Analysis Overview
SHA256
304f7501552d0a933254977577bcbd70f7fd0011093e2007e31ecf5e9d6047ca
Threat Level: Shows suspicious behavior
The file 8789e75833411f2d8f6e9628073ed6a9_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 15:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 15:50
Reported
2024-05-31 15:53
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Enumerates connected drives
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e02f527ef9f0024697b32b56ae114b7e0000000002000000000010660000000100002000000050374fc8abcc5c49969cc185483e96d1a142079541739966b6b3ffbaa007f380000000000e800000000200002000000074d59b20c79ed832abb98280839157dd384022a58cd68898cc6c71ddf96f4f72200000003673515f141af6d67c6e93ea96d0a2673f81e64a5a16987711679b51847f6cc640000000f99353a8ee3ef98e89e6955d1f67598c0a1bb9e39178a724b1981ae03078a8d1f45de8d334b77b671b806047d20e97bbcdfd719c42e6c9498dd1e4e739d9da2d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{815286D1-1F65-11EF-8E23-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not reproduced in this copy of the report] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423332497" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5037e69472b3da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2876 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2876 wrote to memory of 2800 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8789e75833411f2d8f6e9628073ed6a9_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | v2.uyan.cc | udp |
| US | 8.8.8.8:53 | bdimg.share.baidu.com | udp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CN | 112.34.113.148:80 | bdimg.share.baidu.com | tcp |
| CN | 112.34.113.148:80 | bdimg.share.baidu.com | tcp |
| CN | 163.177.17.97:80 | bdimg.share.baidu.com | tcp |
| CN | 163.177.17.97:80 | bdimg.share.baidu.com | tcp |
| CN | 180.101.212.103:80 | bdimg.share.baidu.com | tcp |
| CN | 180.101.212.103:80 | bdimg.share.baidu.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 182.61.201.93:80 | bdimg.share.baidu.com | tcp |
| CN | 182.61.201.93:80 | bdimg.share.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1B1F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab1C0D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1C21.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58f7ad2c9a2bbae11cb4971fc1c01d6f |
| SHA1 | f397febe1dc0ae7ade6436947e5dcf5bbfd35b78 |
| SHA256 | 9212941e6a524c0469a3ab922cafc42e60d3ecbccef9a5477be3ddaee0c39d71 |
| SHA512 | 7675a1fd9587558648ac97b9098ccb3f1187f69a71b731f4e7b97dc68cfc943f312dcbd6c6241adc50c2cea409cbdd5aacd8e7f4513df2499f54f44624b6ca61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f65b7072d17e31bcf005c885c5da9096 |
| SHA1 | 447fc32179847d8136b29217b4805ea558b0ac9e |
| SHA256 | 404b333b29c169af4ca632936602e5acf97b78f6d7b16f454ae108d6e2896073 |
| SHA512 | 34766459a187562764787040ad2bbec42ce3f635dbf7be501f0a284744b13beb4d086fe39a6001bd306c31c0e8adaa46c0a8558560fb4a3b084cf4e83ad0a8ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9986c5d2afb0ce5c69f4665191a745d3 |
| SHA1 | 21c3d128bda8aa7a8c30c5058ba413194b1cf04e |
