dd8dfb2fec4fefa69867d5621f56df55f52af99e55cd227c0946927d31e0f028

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04a5c6fff1f8a76a90b7e4c64fc804f0.html
Size

64KB
MD5

04a5c6fff1f8a76a90b7e4c64fc804f0
SHA1

1409bd30dae9850bdf0817e57078db1e19011457
SHA256

dd8dfb2fec4fefa69867d5621f56df55f52af99e55cd227c0946927d31e0f028
SHA512

a855a5ecc65eae8fbbe93915c1bba7d18b7019f6923aa15b7a069f7e2aeaf900ec9f004a9d8223824aaa41ee1edb06e132a01b5adc79a8841fba23cfa6cd5027
SSDEEP

1536:ZDzGwhEGtlNJQL1s2SJKXHxK4Hsj4sRGQf1detJ96:ZDzGwhEGtlNz2SAXHxK4Hsj4sfdetJ96

Score

6^/10

discovery motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
85	https://jira.ops.aol.com/secure/attachment/688199/failwhale.html	1556	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
3900	msedge.exe
3900	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe
3900	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 3440	3900	msedge.exe	82
PID 3900 wrote to memory of 3440	3900	msedge.exe	82
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 4416	3900	msedge.exe	83
PID 3900 wrote to memory of 1556	3900	msedge.exe	84
PID 3900 wrote to memory of 1556	3900	msedge.exe	84
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85
PID 3900 wrote to memory of 1796	3900	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04a5c6fff1f8a76a90b7e4c64fc804f0.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb09046f8,0x7fffb0904708,0x7fffb0904718
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11184651859008270855,6149252974379897170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4264462dfbc6904b74dfb330c58fb140

SHA1
76552b272b681cd60e8387cb8d0079218dcef7ef

SHA256
9d5fd8ed68ec48d924697520f2dacf35c17200c7868ba6dbcc32a2f2bd1c2c33

SHA512
391c605801976bbf1400da42b7f84bb50d9f2b2d510118971be4de287e92a0aac9823aaaf377244c8d1e8a6fb58acb39698d9b15ec23ec0ec1d6a48e22333fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5dcd9b333b10cabba4513c31a6148d11

SHA1
bf17a96e2ce317efcbd53931f3a26d134f23754b

SHA256
671a2270ccf6c52888ec5f17d7bc862b56779ef25ab1ba32c0c0bce74bdf95b8

SHA512
b4e5bb4c8519697bddac76a39a2b97cbaa3fb33990a0bc2453ca9b8ab20b013d6a4f833e3ac09b4cb3a43de3e25ce795f078cdf594922ee248063a1c5a617d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8fd5f5a8e4809208e1b6f3dd419994d0

SHA1
eeeead10bf7c534a10058583f6674c8b364dcf89

SHA256
5007743639e421c9ed739fa5983455632e865c13126282828cb91d771616ec7b

SHA512
f87927b5d849056dd2f6032edda81e38c7ac36f2909e1a45c2ddbc34e4465338d8db5b637d153d4fab9f747e8c44932ec5a8c4fbc1dc94ce5db1c95a37e0cc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b11915bd595cd55de6a8272081dba8c

SHA1
d4bef655eb97e7ca6b574944b4fe13f1f466d3b6

SHA256
9efc501ab03b661251e47f51871bcd0bc2c4e6616c7d8af0df805f3d9fccc769

SHA512
f7deaf4212119875dabc8e70786b71c0be94720e23985a66d0322abd5315a3ef21f93b550c8f021b33f3f37295626e6a4d002d7280cfcad5b4f446d32e03445c

Download Submit