Malware Analysis Report

2024-09-09 17:13

Sample ID 240517-3cx4cagf36
Target 5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.bin
SHA256 291e0044801f1ab77fc565541f82fdeabf6edd53b96f980baf135468ebeaa083
Tags
gozi 3151 banker isfb trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

291e0044801f1ab77fc565541f82fdeabf6edd53b96f980baf135468ebeaa083

Threat Level: Known bad

The file 5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.bin was found to be: Known bad.

Malicious Activity Summary

gozi 3151 banker isfb trojan

Gozi

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-17 23:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 23:22

Reported

2024-05-17 23:25

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0446641b1a8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004217d087657b507f3d65ae2bbc164d42b565e583a34e8d13bd19365bd5979a40000000000e80000000020000200000006c9aafa9e6ce68ea5438cd425b053be73fbb62f93bb7f7e607bd7daa82db69aa90000000ce5ced93913e17c29fa8542735e3eabf5e7bcefb9da2bcb63df7bf926c5ec89a3f13dc96f8e6bd8ac31bdddc6f6ba11e7c37e2fd2dc35a5383c9f7f1915ccdf504abf8cc64eb52ab88dc0f92c8e0a8ae899c136b45bc69eaabc9b501404bd350ab828d52d2910782de15d7b9c46126f81ff0af670911c2bff3cbfa99c19472b64f26f58b0ff47ea29f8567dcd662b2f840000000a520c64bce03f54c171208ae9fc7105cee54a187547b54451350108aa46816a0a7b71ae739bb26af3f99bc31a3f56bf34eb5966e109de76958a48e6929cc3e11 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004b7fb37a406c9d7205a4a23fdb97cfa0f615cf74594947577a3485dad78a12ab000000000e80000000020000200000001312e27abd37b4414674c58fdc9a66c9172b17f0d490f5a777fa0f66126d5f27200000002227b90884d6389174911c7c0341de2ea8cdc8cece18acacc562e72a83a2606840000000d31b3b45305e4f4dca65c9987fec1c33df25352d2c15e76d1ba95cbf99f83bc1851e3650b52d9a4199babd8b0cfdd033d496ec113f8d527bee684884585e0b5f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CBCC7B1-14A4-11EF-B8F6-D6B84878A518} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 zardinglog.com udp
US 44.221.84.105:80 zardinglog.com tcp
US 44.221.84.105:80 zardinglog.com tcp

Files

memory/2988-0-0x0000000000D40000-0x0000000000D93000-memory.dmp

memory/2988-1-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2988-2-0x00000000001B0000-0x00000000001CB000-memory.dmp

memory/2988-6-0x0000000000320000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9261.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar92D3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65f179d3a4caf7fea2225f02a82161c7
SHA1 4fbd8d1c087136604761e44162551c376764b509
SHA256 b2d8e8749d9ed95aa8243e6330d4d5f700cae3098234590f6612e316e5f3962b
SHA512 426f54f07a562b47c209cbe5719fa26689a6a8f97c83f69efa93a7ee0d025fae1fbdc21f3135feb54a784f0d628422b84fd968d8d38161f545c4bbd0c4074032

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ec238a6b00328d82f45c37a5bb2571a
SHA1 4bc3db95408e5a688f9e6c949091b81c7347d305
SHA256 f178a49b0d1221f1d2e618e327f3f0db9292abf0b34de8a2168ccc12a8d0c433
SHA512 919cf1734f114588be3266f3ab2636cb8b8c3803f05cc3f8af9118fb3698c22952cc5dc1e5937c4d3162e9115c2ea0ecc92212eed9e3799712864e225ecb7cbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0f3f3707c368c7d4ad42519e9c0dc9b
SHA1 e49b7fcd38f14aeda280b4d2184b1342c9044e24
SHA256 a949fa485aab348d33f1d089244a9301375501ce34949e9c65b79f3cf24dae5b
SHA512 fff7fd33adc931e7d7875414fd21c24e9fff3dc19a645a882736094b1322faa8bf36f9c54b308adff9525a95e6262177480517806cdb890f4fd3b01656e2dd37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74f1217d70acd538ef04109d24cec66a
SHA1 b799779e163acd5f11b0b207633bcf9518b54994
SHA256 fb418cd8f160932e8b3da1d01339007b3534e6165c17f07a385bffffc49d1ad7
SHA512 fc4e4fe52916672ebb24cb8e0d968890804a1bc4e81bba603299855b456f80c96d33172fba16167308c348cacee1539365c370dcd367b493efa758ae7f595354

