Analysis Overview
SHA256
c6e430cd2d68e908ad5649becbac4ed64f415baa5ea225838cfd627df0c70401
Threat Level: No (potentially) malicious behavior was detected
For the file 791bf9425ab75b33634711b12821989a_JaffaCakes118, no (potentially) malicious behavior was detected.
Malicious Activity Summary
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 12:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 12:11
Reported
2024-05-27 12:13
Platform
win7-20240419-en
Max time kernel
119s
Max time network
143s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000001c2fbb3979003a786d80b5e443f79eea93e7aec0168e7a9bac63756df5ae6054000000000e80000000020000200000000c10919ba272661c6efb5480dcdee58f0330b09fa9113572a282d3aad0945688200000004278c8a303337730b272437e44c400e78b4ac8a038e7b96e77699fae3eae7fd14000000028d3c5f82f3987680a80d645fdf30411cf7fc531af9b0c27d4834dba88c3797b3b43de261edaa94aca4495312f93c25b97a2adeff37aea8deb183ee77c15a652 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422973752" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10df0e3c2fb0da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not available] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D3D6411-1C22-11EF-BB79-CEAF39A3A1A9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2368 wrote to memory of 2860 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2368 wrote to memory of 2860 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2368 wrote to memory of 2860 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2368 wrote to memory of 2860 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\791bf9425ab75b33634711b12821989a_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | khidr.ae | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 12:11
Reported
2024-05-27 12:13
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
130s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\791bf9425ab75b33634711b12821989a_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85efe46f8,0x7ff85efe4708,0x7ff85efe4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17458632640216816767,5427212919576649072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | khidr.ae | udp |
| FR | 216.58.215.42:445 | fonts.googleapis.com | tcp |
| US | 8.8.8.8:53 | khidr.ae | udp |
| US | 8.8.8.8:53 | 90.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 216.58.215.42:139 | fonts.googleapis.com | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:445 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:445 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:139 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | khidr.ae | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 163.70.151.21:445 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 163.70.151.21:139 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | khidr.ae | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files