Malware Analysis Report

2024-09-09 17:13

Sample ID 240506-b5tg3sga37
Target 1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118
SHA256 235b6eb216ba9e617be5ced3220992a3ee716165ca58a3a00f3e1b0174cd20dd
Tags
gozi 3151 banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

235b6eb216ba9e617be5ced3220992a3ee716165ca58a3a00f3e1b0174cd20dd

Threat Level: Known bad

The file 1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi 3151 banker isfb trojan

Gozi

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-06 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 01:44

Reported

2024-05-06 01:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7019ed0b579fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000f2a281efc8a9d9c4a22c971cbceca1c2c46bf1580920e61b413b30693322764f000000000e8000000002000020000000f90b175734e28b652abfbad95162c0a112251edbbacc4a94116a06c8fcf27acf90000000d1a7df809a7f8b89d9f42651db469080a784caa51f503206d0647ca3d802014bc0a6224c441442535f373f291ba28343595418c2b45cee06785451a2e4f642434ff7f5260a0e5cf3e3a9150a2f116348465de0e72bb0335982bf564d458188b7297286e067c2c2d160f8650bb349c08e75a571dcd906c266ae162cbd0bf9de510f12084552ba6f58a64d77ab25029ed1400000004b406b63e5daf3f206fa87d1cdb5e70cecddfb7c9e1943866f026e11ef7e042a0a4b5c4aa3ae8841740ca93860cae15f9d3bd60d164e2a043af38a7d9c71b358 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32430851-0B4A-11EF-BCB4-4AADDC6219DF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000003ce3af5060fc5badcc5ec74996b535bb59658c988b3b89efde95c5997dcb1afd000000000e80000000020000200000007b144de527d4f287b5f1cd0b6578a18aa010e5203e0bb9b250b2e8b9626a960520000000909d8e3bd06e44f5795dc41c8011017001d7709b68ba2dff08beeedc6fbf9d2f400000004932a6d9800b02cf80d48a7348d64a05f1bdf4d809e6d4b7ea73dcc407ba4fae5f2699ddf1ead1a1813c6ad76a20a3cdb25880cd30aa2468fb211fc80f460938 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 zardinglog.com udp
US 8.8.8.8:53 zardinglog.com udp
US 34.174.61.199:80 zardinglog.com tcp
US 34.174.61.199:80 zardinglog.com tcp
US 34.174.61.199:80 zardinglog.com tcp

Files

memory/1936-0-0x0000000000100000-0x0000000000153000-memory.dmp

memory/1936-1-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1936-2-0x00000000001D0000-0x00000000001EB000-memory.dmp

memory/1936-6-0x0000000000200000-0x0000000000202000-memory.dmp

memory/1936-11-0x0000000000100000-0x0000000000153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3795.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3878.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba9c9f0336f0d2a4c26573dcfa09041b
SHA1 8e1b1335e5c68b58eaf580fc5ead7c04d1b65784
SHA256 5672362e8ef46fce6cebfbf48dcd279be9e2c17fe3ea54fec71d8e5d549890df
SHA512 3d4f6e7a77c8b6d104f1b0c7fe56528890f887076953d8edbb23567acdb237ff69e5bf895f45fbf45ef3f58f7300020525b8ed9d34ad55828069118cbd2b3e2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 425d0e450dfbb645bd6ce9b087b4f8a3
SHA1 956b3ca5b47ed782f2e588401ef71b618671b0d0
SHA256 8ac24da075c487dfcafb22888f21a6d655bb8059e840515af18b3f9afe5c3fb6
SHA512 f07839edf0c13f823f0a9dd03569fa17273bd6728eadd0a43c9e04044f2c25c785a1375b724ae8a5142d9ee8eb9bf25b53e9eb49084ec0feec6a0353ad0668c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0679b06a13486a7e4e5ad305b37479b
SHA1 611f0557874443d3f89e6e07ae547102d24c7835
SHA256 d784dd4038e4191703e15c46afb0b86edcfd9226c34bbb6670f02188b047b77b
SHA512 d530a61e974e39d1393180f6a851559c8e30f801ad73fae2fbfcb4ef79ff039613d96991b12f7f388d09ebde181f153591318a16458119c5a0138b79ba17624b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c0aba4f55fa83269a0d6117a0fcac01
SHA1 a9f2fe5c50b95c3c7022bd130ef7d29faf6897c4
SHA256 6364b400445edf62e85cf24c436b773de8e355468fe6efeaabf7251222f6b20c
SHA512 a63e90933483e2e80d3b7155bca9caa6cb948f23a524ebb65f391043edee22f5f1a8e679d6f61c24efc300397211e9cac3a7ed52ce9497daafd32c031279f47d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 200d55a034c76ae224069d0c5a2cb43e
SHA1 57843072a21ec096ba6702f22dc9cb4f5476f237
SHA256 4b74a02d02ee466825d9ffbe1e2501f481c26a6cc84aa714e606c8518c861613
SHA512 96964c409e1bb77ab008fba7155404c960c5f995f97d53e91c0c14b8f632a299f03ef75738c9dce9e7b3e0f7178a98cad5f9514ba977de65986e9535d816a6c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b5b59a315ed3284a7bbf5a28fed47cd
SHA1 92a766eda8ee2ba365b1e1d746963248216374bf
SHA256 5efd177ee5ee213f902f7ad3412c8bb55a9165efe40c88f86d6eaecd94410310
SHA512 41cb8bb3c51c8109036dfe0cd4dceb169c7d464253435a9c1b08429eb413d8fb3e883077f888f88026a929e7b55f795c7079c721e979b35f2e6a012c3e405c95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13a68f7a781c24380a2a91037435903f
SHA1 1064989d199bc1ddc71540ceb62cf26a1f5c6484
SHA256 1c3cfd1626e9828a0a7ca359658b2008b2888c7e19535a69efb965090d857da7
SHA512 47cec6d603cc90a3ab8f773f3d7826d4c6f1bdfd465714dd6628234edd3024afcc77622c58a7dd715b9f7565f4f26dd649a7441d82faf38aba1e06de06a8c045

