

                              DNS Request

                              241.42.69.40.in-addr.arpa

                            • 8.8.8.8:53
                              98.117.19.2.in-addr.arpa
                              dns
                              70 B
                              133 B
                              1
                              1

                              DNS Request

                              98.117.19.2.in-addr.arpa

                            • 8.8.8.8:53
                              83.210.23.2.in-addr.arpa
                              dns
                              70 B
                              133 B
                              1
                              1

                              DNS Request

                              83.210.23.2.in-addr.arpa

                            • 8.8.8.8:53
                              48.229.111.52.in-addr.arpa
                              dns
                              72 B
                              158 B
                              1
                              1

                              DNS Request

                              48.229.111.52.in-addr.arpa

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              ecf7ca53c80b5245e35839009d12f866

                              SHA1

                              a7af77cf31d410708ebd35a232a80bddfb0615bb

                              SHA256

                              882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

                              SHA512

                              706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              4dd2754d1bea40445984d65abee82b21

                              SHA1

                              4b6a5658bae9a784a370a115fbb4a12e92bd3390

                              SHA256

                              183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

                              SHA512

                              92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              55294a2bdcd2d3d726fd8be0a76244ad

                              SHA1

                              6d319d91d9a715d112b65f76583f8595fe1b0ec3

                              SHA256

                              7d657b7638f665a045b16092a218a68e18f5d33f8a3c9542fb7690d1a3c6274a

                              SHA512

                              ea52c8bd7c60dc5f3d7ee0ffcde775ac4ae0ea69918dbfa50f6ac231a72a3d1262ceab32832618123423daf121c7d79e88152156613fcefca27929fd76853db7

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              0d4be5ac431d5a3e368116815478342f

                              SHA1

                              e4e9f5a81f93cfe7bae4014a29363ce2824c670f

                              SHA256

                              fab8e702bef342319bdd5585f6979899dbb1289c81e5541b19fb08b5f029ca62

                              SHA512

                              49a165a86371fc0a5a8b863efd9cb6cc69a330017efa40accac43d9c9e7a4eeed84eb43db866010135b76d11856cb422bb69d660cb69975a202131f30eb42aa4

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              0e9cfb25d09e6732cf30896c555a7b85

                              SHA1

                              e8a52604a655f852fe382ac117e947743995b876

                              SHA256

                              9822a8694fc9360df40ac6c14ed67ed9eb6bfab34a1de7ae78880287fcb07b48

                              SHA512

                              22679ce8507a2f1a13f639d8657daa2d84a1e4a2b9f1c5dd65de551af1958a7fdec3fa5d562c028ff4a7334bf6f905e6b1a11e47d2a9ac50d974db1fa888b84f

                            We care about your privacy.

                            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.