6ca10e89572be82e3be2a505e57c8d97975bf3426885ecaaee6a87f3d33b2576

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bf286b5c4282c3b337029786987e924_JaffaCakes118.html
Size

189KB
MD5

9bf286b5c4282c3b337029786987e924
SHA1

20041932b13ea71ee411d791b93a8252cc1ccdcb
SHA256

6ca10e89572be82e3be2a505e57c8d97975bf3426885ecaaee6a87f3d33b2576
SHA512

f0c68a8b2262f496649734844bba7540aa22b35d5a4f8cd1cf8b2ea58c484cb4cdadab37f00d5109308b8f7ad977cc90ea639215e43020da8a0f53f565c3c63f
SSDEEP

3072:uSmacK/86JBq6p7RQYhtU9Us00ZwlWlB/:uSmacK/8D6hhw4lg

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2024	msedge.exe
2024	msedge.exe
1480	msedge.exe
1480	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1232	1480	msedge.exe	84
PID 1480 wrote to memory of 1232	1480	msedge.exe	84
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 3228	1480	msedge.exe	85
PID 1480 wrote to memory of 2024	1480	msedge.exe	86
PID 1480 wrote to memory of 2024	1480	msedge.exe	86
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87
PID 1480 wrote to memory of 548	1480	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\9bf286b5c4282c3b337029786987e924_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92db846f8,0x7ff92db84708,0x7ff92db84718
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6865521246888368975,8763524158320394545,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9d418e2afb19deb7e7e8fab5c7106f03

SHA1
f1905171935252c79289aeaa564e2ee4ce1f586d

SHA256
f34e73a0091a70aeebcad44d52494d276ea1312ed95824421492a7882bc0522e

SHA512
169d3e7ab9cd75255c372a1976cd7e59ddfa206885cbab400e6c4ef0f14739d2044fbc4dd7e043bc6877146fce181e67f5484f3059b5180222faff6461b0b729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6ef8d52507303a5934b2e45a74f7561e

SHA1
ae203a19c5b32bc2d692f5f8cfe47cec6f75210b

SHA256
3c9ee07a7eefb6e50cb1380a09a8cccdcfb5a0e0304a889cce750b351dbd621f

SHA512
b8119eb12d4629772f021a9837ce26d834952821ae14b7689ca40e149fd294bbda4fa089490ab77ccbec0d5df8fd869169f97a86b4eb1638a23f170ca2169ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
641c9ec0e8c00500f8343ef8dc04dd70

SHA1
958a0a6765609fd5b72eb17a75bb12c90a0bcef4

SHA256
78036751e12641bc2aacbc3839d0a5e3c5ba8a3076f8ec083158f9e280e7e4bb

SHA512
2b70edab025ab1de55570bea1026e91d92a486a9c4319c3cdc5ce87969807076fe496f5de703986e449bd942ff6fe65a9f5e0daae811bbdc13cf64cec337217a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9698db76ba70fbc18de50eb406975815

SHA1
35dbbf3d02df833abb65d1cc4b96f00f994da047

SHA256
b0ab5e29a05c7ae8e0a960273bb83a0246dd58fc61af2fe3ad576722562d39ad

SHA512
fc643dee6c62b1ee1b02f01e1f221c2a6be14bb221f736dddd913da9003724fd5be8b086865874d07bc3a15a58e770bd83820f282af18809f208ccf88ed4e7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
868747bb5bbbebc214cef3e76ce0c8da

SHA1
d2d2cae7c551e4e0d0389f42209011d87d6bb5ed

SHA256
cec9432ac03363756f0926777ed97f422378d1c366727cc8d96ce3fee4bd8f72

SHA512
26c4492a8002de3f2598d4c611b3c719b5a3f1ba38c866ff7849b0d9bd29ec678b2fe3021cefb62e1db5d0156a8572a18b4cc45abe9785c622b21730e1bb1a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
957cec966cac1f149d96300d9345bd32

SHA1
e65f4acbd08cab247aa88fb24d7982caa734fb86

SHA256
ca5e8bfce3a277e0f0ae70179d37d7a18e96c88ef076548024a99bfb0a0cd737

SHA512
08b9dda670ce1f01b70ab92fc0ad57aa01a02b8bb6c9fc3b18e9934fad42c146ae2e0efd1d62165e51ece30c35f53ffbfeb23675e3832fc21cda673c5904f555

Download Submit