Analysis Overview
SHA256
fd6719aec40b59412bf1de5b2e742708896cbe3004e1508adb9b9ef6ab72e7d0
Threat Level: No (potentially) malicious behavior was detected
The file 8c87db351f5c9017318a6be771f9b386_JaffaCakes118 (an HTML document; each detonation opened it in the platform's default browser, Internet Explorer on Windows 7 and Microsoft Edge on Windows 10) showed no (potentially) malicious behavior.
Malicious Activity Summary
Heuristic signatures that fired across the two detonations. Every hit that carries a process attribution in the tables below is attributed to the browser that rendered the document (iexplore.exe on win7, msedge.exe on win10), not to a process the document spawned; the per-analysis tables give the evidence for each.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:55
Reported
2024-06-02 01:58
Platform
win7-20240221-en
Max time kernel
137s
Max time network
118s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4000d64a90b4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009707202a6c862c4898c69a425782bd4a000000000200000000001066000000010000200000005db8d42c8cb64930ccc652f41cdb5faf92d538f16b4c99bb76b84bfded95c556000000000e8000000002000020000000674a88e077a06c8a01dc449944b43b4ef488ffdc37fce85a0aa7ddea7d83e88320000000b50f5b649942f2f14893d50710a7ea92b7e92c08a69c023216252ca53de1111340000000c628125b908a2836a6e2c53b48558f6dc59b541030f3e2c7fae4a7b70dbb0809bfaa3dfae877a061ff95927bada76fc0949789297e452fab4f991f9b2fc712b2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423455209" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36D5AB41-2083-11EF-A8CB-6EAD7206CC74} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 1156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2220 wrote to memory of 1156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2220 wrote to memory of 1156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2220 wrote to memory of 1156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8c87db351f5c9017318a6be771f9b386_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bdimg.share.baidu.com | udp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab1D50.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab1E3E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1E63.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58825447527a0a2c9aa830bfa20b4ab3 |
| SHA1 | 47a3bd5a4aa13b181fae3a83ed6b550f0c501215 |
| SHA256 | 50ac658d93146b4ab90898ca218a00af43a0c0328df4241a341ce7ca42a1abdd |
| SHA512 | 71f85fac513379bf53c01091486db89d445ef7e2ce1e6eca48338b821d286cf84f649c0d2d2ed257f7fbc2967150ef7e96007c2834b5583c7d05101e0dad91ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a20c9ec1b7b5686c0c4cd3885c1b22bd |
| SHA1 | 650050c99979fb05b1071defa1c026f35d31edfb |
| SHA256 | 1277ae5cd8d20120f593921a1dae47eb4068e2f1cbafa386d51328bbfd1e78bd |
| SHA512 | be3d7cc1f775cd8ecda01e69de98ed89276a8564d3a542bcb81fa66c151f51d87b0a1edd1e69a4c4cafbc71c9c0349f9947999240c6011d387dc0f7ce97e31f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6fb6c0acd349b3ef92c85be2049a81f2 |
| SHA1 | 025f961439eb39925240756d3a5bebe153937613 |
| SHA256 | 53bfd8f40748ab5d6d8ebdd1367a963c4d1043e4b09e23d47b7dc9cef223d25d |
| SHA512 | ff5d9db6b024c8da6f0a85b8ac13119043f2027a24321c59e08df83d320975ebcb5afd095cd28b19be9cc53de96aba7b3342904d6961c32532938e34de785610 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 066be56273a9d951f143d40d008f1336 |
| SHA1 | 638281a46d2059199e8a685dfdf5e887538925de |
| SHA256 | fdc7dac724a3ea3b951c47a2d51c619888051eb27c0f5f9a74047b3935a7cc66 |
| SHA512 | bfaba5a605dd75921ace3155623395fa31475e5a0e903770ddc9b7c2b8cb522f8caf153328ae6b48def1e3e94bf5b141f5d19bbeb7e95b5c34b057cb0176b4f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a2172f0a886bb17832a26faa295436e |
| SHA1 | 63bf9ac2db79f26a6a0f7e112e894654a1eb5e88 |
| SHA256 | ab3fe32660b6f178e88487271367a89cca2de2e0eafa6dc0e1b17fa122e67764 |
| SHA512 | e6979a523c876e2feb82b001998359d34d787f6f858789779f8b8fb90d77b3c6c0738e87afaa585f9bffab7c5c842b94c4f24910ac7847083d730e0c1b67b140 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 121881b8711b28aa1f812d4d141f442d |
| SHA1 | 7da881b2ee405f54acbf5b1319656d4ffba5238c |
| SHA256 | 7c0b394de6455317f33ca825865c07cb59d27928d5dacc31158045e6575747a6 |
| SHA512 | f4b28f3bb3d717c2a65d29217c71d4a4cf7aa897264ab59bb73d42195c0eaf5794073a4d1caac7acd0a7fe34c5eadd2a8e4cfcba51728796d52da3f9819bff9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95660b5619fe02d511fd5934a35051c3 |
| SHA1 | a93efea54cc3af2455f49e1b5ef349f12355138f |
| SHA256 | d55731758ebf8cff871bbc21444ba9101c50a3e8fa28e881ed38194d3c3a6568 |
| SHA512 | 40459711028a4b13940f96b6737d1b97cc9d9aaf720e9120aac4bcee50b1653056381aef232aacfdd9479b3928e82b4be06fb0db1715224e8c16b3c0fe6a046c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a94303f0bdb40a3703444d0999f2aed9 |
| SHA1 | 9aa1a61a7062c3ba80fcbdd9a75511f0bff52d2b |
| SHA256 | fc15ac599ccb1e8dfc09301155fd0a78fb34bfbc67a263e6241b0a019a814b99 |
| SHA512 | ef4e51e631618c763bfb7163b68c65f4f8f8fbcbabbe042ef228d0bf3c0c91a611fb6e0ded76a9349830b10855b0129f441f2dd0e4bf342b95535ce8d42eca15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5da211ff3d4eb7017fdc2003e75882c |
| SHA1 | ccd59e1af6020f894e117fe4fb3ae1816a6ffaf6 |
| SHA256 | 496c3987d1704ca3878df4672e5d5a1f43daa8dcf0c7b8f208ca05dcf8f6881a |
| SHA512 | 945bf7bed1733e4853e518b95ea51ee2bd131d4b2d6d073134338b6d83528b9b37ad9a60d2431d09e5b1e1068a17347e8696d223bfd8e93148767955650c1a00 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e38ebdd0b34a436be7ab85da3e9f93a9 |
| SHA1 | f56846882c2293ed2b0a5f12b257d50f24de6b9e |
| SHA256 | e7e466e652ceffae7b0c5689f9cc4b375a4394f045a4bf69057bbc91ef4961a6 |
| SHA512 | abcda6945f58c6c46ae93923aa7693568b7ca9a836ba08a38e1606e6d31f64316f4edea80bbf02adeb971667c75850e77008501767a285de7190d72714bb5d85 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed7798bf22e21613ba4804178f74852c |
| SHA1 | 53d75ea0abd552f4257095b6c983a3f8f1dcfb6f |
| SHA256 | 37beae0607d08be101a7ca280df492fc9fbe652ea9944b6a9f4d17a83726bb73 |
| SHA512 | e78bd0a6fc5a5e4a76619867f8fee9324fa711e21f7e5038d941ea97a9b16d980de5acc9b4c839da2cc7d3075c58b95ef80172a0afca4b870e87922ddca44108 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f57165d7043b7a2836fda7e0ea3f6c4e |
| SHA1 | 2203ced35a1d6394ef25fc2851641a28b6f709be |
| SHA256 | 35649d67feb21fd2f5410c616eacfabf479c7e018f70783e555e3f9dfbad11fb |
| SHA512 | 1b7be2c976340894e2085083ce54b3fa4340b62f3ed2295f99f42614e356f5058139c6535ae44cdc7218d1fb8112d0a56893a39532a45cbaa70cb4429921376d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3aa4888c839824284a7cb6a9f25b0df |
| SHA1 | 1d0656d0a0821d9a2ef7a5ea5cc6f4dc7bf236be |
| SHA256 | 2e1cd05ca4d20d237f591eb257ad51cef0e61920033ed995ff3f2aa6604bf841 |
| SHA512 | e8f4cb80e5ac9b682f2c1d95dda971c1177da9fde2f2f73bb9124141d61f2e5c4f87aca29eee1c42c21314a55ab9058dd549d643d4f02e2fbe6b77743c310b4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b007e81042fc2ed11f4021450383c96 |
| SHA1 | e26128b86cb0217ecf9b3b5aa417480c557f9700 |
| SHA256 | 8cca792ab3d4e46d15142e24b6ff893b7dbee28ae8708a2ebb30c141492c477f |
| SHA512 | dfb12036087c72fca2ccaafd8dc80d985ca8750effce6556f3f625c298687540a5c9157861d948974ab7c0f73f9547d03925661e3b49b282aa341c0dbc3b9e8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de443694c97a0b5b7d06048b1c8433a0 |
| SHA1 | 388a40ba42b1e610a69863135222c5e48656a1fe |
| SHA256 | 267925954b6b3100b0ba9a2f9095b0c3735fd434615bcac9c38253fac810ee74 |
| SHA512 | 6e6dbbbbeab378a38d46932ad9e2f30e03260b1672c581edcbea885e7819f4a4ad86fdb23b33c68d02d63dd5692aba6a74d915e1110f668ad6c40cfb8aada83a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 005c5677dd279a056312e0355bf00a35 |
| SHA1 | dedae6dd9acc688e5556d021922256926a76dcc1 |
| SHA256 | 75d4c6df74f2ef3373e8cd783d15d1ba50b6fb7c9e60e5996f611777ddb532c5 |
| SHA512 | e61362d718a9d3ee0a0f5c17f5a37ac8789d613114f66f03c91f31df5e2a5d7a21cf35d6a6ddb6be265cba9396dd1d734012ea09b718c0c7f55b82ff263c989f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69196000e470f15a2a2edb842cc6ee75 |
| SHA1 | d2119a2fda4e0f6c8807f89bac0fb426859ee1c3 |
| SHA256 | b74577b76d4802dfad15ebf10bfa542f49ba85e95ab2e4d9ef5508ee2b6af8ad |
| SHA512 | 8c957549e0957478225d8bcdc918a8c3093dabe39d55dd7a149e73646113315ec05aa902100787889c4e5f67fed21e38b1acb14b87a0ef0f901239bef6ac70ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e286123e3e30a179364c2fccdaf24b43 |
| SHA1 | e64fe94e4f5cdb022422192471e4a8089ef334c3 |
| SHA256 | fdc0b27f03f9d022a638776cefeef661085c5a90b746e9ee9124c6fd10a29bfc |
| SHA512 | 6a655db5cb6131bbaf6f6761cf0b106933560eb4c4b9acbaac6da49b0abc67d88b3a2e8d3ac4ae70929446e6e24827c31b102c20d398340b507c3b64cd1845e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84b1484311be655d57a59b62d9eba2cf |
| SHA1 | e7f1bf57fd9d8b2e04bbd7325c74feb83d9d2afd |
| SHA256 | 6b57f210845da2dc5d01a6ed506191451d2fbb5d7ac3c8cda644e5d0440c9221 |
| SHA512 | 0adc6b629e0c2a6da100f3e25b11e6b948da72a88e7f52beec136f99c540cd3d8179226c7c79cc612cb1307c19300d9efb8ad015aaa09bd666856f83de86d4e3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:55
Reported
2024-06-02 01:58
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8c87db351f5c9017318a6be771f9b386_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6324434108359586544,12747591701938651550,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bdimg.share.baidu.com | udp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
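Both network tables (the Windows 7 one earlier on the page and the Windows 10 one above) reduce to the same picture once sandbox and platform noise is set aside: DNS to the VM's resolver (8.8.8.8), first-party browser services (ieonline.microsoft.com for IE; g.bing.com and tse1.mm.bing.net for Edge), PTR lookups and mDNS that only the Windows 10 run produced, and, caused by the document itself, plaintext HTTP to bdimg.share.baidu.com and push.zhanzhang.baidu.com, the hosts behind Baidu's share and push widgets. The script below is added example code, not part of the report. It parses rows in the page's own table layout (one row per distinct destination, since the report repeats rows per connection), tolerates the mis-aligned mDNS row as it was extracted, and returns the split; the category names and the first-party suffix list are this example's assumptions.

```python
import ipaddress
from collections import defaultdict

FIRST_PARTY_SUFFIXES = (".microsoft.com", ".bing.com", ".bing.net")

# Rows copied from the two "Network" tables, one per distinct destination.
ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bdimg.share.baidu.com | udp |
| CN | 39.156.68.163:80 | bdimg.share.baidu.com | tcp |
| US | 8.8.8.8:53 | push.zhanzhang.baidu.com | udp |
| CN | 39.156.68.163:80 | push.zhanzhang.baidu.com | tcp |
| CN | 112.34.113.148:80 | push.zhanzhang.baidu.com | tcp |
| CN | 163.177.17.97:80 | push.zhanzhang.baidu.com | tcp |
| CN | 180.101.212.103:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.93:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.201.94:80 | push.zhanzhang.baidu.com | tcp |
| CN | 182.61.244.229:80 | push.zhanzhang.baidu.com | tcp |
| CN | 14.215.182.161:80 | push.zhanzhang.baidu.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""


def parse_row(line):
    """One table row -> dict, or None for the header and blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):
        # Row with an empty domain whose protocol slid into the domain column.
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def summarize(table):
    """Split the rows into sandbox/platform noise and traffic the document caused."""
    s = {"resolvers": set(), "reverse_lookups": set(), "local_multicast": set(),
         "browser_service": defaultdict(set), "sample_driven": defaultdict(set)}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        endpoint = f"{row['ip']}:{row['port']}"
        if ipaddress.ip_address(row["ip"]).is_multicast:
            s["local_multicast"].add(endpoint)          # 224.0.0.251:5353 is mDNS from the VM itself
        elif row["port"] == 53 and row["proto"] == "udp":
            s["resolvers"].add(row["ip"])                # the sandbox's configured DNS resolver
            if row["domain"].endswith(".in-addr.arpa"):
                s["reverse_lookups"].add(row["domain"])  # PTR queries: platform noise, not page content
        elif row["domain"].endswith(FIRST_PARTY_SUFFIXES):
            s["browser_service"][row["domain"]].add(endpoint)
        else:
            s["sample_driven"][row["domain"]].add(endpoint)
    return s


def plaintext_sample_endpoints(summary):
    """Sample-driven endpoints reached on port 80, i.e. content fetched without TLS."""
    return sorted({e for eps in summary["sample_driven"].values() for e in eps if e.endswith(":80")})


if __name__ == "__main__":
    summary = summarize(ROWS)
    for domain, endpoints in summary["sample_driven"].items():
        print(domain, sorted(endpoints))
    print("plaintext endpoints:", plaintext_sample_endpoints(summary))
```

The useful output is the sample_driven bucket: two Baidu hostnames, nine distinct IP:port pairs, all on port 80, which is what a page embedding Baidu's share and push scripts produces and nothing more. A bucket containing a host the document has no visible reason to contact is the one to chase.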
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_4092_RWDOTVYOPASOZXHV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b47ecc52b157e76775cd05fed0a26676 |
| SHA1 | abed391dc985b71e47a0a3b660ca58b729adbf40 |
| SHA256 | 98c4f8a8cea7cfa4ae814a3b6fd84e571257a7d42942c57d83e806f09fa44319 |
| SHA512 | 6412667136f54f27d79abe6ef9065edc3addd633fd0549cb2f256242f831f88a51f728c8fc5489c64d6fc8dd14ff94e481522a4ef55b932cf168348e728339b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | eb9274ed8249c4045ffb0b4f0bb3b509 |
| SHA1 | f0096ba9c31489214d655bef96361a4bb67fc391 |
| SHA256 | d6a97f0b31cb5c454b8a4aa43ad9414081ca8cd582f29af00eb6d71abe4fd871 |
| SHA512 | 65d3a28b06b70d99319ca7ec6663fb7e9ddea16e19e5f85014f08a7c23e09fb5784b16f4e34caa3b609bd5b1475be1115332df0c694b31271e16cff0420ea9b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bc25fb7d837352f8d38b36b8d8673a10 |
| SHA1 | 530ae5ab43597031480b7b9a479b4cf0cfabe210 |
| SHA256 | ee6da2ebe5b1302f8ba10539dd87a804e363c4323d37632f171b304d19be9862 |
| SHA512 | c83a4df0edde77c458e2c7f9a3422de8ef1dfbfe8f99d7ee08660c5ef891f8cd4203b49056356232af0efa887c0ab8808c7bd8c2863bab4e76cd2385bc7709c2 |
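The two "Files" sections (Windows 7 earlier on the page, Windows 10 above) share one structure: a path repeated with different digests is a file the browser rewrote during the run, not several files, and a row whose digests equal the digests of zero-length input was recorded with no content at all. Here the CryptnetUrlCache MetaData entry is crypt32's CRL/OCSP/AIA download cache being refreshed many times, the Cab####.tmp/Tar####.tmp pair in %TEMP% is the usual companion of that certificate-update activity, the Edge profile files (settings.dat, Preferences, Local State) are Chromium's own state, and the crashpad named pipe carries the empty-input hashes (MD5 d41d8cd9..., SHA-256 e3b0c442...). The script below is added example code, not part of the report: it classifies the paths, counts versions per path, and checks each row's MD5 and SHA-256 against the empty-input digests computed with hashlib, flagging rows where the two disagree as transcription errors. The bucket names are this example's own; MD5 and SHA-256 from the tables are enough for the check, so SHA-1 and SHA-512 are omitted.

```python
import hashlib
import re

# Digests of zero-length input; a row carrying these had no content to hash.
EMPTY = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha256")}
TMP_CAB_RE = re.compile(r"^(cab|tar)[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
CRYPT_PATH = r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015"
EDGE_DATA = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"

# (path, md5, sha256) copied from both "Files" sections; three of the many
# CryptnetUrlCache versions are enough to show the pattern.
FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Cab1D50.tmp", "ac05d27423a85adc1622c714f2cb6184",
     "c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d"),
    (r"C:\Users\Admin\AppData\Local\Temp\Cab1E3E.tmp", "49aebf8cbd62d92ac215b2923fb1b9f5",
     "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f"),
    (r"C:\Users\Admin\AppData\Local\Temp\Tar1E63.tmp", "4ea6026cf93ec6338144661bf1202cd1",
     "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8"),
    (CRYPT_PATH, "58825447527a0a2c9aa830bfa20b4ab3",
     "50ac658d93146b4ab90898ca218a00af43a0c0328df4241a341ce7ca42a1abdd"),
    (CRYPT_PATH, "a20c9ec1b7b5686c0c4cd3885c1b22bd",
     "1277ae5cd8d20120f593921a1dae47eb4068e2f1cbafa386d51328bbfd1e78bd"),
    (CRYPT_PATH, "6fb6c0acd349b3ef92c85be2049a81f2",
     "53bfd8f40748ab5d6d8ebdd1367a963c4d1043e4b09e23d47b7dc9cef223d25d"),
    (EDGE_DATA + r"\Crashpad\settings.dat", "439b5e04ca18c7fb02cf406e6eb24167",
     "247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654"),
    (r"\??\pipe\LOCAL\crashpad_4092_RWDOTVYOPASOZXHV", "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (EDGE_DATA + r"\Crashpad\settings.dat", "a8e767fd33edd97d306efb6905f93252",
     "c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb"),
    (EDGE_DATA + r"\Default\Preferences", "b47ecc52b157e76775cd05fed0a26676",
     "98c4f8a8cea7cfa4ae814a3b6fd84e571257a7d42942c57d83e806f09fa44319"),
    (EDGE_DATA + r"\Local State", "eb9274ed8249c4045ffb0b4f0bb3b509",
     "d6a97f0b31cb5c454b8a4aa43ad9414081ca8cd582f29af00eb6d71abe4fd871"),
    (EDGE_DATA + r"\Default\Preferences", "bc25fb7d837352f8d38b36b8d8673a10",
     "ee6da2ebe5b1302f8ba10539dd87a804e363c4323d37632f171b304d19be9862"),
]


def classify_path(path):
    """Bucket a written path by the Windows or browser subsystem that owns it."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith("\\??\\pipe\\"):
        return "named-pipe"
    if "\\cryptneturlcache\\" in p:
        return "capi2-url-cache"      # crypt32's CRL/OCSP/AIA download cache
    if "\\microsoft\\edge\\user data\\" in p:
        return "browser-profile"
    if "\\appdata\\local\\temp\\" in p and TMP_CAB_RE.match(name):
        return "temp-cab"             # Cab####.tmp / Tar####.tmp pairs
    return "review"                   # anything else in a browser run deserves a look


def triage(files):
    """Group rows by path, count rewrites, and detect empty or inconsistent digests."""
    by_path, empty, inconsistent = {}, [], []
    for path, md5, sha256 in files:
        e = by_path.setdefault(path, {"kind": classify_path(path), "versions": 0})
        e["versions"] += 1
        md5_empty, sha_empty = md5 == EMPTY["md5"], sha256 == EMPTY["sha256"]
        if md5_empty != sha_empty:
            inconsistent.append(path)  # the digests disagree: a transcription error, not a file
        elif md5_empty:
            empty.append(path)
    review = sorted(p for p, e in by_path.items() if e["kind"] == "review")
    return {"by_path": by_path, "empty_content": empty, "inconsistent": inconsistent, "review": review}


if __name__ == "__main__":
    for path, e in triage(FILES)["by_path"].items():
        print(f"{e['kind']:16} x{e['versions']}  {path}")
```

A dropped executable, a script under %TEMP% or a file in a startup location would land in "review", which is empty for this run; that absence, together with the process list, is the concrete basis for the report's verdict.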