Malware Analysis Report

2025-01-17 22:48

Sample ID: 240603-qw3rqahf49
Target: 91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118
SHA256: 369c452e782fc3a980468f7a722d7568dbf3ed3bf2536028340dbe45112e0c54
Tags: N/A
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: 369c452e782fc3a980468f7a722d7568dbf3ed3bf2536028340dbe45112e0c54

Threat Level: Shows suspicious behavior

The file 91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Legitimate hosting services abused for malware hosting/C2

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 13:37

Reported: 2024-06-03 13:40

Platform: win7-20240508-en

Max time kernel: 124s

Max time network: 140s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118.html

Signatures

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423583721" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6DE36561-21AE-11EF-8F47-7A4B76010719} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 13:37

Reported: 2024-06-03 13:40

Platform: win10v2004-20240226-en

Max time kernel: 148s

Max time network: 155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118.html

Signatures

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A
N/A | sites.google.com | N/A | N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\91fa882f06b293eb1e6e4a13435a7280_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4896 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3876 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5384 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5520 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5516 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5292 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6156 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5512 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6316 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6548 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6776 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:1

Network

Files

N/A