Analysis Overview
SHA256
3967a858288383757e570a2f7bf6bb143afffcb3cf38281353846d07d734d996
Threat Level: No (potentially) malicious behavior was detected
The file a1d40cb91bfac8051f7517de98f086b7_JaffaCakes118 was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 18:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 18:49
Reported
2024-06-12 18:52
Platform
win7-20240611-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000006f5460937e3e028b208788224b79b8b70988fa4995d904b382c49af8b10c5cb9000000000e80000000020000200000000d6959b304edb8c7dc138df5ca12b1160fee218b36eaf435db3aefeacd93cc4120000000b76b87b29cd18261bd5367db1cd074ad84af4663d5e64340df46665b20af09654000000053b813e8e5e0fe138149ad3c1a27baecff94cbd2347f3fa17f1ea744e92b2465d23d57b96580862fd2ab32342d39762c47d65c70b18da699a7e3a2855619bc97 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000cba3bb53ab0c858a213b84090f271e224142225dd89c74819b3601406bbb6c0d000000000e80000000020000200000000b3bca759336757828421558ed5df9cb608d4b15ffeb034e754979a4b219cecf900000003d1ae7c9b5792e7f5354b00eb0a844f00366280b0ef96f8dbc92ccddcdb052b772cd7d7e2a83c8d1d49f19a977124afcd84a24500a2d2f0b0392ed9c1beeb897660399626565a15035b0b7bdf43a68a831d1949b8c60f87b301f62c22a81ddd8e5b7b1c22269fcfdcf9d7c8ebe5835ca0c278af6d54f44e4aa4d69e4b7e59f0749f0bf321acb059b72533e80f7acdb4e40000000391afd046274dc63d7e8805224110e8754fa14aff4ea5365a34ca1c09b7e10dd3780d82566d51d43f8a81fa6d14df53e0adf3696128a2efecebbdcd09f522381 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60881d58f9bcda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{835C06F1-28EC-11EF-ADBE-DEB4B2C1951C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424380042" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2212 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2212 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2212 wrote to memory of 2108 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a1d40cb91bfac8051f7517de98f086b7_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.onestepfurtherconsulting.com | udp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| FR | 92.205.6.126:80 | www.onestepfurtherconsulting.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2A9C.tmp
| MD5 | 2d3dcf90f6c99f47e7593ea250c9e749 |
| SHA1 | 51be82be4a272669983313565b4940d4b1385237 |
| SHA256 | 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4 |
| SHA512 | 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5 |
C:\Users\Admin\AppData\Local\Temp\Tar2B4F.tmp
| MD5 | 7186ad693b8ad9444401bd9bcd2217c2 |
| SHA1 | 5c28ca10a650f6026b0df4737078fa4197f3bac1 |
| SHA256 | 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed |
| SHA512 | 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54f45971e97308106ba659f10f43bca6 |
| SHA1 | 1d71065764ada746813f6fde16cc09d654f6f535 |
| SHA256 | 6ed9dbc139429fd6f35cc51870104ac3398b4ece0eed9a77b64bf671a07e64a9 |
| SHA512 | 0bde6cc035a0db269c1781dc432a02efdec884a91ce4483d24b9eb1c001ff99a7a34d1552a669fe2c5df4445907cd732e0cf1ef484012687a95f7c8a8a3adcfb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e24370d9a79b5adec06d08f417e6334 |
| SHA1 | d75f8c567fe02df205826d3b7a7554435f80b9a8 |
| SHA256 | 792aa14312a8e4d25d90398a2484ddd71ff0e3e2d2f84ee47758dd49dd13082c |
| SHA512 | 6f1d1b5ebe6f1a07d1158cd65d0665a2a81596aceaaa03147d63d5ce07f9c20a213ceef42bc740dc1a5b4c50f3cee3ad65f80fabf1aef252c45079c138c2d369 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1184c7c615894c535ed9c8bb82b74c58 |
| SHA1 | 38123f32668e6fe6b8e5b18f1eac181da9ed433d |
| SHA256 | 5b7973781cd23ba9a17785771308f49edd072270a661426fc275d8e635b53104 |
| SHA512 | a2c8134d5abfd33670f5c7a7e9668d09fc11dd62a7818c808d32be017a8a133a7bcd8689e437a33ae2f17e0ccdbf2aeb797213c8855d46b2b2e5eddeeeb64183 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 508b5b05e9ef07a9231054c856fba0f9 |