| SHA256 | ee384bc48df2dc42d76e830ee6439dd6d8a8e8aa025019e6b7c662d9cb4c52e5 |
| SHA512 | 09b9002f91dc0a6929184083a5824a7aef06be74dd5e76ef8c6b0992e94cc742dfd1d0eae44f9a9236714fb6f30ae55809b418ca4fa96643b5f52e5f7334a949 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7de17870a6d46867bc0a0c8a6c1e4d32 |
| SHA1 | 67d0522f75c1f2bc82d631f0dadf9644375613b6 |
| SHA256 | 929ad2960716c366fb7d2fd7e7897b9353439962a8213d80070847be4e595ef8 |
| SHA512 | ddb197437507fa40e508bb00de44c13cce8ed66047588421a04076d8067f0425280facd44cf1b0af35b722a026db7e7e001b6553e4043870e041510dd47e0ec2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ed0aee5fddb3d20c373d3c75ddef2c5 |
| SHA1 | 96e55eb82f932209243946ca933a9ac508a1d8a4 |
| SHA256 | 188c4ce24028e78e2012d77f6d810ddf2bf3ec13ef6bf1770e85fcc230a8e14c |
| SHA512 | ed13c02c907cc3d756a59ea1f1ce46d3dd1d62f97a1cd7131bb4db7c6e1631e05904b42e6ce0d8ad508dd4c2e7abe7bf1102837c5271542aa96d49df1368147b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de0ecc9271fd58750598bf05ba55f5f5 |
| SHA1 | cdae56e63f7de7a2ae8aaabc5bf3224abb5dc6d5 |
| SHA256 | 8fcf978d95caa4e38f0ab68e4bde3ad6c536447c28eccc2aef24770732318d9f |
| SHA512 | eab72a28195f189290864f9e30042c0bd4362481792d1345fccea6a85da42279fcace148c0431a0f308f6a4dea8790d74508d5f62182a974476634e28cc6f220 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8999440cbf9ef8f151fb68556a5dbe88 |
| SHA1 | 139b86b6e768c937e479a7cf94fc4a19c19bde84 |
| SHA256 | d3710a906624cf9799e50b567ba37791c600f8279463c3bfbae931788f809472 |
| SHA512 | 95de2f8b8a5bf57a586fc8ea0d1ef33067ad6694f2c523158db92a5503c281e60a875d366423e5e8927cdc0182eb0b9665070a0115ad1385035afc4dcd7da6b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39ceceee9d0b3e0ca6357ace94333bf7 |
| SHA1 | 036deed467e7b078a27efdd1f60af63ef3b426ba |
| SHA256 | 51a7819b251247d6690e1335bd640a75f104126c7a50aa56645a4cdc3b5480c2 |
| SHA512 | 74545c5bfc85e0d6e064ec345ec329f2a6a3aecd177abae59fd59998b0c9125a2e875844f00e1732af6b605039897a348baf8ace1896dc4bcaa138714fa59ecd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b19f9085313529b5938d48ab3edde5e |
| SHA1 | adebd3456483666cb09381b09e3ed04f7369ef43 |
| SHA256 | f046e503055a36c6c633f09ec1f6348cae2f6414831e6f2fb96f51f0efacf46a |
| SHA512 | bf1ae46209d9890b646acd78cb8b3292ad21cc912b1f6621680d9172dc9b4c447fba31c99cfad38a731099cd05ac6541dcdc92eac103a26e1a2a39b73bd968e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7ca3db19969e79df6f767c43e283f7c |
| SHA1 | e84885d39f18c1c50f9d060a2f889e1dbff9b4db |
| SHA256 | 710b7eb7abdb57391fbeb47056298d90928d344cafc2595b475a9d9f740ebae3 |
| SHA512 | 5259a2b03e06389b72f4513d7277dda9657c2ac72937727301600dc8579aa98c6d31ca45cb80393844a61a4d8c2c5ff848dff2c0ac1f0f553b29a265867ade4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f67aea0289152fc42cb43164774b3ef |
| SHA1 | 8c0fb36ef6a4130e39d3b74c48ab8820541f6a27 |
| SHA256 | 5edf9929e34452e8c2864045230b68122f45da9c4674886ec2a152dbf4512189 |
| SHA512 | 0f931fdddc0f51b54488e3a49af713e60ce5a521a32068e85c274e5cbd7f0540ee6201403dcd5900bf2644417ec36ee46071f051df6eaa86cba7d3c0aa32efa6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 204502d85cedf6277970c223af2399bd |
