Malware Analysis Report

2024-10-23 17:25

Sample ID 240510-vtvqjsbf28
Target 302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118
SHA256 1d433a9db414ebca5d90ee55218abd0a8c8702462faf0a5831cfe5edc6e247db
Tags
socgholish downloader
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1d433a9db414ebca5d90ee55218abd0a8c8702462faf0a5831cfe5edc6e247db

Threat Level: Known bad

The file 302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

socgholish downloader

SocGholish

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 17:17

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 17:17

Reported

2024-05-10 17:20

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3964 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5064 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4840 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5392 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5096 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5788 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5944 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6296 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6344 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4892 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4672 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
NL 2.18.121.23:443 bzib.nelreports.net tcp
NL 2.18.121.23:443 bzib.nelreports.net tcp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.potter.web.id udp
US 8.8.8.8:53 www.potter.web.id udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 g.imagehost.org udp
US 8.8.8.8:53 g.imagehost.org udp
US 8.8.8.8:53 2.bp.blogspot.com udp
US 8.8.8.8:53 2.bp.blogspot.com udp
GB 142.250.187.225:80 2.bp.blogspot.com tcp
GB 142.250.200.9:443 www.blogger.com tcp
GB 216.58.201.110:443 apis.google.com tcp
NL 172.233.44.120:80 g.imagehost.org tcp
SG 172.105.122.89:80 www.potter.web.id tcp
SG 172.105.122.89:80 www.potter.web.id tcp
US 8.8.8.8:53 23.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 9.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 120.44.233.172.in-addr.arpa udp
US 8.8.8.8:53 kumpulblogger.com udp
US 8.8.8.8:53 kumpulblogger.com udp
US 69.195.73.201:80 kumpulblogger.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 connect.facebook.net udp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 142.250.200.9:443 www.blogger.com udp
US 8.8.8.8:53 89.122.105.172.in-addr.arpa udp
US 8.8.8.8:53 201.73.195.69.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 tweetmeme.com udp
US 8.8.8.8:53 tweetmeme.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.linkwithin.com udp
US 8.8.8.8:53 www.linkwithin.com udp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 static.ak.fbcdn.net udp
US 8.8.8.8:53 static.ak.fbcdn.net udp
GB 216.58.201.110:443 apis.google.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 www.blogblog.com udp
US 8.8.8.8:53 www.blogblog.com udp
SG 118.139.179.30:80 www.linkwithin.com tcp
SG 118.139.179.30:80 www.linkwithin.com tcp
GB 142.250.179.226:445 pagead2.googlesyndication.com tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
GB 142.250.200.9:443 www.blogblog.com tcp
GB 142.250.200.9:80 www.blogblog.com tcp
GB 142.250.200.9:80 www.blogblog.com tcp
US 8.8.8.8:53 static.ak.fbcdn.net udp
US 8.8.8.8:53 tweetmeme.com udp
GB 163.70.151.21:443 connect.facebook.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 static.ak.fbcdn.net udp
US 8.8.8.8:53 static.ak.fbcdn.net udp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 www.blogger.com udp
SG 118.139.179.30:80 www.linkwithin.com tcp
GB 142.250.200.9:443 www.blogger.com tcp
GB 142.250.200.9:443 www.blogger.com tcp
US 8.8.8.8:53 30.179.139.118.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.200.9:443 resources.blogblog.com tcp
GB 142.250.200.9:443 resources.blogblog.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 142.250.179.226:139 pagead2.googlesyndication.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
GB 157.240.221.35:443 www.facebook.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 216.58.201.110:443 apis.google.com udp
US 8.8.8.8:53 apis.google.com udp
SG 118.139.179.30:80 www.linkwithin.com tcp
GB 157.240.221.35:443 www.facebook.com udp
GB 216.58.201.110:443 apis.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
IE 209.85.203.84:443 accounts.google.com tcp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 developers.google.com udp
GB 216.58.212.238:80 developers.google.com tcp
SG 118.139.179.30:80 www.linkwithin.com tcp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 developers.google.com udp
GB 216.58.212.238:443 developers.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.212.238:443 developers.google.com tcp
GB 142.250.179.227:443 ssl.gstatic.com tcp
US 8.8.8.8:53 84.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 tercopy.blogspot.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
GB 216.58.201.97:80 tercopy.blogspot.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 developers.google.com udp
GB 216.58.212.238:443 developers.google.com udp
US 8.8.8.8:53 developers.google.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
BE 88.221.83.219:443 www.bing.com tcp
US 8.8.8.8:53 219.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
IE 209.85.203.84:443 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 17:17

Reported

2024-05-10 17:19

Platform

win7-20240419-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118.html

Signatures

SocGholish

downloader socgholish

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not reproduced] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421523309" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000bedf433b231f7aa3b83713dc89061b79f17e66b95a579f081267e8d4e6085aff000000000e800000000200002000000087516700c577041278da2d9675ccd5f972149497cdb2c4aeb71c64f6ceab8066200000002ce5ac95ca353928d3c2e364cca9361c7e6718b27fb47bc0c9325eea808991b140000000fe4248f771e46aceb670f1cbc6b5fc37b271140bbe0db96c8dc23d400a4f4286e244a7938242819fc4b9661a8f155ff78d569f91df78f29cf1490179fa62a7d5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fd3202fea2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29D28B51-0EF1-11EF-9A67-52FD63057C4C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\302f26f73d615a152efa2788ba1b8d9b_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.blogger.com udp
GB 142.250.200.9:443 www.blogger.com tcp
GB 142.250.200.9:443 www.blogger.com tcp
US 8.8.8.8:53 www.potter.web.id udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 g.imagehost.org udp
US 8.8.8.8:53 resources.blogblog.com udp
US 8.8.8.8:53 2.bp.blogspot.com udp
GB 142.250.187.225:80 2.bp.blogspot.com tcp
GB 142.250.187.225:80 2.bp.blogspot.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 216.58.201.110:443 apis.google.com tcp
NL 172.233.44.120:80 g.imagehost.org tcp
NL 172.233.44.120:80 g.imagehost.org tcp
GB 142.250.200.9:443 resources.blogblog.com tcp
GB 142.250.200.9:443 resources.blogblog.com tcp
SG 172.105.122.89:80 www.potter.web.id tcp
SG 172.105.122.89:80 www.potter.web.id tcp
US 8.8.8.8:53 kumpulblogger.com udp
US 8.8.8.8:53 static.ak.fbcdn.net udp
GB 216.58.201.110:80 apis.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 tweetmeme.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 www.linkwithin.com udp
US 69.195.73.201:80 kumpulblogger.com tcp
US 69.195.73.201:80 kumpulblogger.com tcp
GB 163.70.151.21:80 connect.facebook.net tcp
GB 163.70.151.21:80 connect.facebook.net tcp
SG 118.139.179.30:80 www.linkwithin.com tcp
SG 118.139.179.30:80 www.linkwithin.com tcp
US 8.8.8.8:53 www.blogblog.com udp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 142.250.200.9:80 www.blogblog.com tcp
GB 142.250.200.9:80 www.blogblog.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.221.35:80 www.facebook.com tcp
GB 157.240.221.35:80 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:80 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
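
Both network tables (behavioral2 in Edge, behavioral1 in Internet Explorer) mix three kinds of rows: resolver traffic to 8.8.8.8 (including the sandbox's own PTR lookups), telemetry and SmartScreen connections the Windows image makes regardless of the sample, and the hosts the HTML page itself pulls in (Blogger, blogspot, imagehost, linkwithin, kumpulblogger, potter.web.id, social widgets). The script below is an added example, not part of the report, that parses rows in this table's format and produces a de-duplicated contact list per domain, the names that were resolved but never connected to, and any connection on a non-web port (the two rows to 142.250.179.226 on 445 and 139 above are exactly the kind of entry worth a second look). The sample rows are a subset copied from the tables; the allow-list of platform-noise hostnames is an assumption made here and should be tuned to the sandbox image in use.

```python
import ipaddress
import re
from collections import defaultdict

# Representative rows copied from the behavioral2/behavioral1 network tables in this
# report (a subset, embedded here so the script runs offline).
SAMPLE_ROWS = """\
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 www.potter.web.id udp
SG 172.105.122.89:80 www.potter.web.id tcp
SG 172.105.122.89:80 www.potter.web.id tcp
NL 172.233.44.120:80 g.imagehost.org tcp
US 69.195.73.201:80 kumpulblogger.com tcp
SG 118.139.179.30:80 www.linkwithin.com tcp
GB 142.250.179.226:445 pagead2.googlesyndication.com tcp
GB 142.250.179.226:139 pagead2.googlesyndication.com tcp
GB 216.58.201.97:80 tercopy.blogspot.com tcp
GB 142.250.200.9:443 www.blogger.com udp
N/A 224.0.0.251:5353 udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 tweetmeme.com udp
"""

# "Country Destination Domain Proto"; the domain column is empty for the mDNS row.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# ASSUMPTION: hostnames the sandbox OS and browser contact on their own
# (telemetry, SmartScreen, NEL reporting, Edge static assets). Tune per image.
NOISE_SUFFIXES = (
    ".microsoft.com", ".bing.com", ".azureedge.net", ".nelreports.net",
    ".s-microsoft.com", ".msedge.net",
)
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Parse table rows into dicts; raise on anything that does not fit the grammar."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_platform_noise(domain):
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def triage(text):
    """Split the table into page-driven contacts, resolve-only names, anomalies and noise."""
    resolved, contacted, anomalies = set(), defaultdict(set), []
    noise = 0
    for r in parse_rows(text):
        ip, port, dom = ipaddress.ip_address(r["ip"]), r["port"], r["domain"]
        if ip.is_multicast or ip.is_private:          # mDNS and link-local chatter
            noise += 1
            continue
        if port == 53 and r["proto"] == "udp":         # resolver traffic
            if dom and not dom.endswith(".in-addr.arpa") and not is_platform_noise(dom):
                resolved.add(dom)                      # a name the page asked for
            else:
                noise += 1                             # PTR lookups / platform names
            continue
        if is_platform_noise(dom):
            noise += 1
            continue
        key = dom or r["ip"]
        contacted[key].add(f"{r['ip']}:{port}/{r['proto']}")
        if port not in WEB_PORTS:                      # 445/139 to a web host: look closer
            anomalies.append(f"{key} {r['ip']}:{port}/{r['proto']} non-web port")
    return {
        "contacts": {d: sorted(v) for d, v in sorted(contacted.items())},
        "resolved_only": sorted(resolved - set(contacted)),
        "anomalies": anomalies,
        "noise_rows": noise,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for domain, endpoints in result["contacts"].items():
        print(f"{domain:35} {', '.join(endpoints)}")
    print("resolved but never contacted:", result["resolved_only"])
    print("anomalies:", *result["anomalies"], sep="\n  ")
    print("platform/resolver noise rows:", result["noise_rows"])
```

On the sample rows this yields seven page-driven domains, one resolve-only name (tweetmeme.com, which in the full tables is queried several times but never connected to) and two non-web-port anomalies. The "resolved but never contacted" list is the one to watch in general: a downloader whose second-stage host is sinkholed or dead shows up there and nowhere else.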

Files

C:\Users\Admin\AppData\Local\Temp\Cab19AA.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1A49.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\plusone[1].js

MD5 fb86282646c76d835cd2e6c49b8625f7
SHA1 d1b33142b0ce10c3e883e4799dcb0a2f9ddaa3d0
SHA256 638374c6c6251af66fe3f5018eb3ff62b47df830a0137afb51e36ac3279d8109
SHA512 07dff3229f08df2d213f24f62a4610f2736b3d1092599b8fc27602330aafbb5bd1cd9039ffee7f76958f4b75796bb75dd7cd483eaa278c9902e712c256a9b7b9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\all[1].js

MD5 b8ab3e77149375288faa9bc5d5562dff
SHA1 dca3bc747b2e27cd4ad22c7f4f2e3c24f56e6221
SHA256 99c413ea4717c36d5c091044a0a074f18cb6f3436b03fca0bf485cb4689144a9
SHA512 5f26befc2df45434fb28646ac740eae8114a119717b72b48792190d27f6b8ca8f62f9601f8220ae6fe1d892f42af1b6ffe1fc23f35af3aa0442e59d76d7a71fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61c515b0e561946ac55482c5a3fb82c2
SHA1 f7c0e4f8695e97f78bcca5fac4e5bf85a94fca81
SHA256 fea29766498fad36b387df34ebc5232a17c59e3269e4c0e3aad5db366cfe0753
SHA512 c8f05de4385f922ee3b0ce9b96fbe43d818636285d8f74ab3137185a1d3987db982fe24e45971b79385b0369b55a5ca65e4775434e33fe3c1f2f9068de017f0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac2345956209d32545ec52210494ed09
SHA1 d1c90c6408dad43cd12692486eb8d00859328d49
SHA256 6bfa9ad7704f71b627496da0c7e37c5aeca53277a20501cc139eadb5e45932ba
SHA512 5314fe0beb041281b104bcace3100e2aefa29b05c32c1e20b0cba0d6b7328cce6317d1b97fe3b64fd1c5d1138b4bea81fc67e3a8358f2a983aba62358509e674

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2eb8d5c03f2f763972e07dfe24909a6d
SHA1 fa0a917428daee03b9c494fc42c64e1a85af7e28
SHA256 a40ae6a623a093a902b111d656f9a956defdfcfc96ba2a3463e18d0fb5209643
SHA512 c7d32cf87a5a9c51a004329f0f5fb6082ff9abd4cb6519a01690d08907f01b932e18734df744f04a21a16eccac98c5f45ec3f93196a0b92bda8aa94d5b5fd089

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 527556366674d8f5101654969675fabd
SHA1 095f162e4803ea748804d467fd5add6a858b3978
SHA256 52c183d20ae88b20f4bd753292657cba5511894eb321ae935716acb7cc5735b1
SHA512 50c729b1e40aca1cbb2853428016b7930609ad70cccce6a7672a6c66bea28782ccf7bda47ac70ccb99ad678ce229e476ec83ac584e1440665284f31cb69f5147

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc6efcd0371205f614660d7e14334c60
SHA1 5aa489fa32c302a86eb70c3fef5b648f41f99329
SHA256 dd99868367e684edcc3a397acc8613950247f3fd85ea6822896dd30fe4cb847a
SHA512 b64d6f5d9310106752e3e0a4b5f73d480d9a47789a8fa2b13327d26aadaa917a187937f2e8deb58212d4f6ab689c7c13c3c6097efd755b6b9778831740c9c85c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b06877b897bc5e2104f6630b7c93070a
SHA1 90ada77722607c4602ee30d0d878e3da6e5aae69
SHA256 ffcdb718d3015deda8ab80e372d1fc08526987a9fe3eec169dc50cb08c255de7
SHA512 9a104d6ad9d8528802eae142f1ff03da8f29b6c181e6e5d9d030d956545c10744625945121d393682cf3fc5bb6a4e31a80e8ae5b6f80d7621b36e8ba57812d8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e65b89f9a420a8fc558d28ad88f0254f
SHA1 a97650a9d1e7eeeadfc08875ea5d4c575bd887e2
SHA256 a52449cf021561415fd98e923a09773ed6e2e55eefad064d424a48b52b9d72e6
SHA512 0e9fd14b85e0eb4c739cd9ea87fcff98acd42807a78313323267fa51e4e4d61937739d131d24be3e7d7e945101e5e34273710781c23568494d8e6493695fe801

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32eff306b77cfaf86cfe091d41b83b33
SHA1 e5be7fdf1c2128431cffa75279d9c10a7652e4d3
SHA256 e7bdc838964797b7a12383a192219dfbb055fd058db660633650effaaa1b9aa5
SHA512 1b672d8fc37132e0363df67328975615fe5cc7c1c7b54f1936cf6daa3fa63a6dce53a6d801f09854fbb01b5440002d1c31ac2be488a423f5a30b2864eac74380

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a2d675ebc3774736da307f9f0241d4b
SHA1 6555fc63db65f01a9db78c2043a32f9d9677a001
SHA256 f88b617c11fbfa3261692683fd96b941493de7a1826503304c4a6ddec9baa444
SHA512 9731fd5ea719d0f665826fef9f2aada7d99703839cbf14c0bc9017c7463f7b99f86321889aefe3d07e7c0ae107c5d0cc170b4edb2a9ec614574425bdef1cb7ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63a06f9ef092cfe1c66acffad0fd4f70
SHA1 037c85ac2cb7e4e0a0b71679131ac665770041c1
SHA256 3561ceff34f640bf8a61576d7dbb6f785a4c0efc4eeb830bdbcbf09936b212e1
SHA512 5de79f8b12669e22b1775d6156de6cd5124c8bc01b7b81c64819ed58d3707dc855345b0113d595bd1da286704077389bc1c9e123315d68f607f41780302d6649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f86965f64dfbd32e3142f59dd11c452
SHA1 5c16c29ed448282a884f7478af33fa6e09685eab
SHA256 6347ff409ac2b3d9976b2132c29a1f504720cd3a3c3bbf664c0cfb6ef9668a28
SHA512 18602b5615317a5df4f668bdf3c9a73c7fd710bdfd5fc82fd3d3c350ad63b52a4ff82d3f1e713d156e3b9c768c457e1b02aff6de7e53ece359659c4f8df7da4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 648fee867e0133d7910e08e99ed44a88
SHA1 35d8b32e70dd0fc2cd63b51b2dd4c2256c86ac68
SHA256 8fd7837b10fb46d28de70cf052fc099cca63eb242ea2f9f9a8c5dff351107fdc
SHA512 65a8db68bac99368f29d6cad8251d5ef069a968e7238f2b622008c5f724541506db4b6f0979ba7a5e577c15056bd00d2a8c8ce8c55a7e6dd35e6d2deedd9456c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73f89b52bb8f4ac5c90d45c7441f792f
SHA1 1a2a7809c8abd53189c7610790df6ebc4a4706ec
SHA256 57f47e752e71f8ba4af53604071145c961672ccde93423ffc4ea1e01aef5305f
SHA512 7604e69e9c823f4eabd0bdf67bc01af5b5ad982277ee8e1c1c3e1ac7ad80615bd19de49f610ebc862903dab8e3da92704196cdde7ce21b3fd2715fc8294884a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4876f8d98b3d42da8fc2f9b912f793d
SHA1 e7061148385b43a8a18c5cc4e604bb789a172257
SHA256 ee33174f8ef2847b7ee7aa52087695ac6ba0322f3f3835add463642ea86c4e0a
SHA512 6f8479b7f9e80684b39eb60b87a9bb2165f118538ea607b80728406cdf97fca2bd1e2ff6fe1e31f2c761af0549efd0b3d32f0f6e4149ffa6712b2362d56e4ee9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d3d751fe7c2d4e7b40890f69cb5f79c
SHA1 de2ee477bbd7bd21cbdf8ae55e496a5830c8916e
SHA256 65f13c5aff5c31bc4c661597c477e5735e5de9b7e19b36c67af2d9d8cbcadb05
SHA512 477ae9dc20f5af81791d38a2e8ba7328fbd8d8c1f888637596d3886489d250edb125e77e1df7ef7de75e1a788d90e37ef7a7e9e2ea2725c73e47be8a75c330c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36b380a87a37fbf494872b55dbfa2de3
SHA1 ff0558354b211ab384a3a44e8bcc439f36e354af
SHA256 821d960b30c3624c52048af0b710b9d4a8ebd424b93e4409dc555713c9f42aeb
SHA512 dcf1d5fe953b9a90874a2bea2af4be4d5f68c78d4fbe59596d8a3ff71e10463916b21ea9dfc69cbc05009af9af454c1cbb74e3915fdbe0d59ac9147716f3369c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a134006e1bb35d3765c5dbaa37d05cd1
SHA1 92341b75774c11489afbca33c728e65facaebce2
SHA256 fd3a70b96264bacd7ff57c61b7e55c9d452bb18396dd17019e19613aaf6d3cbd
SHA512 62d44e5df18380dbd748205a4808fd2657fc1d447786615d07744011fdcd4c7c3765ffded05888a04b45335b8d1ac620279b48dc37609ab91229dbd9503d9583

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c530943aa150c5dc033a64ce39db71e9
SHA1 9244961f5f37f45c91d9d43db2071ca6a930024f
SHA256 1b918d555d7db12bc84237c4eb7901ffb5b0e06be5855cc9b2811be1dbe3a653
SHA512 0d4a460333380bad28336ec6b9bb37e7715fe5231f61c3026cc50bbb67bcdef7b419632396bc45a5a653061f3ee251ec02e6dd7b1f59b4585bc36f4f69d80432