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8779829e11bc02360ba56df62f23c513
SHA1 307372eada91978eceba61dbc2692ae805bb8af5
SHA256 d4e2142c7b7c315e8622e23fe09ab9beaae873a7b24eb43c2e208a79e60c07f6
SHA512 50d9dcb7196c7e75d5c96055e945d75d7e5023a6af769b47b58c2606df9578e50607d78c05fd0641a6e91e6aa7e33b8b584c7a60b7c9e596cfde1a383f08ef79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 242837c04c7749c412b3de9533e37524
SHA1 64ba091809697cfd9b3db29d37aa30edc34ec40a
SHA256 3bba104540fa17f1f0a2267b3973607d7f12e43e906bd8fdcfb29329bf8bc329
SHA512 21c61b5c46a9d037ac988e05b041798d86ce7626c7ab832df505d7f0fb86fc1020b37f70fc7a2ac089a3c9fb00a59d990dc531611f7740457de29b4e69e26c91

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 01:44

Reported

2024-05-06 01:46

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd95170200000000020000000000106600000001000020000000d7d5477463dd2c348e537960865f9bc7f96f893db0d35aa2905fe6df069c95bb000000000e8000000002000020000000a3dbb75e2d018a724ebcdb9124301da30b72d95685b8c0ee7fe8627fe902ee3520000000a248bfcd5cbd0055d1fc0f556f1ee31453d802f20308f4b4900e883c8ba24a0d40000000d5aa66afcf22ac75202f1a76fe6466660c25cf1c0b53a21dec11b14b3dbc8c81564adc2f286ffa8c622c0e6e45e8025ccc24bbb01c8d2010446349c38f3e3803 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "452010796" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31104855" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "452010796" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e15d6e14f38454ea63b5f1bfd951702000000000200000000001066000000010000200000004de94bbec6ca8cd9756192469ac030cc79e6ca06d350b426f192408f161da823000000000e80000000020000200000001767296324fa9e750d642d07ff3343adb02ec77512efc1fabceca5101a4d5eab20000000fcdc7fc2e4dd5aa63c4276e0285028aad2e91e48129af1e58aaeb3e63a2f2d9f400000001544797fd72fb3a5182a2b4d8a58cda9a04c6c2b1b35e908ed6cb81d897c24e1fc0a04248b8da8facb7dc702f5b08764565f5401d4a4aec388dd63be18a4307d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{45632140-0B4A-11EF-B9F7-E27D0092C90A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30814f2c579fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31104855" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7042352c579fda01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1a2d7345b070dba6f9a428a8f4c5cba5_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3552 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 zardinglog.com udp
US 34.174.61.199:80 zardinglog.com tcp
US 34.174.61.199:80 zardinglog.com tcp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp

Files

memory/2992-0-0x00000000003A0000-0x00000000003F3000-memory.dmp

memory/2992-1-0x0000000001270000-0x0000000001271000-memory.dmp

memory/2992-2-0x0000000002F20000-0x0000000002F3B000-memory.dmp