Malware Analysis Report

2024-10-24 17:55

Sample ID 240509-tyqfysed74
Target 2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118
SHA256 62def0e10623e269ef0b5e4e02dad924498747ae3213269ee21d505fd19c44fc
Tags
gozi 3162 banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62def0e10623e269ef0b5e4e02dad924498747ae3213269ee21d505fd19c44fc

Threat Level: Known bad

The file 2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

gozi 3162 banker isfb trojan

Gozi

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 16:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 16:28

Reported

2024-05-09 16:30

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f042ad042ea2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000cccf3b670abf1c154b56d810899fdb9ee03122f8c5b79a4ba83b2d0cd1b3e8f3000000000e8000000002000020000000f78c720e05569231db6b3b64089adb2ac726d801f93098f733dff7989cfeb35c900000006ab9e8985030d9ba22f2e60528246731936e52fc51066f7cd9a6a2ec4434613f6a9b84fceef883fee8291eeef30f4f8f490b7016d2dae4124df919c7601317fdd56e474fdd9ffdc66cdfdfec8a17ae820e7b82fbae0c6d8922ddbde012e718426ea6f121369ef7f26b87cba6c542bbfa05341589795a487db312ddb3bc8b0bcbde7cdd581d4f9f511501e1ee9916b274400000006a4d9047c01fa8a4234308756b02ab4c835d81550259cd64d01f610c488b0238bef9cc6e1f8b332fbb5ac532db443b73ee208789d37ed311cfb96dc736912806 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FDDBF91-0E21-11EF-B1D1-D2EFD46A7D0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000007350096dec7c2d85780ba13e0cf735870bfdb62d067591ada1d7f2a490c0e147000000000e8000000002000020000000351e49ba8b260a0b035b4f790735aa441c77155f11e6128229b2c9815e532a2a200000007b2fb398faedf90a494a00276dfa11abb20c99bcaf97472f10c6030eea5448be400000004e6edf187e4bef05f99ca5efb8792069cbf1a5d650912e0aa09dd368d579c027c4cf121a5c31ba75afb865aad907477d5086548884005b29a91877c8b6f8ca49 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 menehleibe.com udp
US 15.197.212.58:80 menehleibe.com tcp
US 15.197.212.58:80 menehleibe.com tcp
US 15.197.212.58:443 menehleibe.com tcp

Files

memory/2864-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2864-1-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2864-3-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2864-2-0x0000000000435000-0x000000000043A000-memory.dmp

