86819fd44cd794c07dd2022b909d27acb3e6b3f440292ed3705b49666dce3b05

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_10dd960e0339498d35a8aa2f5a0f79f3.html
Size

65KB
MD5

10dd960e0339498d35a8aa2f5a0f79f3
SHA1

05f51d7b652c4177c230accf74d3dca6ac58c4c2
SHA256

86819fd44cd794c07dd2022b909d27acb3e6b3f440292ed3705b49666dce3b05
SHA512

3647dc0d61cafb5e32cf96816ce9e4e8f1c785017c58d4802bf204074f75ea650d772128429f44524c74e7de9c37f875238ac546b41bf4352b3f9b8d55f1d686
SSDEEP

1536:ZJzGwhEGtlNJQL1s2SLKmlLi4Hsj4sRGQf1det/e6:ZJzGwhEGtlNz2SemlLi4Hsj4sfdet/e6

Score

6^/10

discovery motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
82	https://jira.ops.aol.com/secure/attachment/688199/failwhale.html	4796	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
1564	msedge.exe
1564	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1564	msedge.exe
1564	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe
1564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1084	1564	msedge.exe	83
PID 1564 wrote to memory of 1084	1564	msedge.exe	83
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 3644	1564	msedge.exe	85
PID 1564 wrote to memory of 4796	1564	msedge.exe	86
PID 1564 wrote to memory of 4796	1564	msedge.exe	86
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87
PID 1564 wrote to memory of 2772	1564	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10dd960e0339498d35a8aa2f5a0f79f3.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcef546f8,0x7ffdcef54708,0x7ffdcef54718
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2632054370651245046,3315363059205244697,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4652 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6c8b6cc2ef18a6312aae9595bdc4d4b0

SHA1
4baeeaabfe48a2f4bbc1d104d7f62cfdb51c040e

SHA256
4d8cba4abb9e7e08fbe3a568fd171eb128105a82ed86d30d807e23ffdbaab79a

SHA512
7e80111e4a6b7964f7c4bd70c1901a3a59a1359c9dc44364453460447a7ff2a7bbb51a0da8183f6bcc3fce45088dd70549a90a383dd9099631c60f0447075849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c81437fe093fe095a264caa291f604f8

SHA1
2071d436cfc84a4ca538692f540d3cf0da4c5a85

SHA256
2490e2e145beac60c4c84b7336a0e3f608249da6513ac4e13ac6fe043ebe321c

SHA512
706a204b5dcb26cf156a66a52ac778d16fcd9dcd554847c3a1423f7d643503275c5307dae292b9922c0e45af0e13278bf37d5a9ddfe26cb16bf1084e7c7ee76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
902509cc744159fddbd378853627c9de

SHA1
b33169c3851e685b1833251dbd750f8673a881b7

SHA256
2fcadc951f42f2acb8f3c3145d41d4404cbc4e1d04aba89b2b5869226acd549f

SHA512
94164a26983925e351322c41d59bb8750e396bcc0bb52199712cbfc133f3096c2b9273ab3d6633996352eaed3ce587a6a540f0805bbc5396059ebde0d47e7a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6ad0b27a7e7903272a15d9e59da13ea

SHA1
2412055bf6a32a1de5ba2919e5c44c0759951e52

SHA256
bdf59fd6cfd43931383c743b4f5f841c4ead179cb7ee7d2edb356be047dcbfe0

SHA512
61d39fd086efa600e6d6d354d0e1b2072e519b285aa1499d1d1f8d63b654064f2f9498241f9f5f6b9fec7e921fefead7f74c47c378ebb9689335d1ebae2115e6

Download Submit