| SHA1 | 985aba614af507cb69835c78481d072f7a09e255 |
| SHA256 | bb4a3baf4096e3124acda9579b04931c057c2e5e8a9b644c55aebb7b9245c4b0 |
| SHA512 | b9e96a3332605ac687a8cb2b22070d3a753e53bd9a5649a4ea1420397801a37e27ac92281f84487437b445e1ac36b7dc48449459b78a8b5a37096197b3c71841 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 53b612f028f71e1055b30b208c3fb5dc |
| SHA1 | 4752361ca107aafd9ef2d713b04da1087183118a |
| SHA256 | 204c5543c763dc1c7a9e8b8b987ec543ff998adc81eb55dd25515615b8a89f32 |
| SHA512 | a758688246a18e23a7ddf144f3ba4066382ab561cc938717333ddccdee31c857a38a7266b2b8cbc51a3d29aa9a4085b7f20d8be57690519f63082ea52b455c22 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b305d63f3dfd1b4e15c2646c9027cc8e |
| SHA1 | f4ab21c7ec4c12b40409d477ed641472e75030e6 |
| SHA256 | 15af781a2b724b7f1d485a1efb0c80834f9eda5b0a52ac50d75812b8c080c7aa |
| SHA512 | 6ab30a49545e88387ca77918ccf8bbb1e82dd2f2a7ae4217a8f5826322b180c495c11d6cbf1097d666c3d4d3f2c07ba50593217174248f658c023c3c5820a9da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e2b3ece834037f3c9b6742f5bbbcb40 |
| SHA1 | f628efc47437da0ea55447ce25e91ab1785a3ffc |
| SHA256 | 68117c04dd99041ba78b3a89ac01e28008c03e6bba6a4560e2f80f80826e7b87 |
| SHA512 | 2bf2ae13270d251f03904147c4c0b6a6b55761894019b48123b5413c885b2840f7c0e4c3c305b139ef1ea1ac9dbe818af512b7ee00d84a029c1e64af365f0edd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7c95260bbd1af9ae92afd4e3a1ec851 |
| SHA1 | 15f288a00a40c58d36fde4079006e22a3175d0af |
| SHA256 | 78e2cbed41000efc3f952d57df87c21edbdd6af8470fdcf7f28acfdc4d033dc9 |
| SHA512 | ae7b76e937becd009f3bcb22343ef1bd24846d5ebc322c991e5fc89fc357a1fa8a14050348454fc7295843944835fb7eea7dd13d6dc6daac16578a26366dd47d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8c899c944b961508ab8cc06f271123d |
| SHA1 | 4f71264af7cd6c64e761e0bbfa70f80ba4666ddd |
| SHA256 | 73ee2a7b949adc0041ec0f002f139059a035a1e736f41b0a9e8cf9831c5c02fb |
| SHA512 | e8be7dff98d58cf0915ba509a8af50550ae651945df1d0700e2dd608633cb6707d4b622a74f7056b08d4c9cfe51c4f13a380b0d0bba5d5073a1ff076e3a85f82 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 206617116a4568dd374a57def92ed641 |
| SHA1 | c152945eecf93f956214f269f66953c5de222dcb |
| SHA256 | 8190f909c9379672aa9e503a8e98174ad6c4c0b4d594b6844199cd5159a453d9 |
| SHA512 | 675b54a2498462dea17495fd3ee58f6082ee2ffecf8dba7f7ffd096dc4ec03895678fc9d867c8bcf1094cc02ceda65b557fffb57b6e12c31312d38d282c41ef3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 543fae991c59838caf385867fc725cd2 |
| SHA1 | 5023140ac45540e68d7ccc688673750f00e7bb0f |
| SHA256 | 60155f947f8235c9444356bc4cbe71f6a1ca158b08c87f8b1bc881b789ab20b7 |
| SHA512 | 7484c3f9e258af4a949dade5b2082add4c5b51c60723ea85ff04df4a4a8399e2d45c57701a43035cc77b9cb7b6ee4bb820922a7d729463bf51f2e2b767f69f43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a03dfc0e7bfc8f887287825ed6e80e2 |
| SHA1 | 09403c846b016bd13fdd6e262eeb516fae870997 |
| SHA256 | ce06d4f7e8e2130b58dc34b5521438682053d82563e394d197161cb88840bd5e |
| SHA512 | 6f501d114bda1464ce9c3bbd26f894b9b5133b211f600bdde825e2ac1784bebfc2d46a1d86615f7a388a5ad8e3bab2f18e8026fc2adac9edc63fcf4c093e35bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4688019fd4eebb12ea9b595e1d4ec531 |
| SHA1 | 93c52a1b7b550c67163cf5b7e3f6f07c635a71d4 |
| SHA256 | c111ece113e7dee3a9667360192c16d422358478170684c1d1d38ef3afdadf3a |
| SHA512 | 1aa3580ade0536ab486146bf290cb531043adf6486df56f4ecc9beaafc0e40d17b5bbb6bfc80b870d8ad34baa5a7ca8221e0a695a20cf19b22cec0f5b1d4d096 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 160b1a774cd67732698f96692d049d40 |
| SHA1 | 40cb26a47da627c4e3e34843ce920d4156db8d93 |
| SHA256 | 1855fa2ad3f1ce1780ac729c33afe2742fa2d3dabde37384c1af28094d33db99 |
| SHA512 | 883f6834172b2d5821314387f12322ac773abc3d64118b1a5a85259712538d39d59f52ad4f74915ce6562f874548feac3920a172d4c76c1b7df99535a7fefa7b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5e8677b042a806465245c7ef84ab80e |