| SHA1 | 71ad45f0ae803606aa5f225971aa4465b778c0a9 |
| SHA256 | 393c70e4b035681bddaa8e0a0962a126dec7532cc0c23515763493a936abe748 |
| SHA512 | 68380bebc7f925d694a3ace80f4c9c8e8757c5ccf5b4d5aec68da0605280947d842824e882d4dd7b1887e64cb9834f393b23aa57805f39109246cf46e6ad9eeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49ca6193eaf4b437592eab41f0064a2e |
| SHA1 | 8079761c012a82b02578d13ecdd9e6a344327c9f |
| SHA256 | b533d4fa1a42aec4df3100ebe07221453792c02af441f9f016dfa09ffa891939 |
| SHA512 | a832f6262021e4d847b11dc879be69d1ab0f9644054a7165fb835b2ef6299440e36b19ffaa654dd7368e2debd35c09a3d5804f7b3bf8bc6c1f9e2e4bf45b763e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cdff93665f5c621ec6cb65f1108d36de |
| SHA1 | 4e28d79cee1439ab70c8193e2ecc221483b9eefd |
| SHA256 | 60c259773567ee749c9015da3972ed7491ccad6960a4295ac2acc8cda8c1a12e |
| SHA512 | 6d1a7783fb3b65b5492ea517f8e3034456aadacbeb891746adbdeca00dbc34fe5646b66c4b7d848be2fb3bc3f86af7d605dd7b9a229d4c94ab2779e162b67d33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cab05657ad536f5912eea3aec461fdca |
| SHA1 | bf378eb58be8b1397895fc280bfd870b3a8295ce |
| SHA256 | 490493e61c0c3f05a7eb8ac99d380f73ed6dd49affbfc6a9281ca781d2754acc |
| SHA512 | 028b5ca36ae6d3a1f53d18a1ebeb840cf55ace945ce9e18d4ca8ecfe7bbdcb43279ca14d69bf1c5b3a8443ac674f922781912447e7b7dbf055b6f8c3d76c8bda |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c3130f43a436ed4b018872bb18708bf4 |
| SHA1 | 6f2315883899e38730609945dbebb7015d6d8c42 |
| SHA256 | 6c521bab6cbca66a5cb718adc8b31a65ad032760903c051fd223a287be8fe018 |
| SHA512 | 0075ffc9ea5e48e6582ebe0a5b2cfdb9b8ce243ea9290629727e1cb746750fcf13fc993d39944c87238feea5b651243a015871bad551df59b070d79c9c5b436e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9cefee92155158087e5634759ad54533 |
| SHA1 | b57e5f9465026ed296c7d7cb41512673a2348963 |
| SHA256 | c60b3d75a3b2708e74509695a96b8b4071fe9ce9e88a0caf1f9c1759a7207533 |
| SHA512 | 0e2e60b36a7d84e5efd5186e4ddd27d9625e16239adae0395f21b568fa35da2df42cd26b918a8049bd1c1d90b93c8fd9a1198cf6dd7fdeed25b47965d96c6355 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41ee19506877c7944ea6f11d157cf65f |
| SHA1 | 767cf1f92b22150e4ff90f0ec5a18f95a3d5f1b3 |
| SHA256 | 9b393ff0301b32c95eb46c433d77cd2701b6e5f21faf10b82b50de27704dd1b0 |
| SHA512 | a04acf491ec08613e8e8e927e69ef1120e71179554f01e8abd84d35ded854a204615f0589cc9c59e3da6eb52487406c27970a62a61d9cfb3e6cb7f76556f37a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7eaf6ce8c5a1a64a33d5c001d3a6d40 |
| SHA1 | 5cc8b281f4ee20be2617a243896cfead189ef3cf |
| SHA256 | 033a2aa7c91bfe071486177b85f7adfadbcfcfcfd1755362e635213261f2c8c5 |
| SHA512 | 40641cb97cfb308c94ae00fe97144942b0fa8ed87dc1185e927b28dedc071f105270f7b6335ac54a97e9f6e51a8bd544439967838e811e5d4b045013aa294905 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 15:50
Reported
2024-05-31 15:53
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8789e75833411f2d8f6e9628073ed6a9_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e846f8,0x7ff8e7e84708,0x7ff8e7e84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4009522145883058317,14377142368070925769,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | v2.uyan.cc | udp |