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 652ff5107bf8d5da464a877ccf71dc7c
SHA1 9f3f74cf8ad14007c922c970343d9d28a8b9b04b
SHA256 f3d0c3e9f40843e4dbf2d7034ba436717dc3b0de9fb85128d3b2475abd62057f
SHA512 067454b96959ef64f386411a3f7fd4de2a0faf6ef17ba5de6ff4ca842d79b925c9efc9bc6ebfdf5f06fd01551a2390b1f53e2d747ea88e56c43ac7f0d16fa576

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc7ae00fca8b442b9a952b1040f3195a
SHA1 ef1089054219b1098ba017a6dcd3ef941e5d69a4
SHA256 bffc212915740a82b19b97b1fc91a7e9888ca24e02514af982087c1c58da15cc
SHA512 8bd7f7680028204769bf10ae6e7aae8e3ccf0f92caa53432b1d6e7ee8c5458445cc78fa18f88998ed0e021243d3da5dd24e808fc05a37a71a2b8273eda0852e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2774108e35204093ef67b3f3debf9b4
SHA1 ccbdff609b687c5c45ccd79d2165e28494aad370
SHA256 4dd6de5c3aa6be36fec7ee2b6a61f72576ff1435571c80dcb08de8b381544df9
SHA512 fb39a6914deb5edde06fba1f270da44d43ff3c9866a4eb95343979e8dac5c582ac06b159d1c899e56e9f80d80c840da718163ab416965790ac46a15147082774

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfe79cbbcdc0b47cfab25ff865c9bd75
SHA1 20aa31adf595d20754092920a0d924eeb6b08151
SHA256 4163f6ca6aaac0d8c368e157e853d4dbc069b8a4ad7103be5f2ec3a6256e142b
SHA512 8d9715daad12bd2a7f7d6ed9dfa72ab2c4929df834224a3e8b04729201eeb8e61e17939a1b180671f68988280995c0d177daa5d280d5905f109833a2eedac293

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1f878291f81e61633833196bdac7d77
SHA1 691f51fdf379af038b074d07f9d5d5b3ab9be137
SHA256 013664a708afd015fe360a83eb33a863047d8acddcd690828e2c6b64e7b4f58f
SHA512 4ab78af35d6b972bf3012865313a1572ca3baa941bec225abbd367cea585b7c1c88a10b3245e72a3c9e4d1819064724aef70a6111173d30e7c20a9be3b9ba321

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 23:22

Reported

2024-05-17 23:25

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe"

Signatures

Gozi

banker trojan gozi

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903dec41b1a8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1097726481" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6CFD46C7-14A4-11EF-A2D1-FE9C19C479B8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1097726481" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90aeee41b1a8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31107249" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31107249" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000e624980c6e282e6832da71ae2f2db339b5369c2e2223ae24637f559a0104fa60000000000e8000000002000020000000f226b0c17780b9d60fd9d5d58dcc2da6302058c221f93f236c1627c4437ecd7320000000b182e5dc2ef057cefc9d0f9bc61399adebd0b95281828d641a02c9fdefaaa02740000000d933ee08951fdfb92839fb15e99b3692b5600811bf657649c51ba676b5bea6393283fe39391e7655f073b0d6376e91c157302424feface0394b1793e3d2201b7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004f8caa1c9f4cba428e26b677a31a634000000000020000000000106600000001000020000000ba58753b1ee71d6246fcd68ca1051135460a8098d5ab7baa4ef00e53cd5b5fe3000000000e80000000020000200000008cc193af23db2ec6fe0b85a64c12c6370907a18736be83811208fd9ac9fe985a20000000f4328646d5475e368e04eda8913179ba8b69f0cca7a601b4a22e820d436c175d4000000043b898e9a16dae5f034920f3537a4a61abdfa8e0acd88c6735600b2e5ea3030c392724ff2a6d32b166408105745ccaca568c2e3bc0886ac8b477630f27ae681f C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5063fe8e4cb6b4e7184b0b52302b9afcJaffaCakes118.exe"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 zardinglog.com udp
US 44.221.84.105:80 zardinglog.com tcp
US 44.221.84.105:80 zardinglog.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1840-0-0x0000000000F40000-0x0000000000F93000-memory.dmp

memory/1840-1-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/1840-2-0x0000000000EE0000-0x0000000000EFB000-memory.dmp