memory/2864-4-0x0000000000270000-0x000000000028B000-memory.dmp

memory/2864-8-0x00000000003C0000-0x00000000003C2000-memory.dmp

memory/2864-13-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar93DB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab93D8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab9497.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar94AB.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f911dc03d71153fa7333cf1084ab9fd
SHA1 37094332e40a7c96b5ea67a7531362854c72306b
SHA256 72e04e882e936a1edce5ac3073cb0e619b124e08acac9929abb2ae3f40c27d28
SHA512 548fe089b5dfd06ff2fc939a3e2802eb5a43cc3e83492c68a40e1fb07329d865db57866fede208b88f279f05bc3d502f3cdf393615804b87012e72624b0f0e9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73a2f2abb28973e7d19c032cc5bf2739
SHA1 80d49bd480da6d70b3febe27d41d574e9cf28840
SHA256 28b427aefb5e0a2805cc29a3721dea1eaec00f0493aea49013a7d17139e6fd06
SHA512 49655be00f39a5830cd76a7c26bd018710f681c694e3e6d2572bf95f6845fe3ffd16981e459f9c04ecdbad3e40481b2e5b435c9f75a56dc3699813f4dc0539b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c5871f39bd142a95b0073a55ea03e33
SHA1 fdc21c61d6830ff30966f99e27186525a84c9966
SHA256 670a60c2dee2e986c80a2ece596ffe4634a2ea3c48788c9693230e03b0ee9176
SHA512 b26df51224e05248616d9875ef8408aacf8a87f02d9dbc394b05fe5961c946aab7a7941b04798843e3d58b1090ef4c9d0395767e89883d7243997f4a27df6dd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb930afd88d204b33451de3274c56b88
SHA1 ac0208aa2349308b85abd84d89d3063842b7fd43
SHA256 74e8108539cc1f2164416d2da7b5b80d05b4253228b92a0b4e91df8360469b4d
SHA512 4d652c5bf07ba085410fef807f920e0d269e233d17e4e3816cf6fe41ec42936987be3e205d93e1e73a1d89fb8dfe581fa9bc4115fccf89ea15f0e1feb59d73be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cc00c75184910d97d6236287def091c
SHA1 fba3dd5736eb289163a77672a56bcc6168518335
SHA256 bd038617e14e615d92bc72d5d4b4adc22e9834deb3aa785d5a8efc2576d28e79
SHA512 a6bf7605999ff009359b3d02cf8b4e4d89f665a287ff26106c62b747381e3412786367a8eb8346640268cdd00c434f27535666bd000cfc71ec9bdb5baa9bfa72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04881079c511e5f1dfc25b88202f16be
SHA1 25bd7eda97db19caa9bc9fcd4f1a30ce9950d739
SHA256 09d47b167a94b3d466f364dbcd773835859f6de318370a9fa4ca1ddf63cc8fe8
SHA512 84701fec392739fe3f671f8e27793699cecd6cf356f0a3f3678826a03adcc2b8654a155ed0487713d7234ac441169780a5f69b36e549add36dd358399b9849bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39cc38bea2e048588b7b786189bc93d1
SHA1 0d887969567a0586cd8232cd53755ae79edab0f5
SHA256 a43438db170747544dea4b4cb85821c511206a3444dc87c658124e54fc4758bb
SHA512 ce5a2e26c0146bbd39a4c0a478d8a2462699f9f613b5e6fde8175714438f0e7f978e5f1ef5fa64b3be6e0a54e83ec3867831f47fe75180ac4e7260f3ddfcd1ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2acfbb80ab737857f94147f8121b00ce
SHA1 01c0f7884797f6c719ff5c08aba98ffa3bf18287
SHA256 2367da6f462fa0b47f2c98ccda6c29616ad2e3b3d1fdc2a651d822003b400745
SHA512 ce95c7b67b25136455653d4436fb032438c2ef0a891287acca1d2ebb846591c438e1e1aa1773e08b5b1d1381cc84dcea537e56b08fc3a65d85b6c06b506139f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d729933769f33afba370c6b75c01c70
SHA1 45f88e177cefccbd29f8ea056799c785d013c744
SHA256 8e752b6f4e961b179dedce946ad3a9f68d75bb567bdfce691d3dba21964b5806
SHA512 0ea56d729455e8cd6353d0b034a4f13f52d8c3786b17265b839dde0deaa1402ed609450199c59df17fa321b3c4e554061a7787e54a12e5d92cbeab93f3bd23bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 16:28

Reported

2024-05-09 16:30

Platform

win10v2004-20240426-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31105582" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "71835107" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31105582" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302bcb042ea2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "71835107" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2FCDE242-0E21-11EF-8FD7-5EF7A92F669A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ffc3042ea2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006dd375db7411044b87316e7a135016a6000000000200000000001066000000010000200000005124aed7ab32814ae70184026effcc0d6221bdae65f8e61ab0fb4345f65f48f3000000000e80000000020000200000003a07ee1c2818ab602fc787e371250297769c9a1bf4125dc1d4d487ac966f5b5220000000987f5c35f6e963056db49919d4325309bed0a16cc5675dadd41b10d9c1ebe2ef4000000047265ec038b7e6bd9d384503113ee97f484911adc9ca5f3175de92704142bc54757d09a73236776aff7332501d27b246bfacbf7a5766bd1ea4c2120d934462e8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006dd375db7411044b87316e7a135016a600000000020000000000106600000001000020000000cbe06ccabf606b3882cc01f498bdca9276665b702535dd8a892ebd6903232e5d000000000e80000000020000200000006a78857fc883a35b03a7968b152ca8050909cf5e30e961874dc7f036f65c819820000000d5a486674b241588f3438824271ef915e3511045ccb0f3d8c8abc7bee8e3783440000000f144aecff2c820009715d91165dcf8f643769c1c95139a14abbfd70276dc1a087166f62216e791362b165bfa5466a5d11c5ad392efa28abbc0d14bfb1d21a789 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ad9ac02ddbd161671b8f49d07d4a029_JaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3084 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 menehleibe.com udp
US 15.197.212.58:80 menehleibe.com tcp
US 15.197.212.58:80 menehleibe.com tcp
US 15.197.212.58:443 menehleibe.com tcp
US 8.8.8.8:53 58.212.197.15.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

memory/2460-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2460-1-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2460-3-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2460-2-0x0000000000435000-0x000000000043A000-memory.dmp

memory/2460-4-0x00000000008F0000-0x000000000090B000-memory.dmp

memory/2460-14-0x0000000000400000-0x000000000040F000-memory.dmp