| US | 8.8.8.8:53 | bdimg.share.baidu.com | udp |
| CN | 182.61.201.94:80 | bdimg.share.baidu.com | tcp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CA | 43.130.192.184:80 | v2.uyan.cc | tcp |
| CN | 182.61.201.94:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| CN | 182.61.244.229:80 | bdimg.share.baidu.com | tcp |
| CN | 182.61.244.229:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| CN | 14.215.182.161:80 | bdimg.share.baidu.com | tcp |
| CN | 14.215.182.161:80 | bdimg.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CN | 112.34.113.148:80 | bdimg.share.baidu.com | tcp |
| CN | 112.34.113.148:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| CN | 163.177.17.97:80 | bdimg.share.baidu.com | tcp |
| CN | 163.177.17.97:80 | bdimg.share.baidu.com | tcp |
| CN | 180.101.212.103:80 | bdimg.share.baidu.com | tcp |
| CN | 180.101.212.103:80 | bdimg.share.baidu.com | tcp |
| CN | 182.61.201.93:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| CN | 182.61.201.93:80 | bdimg.share.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 87f7abeb82600e1e640b843ad50fe0a1 |
| SHA1 | 045bbada3f23fc59941bf7d0210fb160cb78ae87 |
| SHA256 | b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262 |
| SHA512 | ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618 |
\??\pipe\LOCAL\crashpad_1036_DQQZCIGNJPPMAPTP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f61fa5143fe872d1d8f1e9f8dc6544f9 |
| SHA1 | df44bab94d7388fb38c63085ec4db80cfc5eb009 |
| SHA256 | 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64 |
| SHA512 | 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0f240867655cffd602f40a175c412292 |
| SHA1 | 73089969bc55fc815ad566afb0a53c3472418ee4 |
| SHA256 | fdb20a0cd9d617966ed77cb277285386a1eb3da6e226e7cc80dc9aacc8057ea5 |
| SHA512 | f7fa99e7af44e71e5c164d282b15a0ac4db9089d22529008afa2d3aa113e1c9c21a8e67bbddcb702b3f2767396b154a437b5ae18b39c4c58be6fe4b8fd8804de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ce0c9069e86776e4563e33592a261d67 |
| SHA1 | 8ff70a70dae981aa45fe7e397f6cca6839d516f8 |
| SHA256 | 2ce2661dd084478b389a43ef857f87bc482589e6cc56c0404cb594ed87354b30 |
| SHA512 | eec245709844c3627c7886d2f30f0d3264ebf4cbd34ef8a58bbe1b0c9970d840338909b2e8384e5f1ffed7fe6dc0874410507fea6c85c2b1e0d996d8231b0565 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93c1f61a399073e3b53a4deef4ed5bd8 |
| SHA1 | cea3dc469a4d3689aa9c31dfba1e20420f12645b |
| SHA256 | 872f0d5583532cdb9d357acf74f9b06869fa1626978881aece53491cfc3e0701 |
| SHA512 | d6c95e890288a70ffc05ded9f7ffcbf708b94769a82f65492e2ac6abd4430ca06287c8b89429861f543e6a75a203102fd7ce626aa32024b3a0791eb1a1095ef9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 881660e560fc52adadf0e2a510b993f5 |
| SHA1 | a02bce0998115305c24fc548330d539322995568 |
| SHA256 | cf2a53c847d12145008742d6191ed8391b2efb02a4c5b07a63c1c18c4d52fe1f |
| SHA512 | 96dd7a29cf2a15439b05b64cfabac312c3e75225cf8036abe3dcfae78a41cd898775189caa78a7db7208a50f43c9941ec0b2e35da72954ffd456ec4966ed0390 |