| SHA1 | 51e13abe6850e1ccd351a58afed39ad15577fa43 |
| SHA256 | a28c9c8dcccf634cbab36093e987e5c606229304dad2401309b9df29e8228c2a |
| SHA512 | 30b0cbfa7541b37090c71b5a70d95a7cf877c7029982b55c1b665bf4625fa2623c3be4dbd779cc8a703480c52cdfb3b286011cfa070161ae2ed4adabd954a3be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a8447a943c2aafe3303dfa32b27811df |
| SHA1 | f1e3e8ee12a64e708eadd16bc6d59819f34ed2d3 |
| SHA256 | 6c791d29497de8f3b4bdba973700897d91c3562db67a98e1301ebcd902ef01f2 |
| SHA512 | aad4c5288ab84c3ed7eca26a8ee9dbf131ef6413d1e656bc6a845c8a059592a832eb4407a9c8c919741e1f7245451a6717e302605288532fe914e66f6a973854 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be67e875b8956a21101f89a7c50e2722 |
| SHA1 | a5a5b7bc86021e5bbe12aa4678cf6392ccc81039 |
| SHA256 | ef008fc351f0f1b9667f37d265b0690491ab1ffc2449bff9f1baaf85cbe1556b |
| SHA512 | ea4dade07909a8b352c087ed935b3eff71caf4e7660714f9ec7757fb509da3cc7c98310d79a89a5d0740b0b6a3d99cf64bef0290597f635ea0f383a178c773c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b4349656709ab093f011b232d91a9b5 |
| SHA1 | d057b612c545e245548bc878e38d4abe8882ef98 |
| SHA256 | 4184375366355655ff7ff4484318a8f3870726be367c5490babe31ed0a714984 |
| SHA512 | 7369ec225666a3727065a881bd26f27639f618c126ba3baaf15114ca206e0859fad3a3bbbbbe220a311e5e9b35bc19d8752d7bec09b2f38d25448582e0baac15 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6ea209358905185a97291df6be87d67 |
| SHA1 | d405ffb5c653c25012ab118d8255b716127789d9 |
| SHA256 | 6cbc56e21c793c43f3f1441791756095107d7ccf10f42e8d0aa7aec9cada0565 |
| SHA512 | 98217110cb840df45e56e6f3429d120d0b22a020f41683dfeff38c517c834ec058cf43dfa1de09f2945af41cabdb7298e1193e33c3f473e0e151efd447fb6fcb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 18:49
Reported
2024-06-12 18:52
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
127s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a1d40cb91bfac8051f7517de98f086b7_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef94246f8,0x7ffef9424708,0x7ffef9424718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,5972668861438597456,12405825788075279231,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3140 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.onestepfurtherconsulting.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | www.onestepfurtherconsulting.com | udp |
| US | 8.8.8.8:53 | www.onestepfurtherconsulting.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 87f7abeb82600e1e640b843ad50fe0a1 |
| SHA1 | 045bbada3f23fc59941bf7d0210fb160cb78ae87 |
| SHA256 | b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262 |
| SHA512 | ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618 |
\??\pipe\LOCAL\crashpad_2372_HWIDDWZGYRVFYLNF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f61fa5143fe872d1d8f1e9f8dc6544f9 |
| SHA1 | df44bab94d7388fb38c63085ec4db80cfc5eb009 |
| SHA256 | 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64 |
| SHA512 | 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e877706bd0d8ca9c343a5cd60917c585 |
| SHA1 | 9b7716f860d4ce7c96c3062541426c8f9b46c4f7 |
| SHA256 | 59babac1854baec7d42e31b87c300d8e40b1f49ff9261bb079fdcdef6e11cd90 |
| SHA512 | 08414cd89dee9bdbe2b1358530b9bb7193f5cf444f067d4098dcb1fca5bb2665a81a5a89a768d59ec3b75d29aaadf47270ee5c7b0388d0186675b51c104aab09 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b403cbb8583aeb53f327761598ca6c48 |
| SHA1 | 12c6c5b44d74f7392d674c9452fb5170f57fcc33 |
| SHA256 | 2eef1233a241ec5f16df0026cd27aaa4a13b63ed9007945afb4e0524700b5ffe |
| SHA512 | 743aa2590f3359ad9bfb95b1da7748c53dca06df3786f6c49471f584f861fe6c86b938e3a56d4f2a18b604fcc0b33592305d568d18201386726452a906d49965 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |