fa0950b5430eab197a8b8289515c85281e9e0c6a0be9904e238aa0f60d8713a6

General

Target

9f0a56478ec49be62a30c4f351ab2749_JaffaCakes118.html
Size

214KB
MD5

9f0a56478ec49be62a30c4f351ab2749
SHA1

8445cff587aeaab39e607943af735293b52ced63
SHA256

fa0950b5430eab197a8b8289515c85281e9e0c6a0be9904e238aa0f60d8713a6
SHA512

2ff9ceb21cd3379419ef57404b589ed46d0f1f4d86dd948442abe073bce97d3c1728d0f7398bc398667b926b6212bfc089a8793a31e3ad1b8e0acf831a2f4af9
SSDEEP

3072:S0rhB9CyHxX7Be7iAvtLPbAwuBNKifXTJa:SMz9VxLY7iAVLTBQJla

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3996 msedge.exe
3996 msedge.exe
3940 msedge.exe
3940 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
1404 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3940 msedge.exe
3940 msedge.exe

pid	process
3996	msedge.exe
3996	msedge.exe
3940	msedge.exe
3940	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3940 wrote to memory of 4212	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4212	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 4504	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3996	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 3996	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe
PID 3940 wrote to memory of 5004	3940	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\9f0a56478ec49be62a30c4f351ab2749_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7466558861052815127,1424358873976647989,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0c2491340235f13767f48f81f1d30f9

SHA1
467d5dbc771d68241073a6b9b258adba30d1be33

SHA256
4f654bf61188bba8d4b022d67e4ff6b03082333af774bf23510c5b7b88c3717f

SHA512
585a44a27566449506fca5253009175b1cec0008b15a2bf4f489a6415b27777a122ea1439c5eaca5b01f09685d9afca6a7dbcf52c48ff32d7f5d21de4ca7ee2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5bd2889dc758f41458eca3721e2e4bb7

SHA1
fb72fe6f898d3f9bcbd4ec09a892a0549364ea66

SHA256
41dbeff6e4396a6c3c885d8d4f2204abf7c9c10dea9b6bf8dd15249ad94dbf64

SHA512
5bdd74802d12db208135fe52bafd318b3970cdf7d334fce48002439699c92aaab05aaaf0aa56483d257546f5fffa54b0f01cc6157ada42763abca2cec8603a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3676b10ebdfa59131e81da621aaf5ef7

SHA1
3f3ae3a4660f5426b677aec2df90a559858acc0c

SHA256
8f56f6cf71978c7a21e10ce07f3e878483128bc0bb0805e999fd5d8d5f0b1503

SHA512
8f63eca891bbed6cca6a069d48bbf230388816b180aab105340516440840e28675559cd6577078d4e0208791a412b29d34d8553794253a342e6b8567dd33acb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46db5c90bfbe2000455ab9f424980476

SHA1
534386c76ff0c863944e58d19ccb83af61b2afd3

SHA256
34d4c074e39aa241fc7abb6d69f2ca4d55255879d19fb5f5e60fc9f5be0ce655

SHA512
f44b85ba866e36ed922658240e591c1e084e3229cbeca2f6d9b3279bc891255e1ba9c0ba054f512bce9f7c4abcdf2028c2926b8b50c749e1adbff3ac8cc602eb

Download Submit
\??\pipe\LOCAL\crashpad_3940_OXKXLPTWMFAFXBMS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads