3afb1cd953059890130a1a1838d24a8e544f4f0eedfce9eabdffab8d406910c2

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54101efbf72def7c138be108194d1e7a_JaffaCakes118.html
Size

44KB
MD5

54101efbf72def7c138be108194d1e7a
SHA1

850251cdc7878bbbc9df7f06e14371fb8b6720da
SHA256

3afb1cd953059890130a1a1838d24a8e544f4f0eedfce9eabdffab8d406910c2
SHA512

c810251014ac339cba7a216a5bcb06fc3dc654ce39fddeacfacdc5da3f2d9c07e9ad2ae80ead2a3b290d607dccf1e17491127613b96b44f6f5d91871fff64b5a
SSDEEP

768:0spDufmiOUSeEeAe6eveseKeteGe5eue2eQeqeFeaeueSeOeTePe9eme0ereWepe:zFViOUSeEeAe6eveseKeteGe5eue2eQ8

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3644	msedge.exe
3644	msedge.exe
4180	msedge.exe
4180	msedge.exe
644	identity_helper.exe
644	identity_helper.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2800	4180	msedge.exe	84
PID 4180 wrote to memory of 2800	4180	msedge.exe	84
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 548	4180	msedge.exe	85
PID 4180 wrote to memory of 3644	4180	msedge.exe	86
PID 4180 wrote to memory of 3644	4180	msedge.exe	86
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87
PID 4180 wrote to memory of 4856	4180	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\54101efbf72def7c138be108194d1e7a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a2d746f8,0x7ff9a2d74708,0x7ff9a2d74718
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,15027104539523323254,5772486167505732889,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
191B

MD5
f7da3bf15983ea1f51173cce7da6dde9

SHA1
4f1ed880a524a43d021bea9c39738ece5f925983

SHA256
e83761fc8cbf67b9ab20d5bc111026957a795275945d6c9c413fc326c1773273

SHA512
5a75abbc9bde6b2d16e10735c515cbc5aa58210b3c87354c7d011d5def00d70cd1cb83b69260b3dbe8444f3875a4dadeeb122ba5612a4e9c467849d7f4f340d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fc34600d7d6b5aab1de620882af0f2d

SHA1
ff7abc75977184d2f6a31102318b0635dfc074e0

SHA256
604c459850791e82d20c38cdb30022912211dd06b344867946820e0e8c90fe28

SHA512
e313d382738cf538649627cf436f2bc5deb9d0a434b9dfacd9201300034aaf6fd896b316e65b78985d61755774f9617e7411176ab92ea93118279ba9c238f040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f18d6ec36c9bbf2220fbc6981783cba8

SHA1
bc84474d8cb2ddf2f3395004e6ff030ec8689c84

SHA256
618ba6903b84518a3c2bbf49e54822069cae56aee6ac2ecb3fee199254f674be

SHA512
4eed621cf4d6334697215ec1a4b7e191543567294b1b7022b6ef718941c4c7f8902125d9b61690125101c88beaabaef3e12d79a86643867522c661439cf00798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d0a3efb7686e111a9ecefadc654f223

SHA1
d47a85379255d0d5c7eca93041cd1fa5b4efb037

SHA256
ddb46f862110b678b10d801c124d8f43fa65b50569bef2a7e30e6e253ead7d7d

SHA512
f714cc6f777b95116244ab2ed9866390ce5bc7138c631f87f00c957b1a08823c112957fc978de6f9736669078ca1343d6b08488096ad34325ea92915f91c43e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c64cfac632423eb32c0749a712924d57

SHA1
e7637b213793e2f01ffb9065d49e7db8db661a07

SHA256
05b1961b515a8245798e772f059c541f6ce866ee5eb80bd8b6a3504844bb442b

SHA512
821044141dfdb52ca8f039b9dc4ffd46e4add30c9acad5d83525bca6d0c04afe4734e1d29c5b400a7eaf76c5a57dc42aec77297638adbacce5ebef6c53bcea26

Download Submit