Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v7vmpsed57
Target be879277e08563a258358f6762643974_JaffaCakes118
SHA256 43aadb765b7818787237db22ee95f1127b98f6b78cdb0525cb72f7ed434030dc
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

43aadb765b7818787237db22ee95f1127b98f6b78cdb0525cb72f7ed434030dc

Threat Level: Shows suspicious behavior

The file be879277e08563a258358f6762643974_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:38

Reported

2024-04-04 17:40

Platform

win7-20240221-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\adobe\acrotray .exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\259426917.dat C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\bcssync.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File opened for modification \??\c:\program files (x86)\adobe\acrotray .exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File opened for modification \??\c:\program files (x86)\adobe\acrotray.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File created \??\c:\program files (x86)\microsoft office\office14\bcssync.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
File created C:\Program Files (x86)\259426839.dat \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FA78D41-F2AA-11EE-8A09-FA5112F1BCBF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f097dbf5b686da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418414193" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000be5684ab2cf5a8be045ecb6a06756f34cf925eb99877ed4041bac2d66ef77b1d000000000e8000000002000020000000973bfcbecc2f6d4784ddac8f0d7c24c25623ee5526e894d7af9b5123f73c087420000000c82dc5a17f4c14d0fbbe5246538c7965aa6d6fb4931439230628b1f63a9757af4000000091b864ef9ec22d2a1fcba0094d41224f0b5223dd16c4f83630bb70a0efaa056d0e93184749f8fd50ff624c3f8f118f832bca27f465193f1c484eda4f2c9bf2ea C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1144 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1144 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1144 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1144 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2484 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1932 wrote to memory of 1496 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1932 wrote to memory of 1496 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1932 wrote to memory of 1496 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1932 wrote to memory of 1496 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
PID 1932 wrote to memory of 1328 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1932 wrote to memory of 1328 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1932 wrote to memory of 1328 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 1932 wrote to memory of 1328 N/A \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
PID 2484 wrote to memory of 324 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 324 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 324 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2484 wrote to memory of 324 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2

\??\c:\users\admin\appdata\local\temp\wmpscfgs.exe

c:\users\admin\appdata\local\temp\\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:209938 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.supernetforme.com udp
NL 82.192.82.228:80 www.supernetforme.com tcp
NL 82.192.82.228:80 www.supernetforme.com tcp
US 8.8.8.8:53 ww1.supernetforme.com udp
US 199.59.243.225:80 ww1.supernetforme.com tcp
US 199.59.243.225:80 ww1.supernetforme.com tcp
NL 82.192.82.228:80 www.supernetforme.com tcp
NL 82.192.82.228:80 www.supernetforme.com tcp
US 199.59.243.225:80 ww1.supernetforme.com tcp
US 199.59.243.225:80 ww1.supernetforme.com tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
NL 94.75.229.248:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.superwebbysearch.com udp
US 199.115.116.216:80 www.superwebbysearch.com tcp
US 199.115.116.216:80 www.superwebbysearch.com tcp
US 8.8.8.8:53 ww1.superwebbysearch.com udp
US 199.59.243.225:80 ww1.superwebbysearch.com tcp
US 199.59.243.225:80 ww1.superwebbysearch.com tcp

Files

memory/1144-0-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

MD5 b7b13590e9d4315f4cc79014dd07611d
SHA1 a9eccd6ea058fba552f2755ab8c6bc64f3def3b7
SHA256 e1eee4bdffd6c20a5cc88f39a015b39a71617f8b587565d8db5bf0f945f46c30
SHA512 177c289664d61a83453fa52a108826cbe0d4b209108d9c45ce18980e871d8380aa99e1c09b89efdd524ceeffd1eaaec70b84a2c130b31cf4ccc3272013bdbb47

\Program Files (x86)\Internet Explorer\wmpscfgs.exe

MD5 921b2d7120f19b7e8e120f7f303bd6e2
SHA1 deece0afb4703255827faff9a0d97793140b81e5
SHA256 21d89472af24b415c0390651d7b50e631ac2ffb671ecfd5543f197ebab3bb9b6
SHA512 f53cccb9f1cbf9fe1acf959612f2f916b97fc8713a3ef1cbe58c08431793db35df8c8e09311533ffe222f4b22c3a7dcc7f570b1598cfe80ff23cb4c5e10f4c5f

memory/1932-22-0x0000000010000000-0x0000000010010000-memory.dmp

\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

MD5 2b84891211d8e66b47851e3fb42942df
SHA1 272cc482cde8b46432dcb9d35fdfaa9d01dfb251
SHA256 5976f12affe7258799c99abcf9bbfca78fb92ee9baf5c4e3e8ad03c13c5bce3e
SHA512 cbf6dcac12b76f345ae96ebb8dc0ada53d12d800c000c41ef2d3cdf6d07b07ac536c987b413686863428dcc46cc276d33957e0a98bf34e405901181addb49775

memory/2584-35-0x00000000002C0000-0x00000000002C2000-memory.dmp

\??\c:\program files (x86)\adobe\acrotray .exe

MD5 80b9cc2a3262873d95a2bc896ef56176
SHA1 e3034bfded6073bb2c22039d708ed835c800827f
SHA256 ae0ad8e172d8b117c7ea1ad04c2ac726e6856cbaa469c0ad21ebc82558eb52ad
SHA512 7f215e923b9cd54b12e95dba2a5909a5a694a83aaaa91fa86654dd6e0bf042b2edb21e7d597449dbaea940e7a60de041e576065dfe9c982d609aa2735d934abc

\??\c:\program files (x86)\adobe\acrotray.exe

MD5 eb1962e33f3403031e9ce53847f4d08b
SHA1 2aae919ab6682c0fafb38989db2e9566bb5c320f
SHA256 076d62ec9797a5d80dc14992b52f83c3ac1749ba18c8671f160b375f3a2f5770
SHA512 523fd25cd5d67d6ce10066587146dc50d358b94c86913cd2655f8927ad4673186a9009e9d921f0f80c9668f0b66550e73bd833a53fbafc665d8fb2ba9cd5cee8

memory/1932-60-0x00000000003C0000-0x00000000003C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:38

Reported

2024-04-04 17:41

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\program files (x86)\microsoft\edge\application\msedge.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray .exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\adobe\acrotray.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
File created \??\c:\program files (x86)\internet explorer\wmpscfgs.exe C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 186.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.161.23.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 182.5.22.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 224.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 185.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 35.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 163.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/2912-0-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 28eec21fdecd132be3395f188499195a
SHA1 06b7cafa58d2afa0be619c2170f81151c2d066e2
SHA256 26add03ea318e94a247079daf523fccaa6c309b535fcb0f049929f6ff2161ca7
SHA512 0b2bfbfb20e6effd6341be3612c587ec656a5386f85681706293e6c409cd854e59e03f40dcc788dc467c6bbeb087279d0bcbb9fca2bfdd0c8742167ca872f04a

memory/3972-8-0x0000019C5F5A0000-0x0000019C5F5B0000-memory.dmp

memory/3972-24-0x0000019C5F6A0000-0x0000019C5F6B0000-memory.dmp

memory/3972-40-0x0000019C67A10000-0x0000019C67A11000-memory.dmp

memory/3972-42-0x0000019C67A40000-0x0000019C67A41000-memory.dmp

memory/3972-43-0x0000019C67A40000-0x0000019C67A41000-memory.dmp

memory/3972-44-0x0000019C67B50000-0x0000019C67B51000-memory.dmp