Analysis Overview
SHA256
aa6f3520d36429e2760360decc4bf1a8925f25f5d066712fb2a2fc6a69389df4
Threat Level: Shows suspicious behavior
The file a505b32688b66c9f52b2e3e28c28b4a3_JaffaCakes118 (an .html document, opened with Internet Explorer on Windows 7 and with Microsoft Edge on Windows 10 in the runs below) was found to show suspicious behavior.
Malicious Activity Summary
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 10:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 10:11
Reported
2024-06-13 10:14
Platform
win7-20240611-en
Max time kernel
135s
Max time network
142s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Modifies Internet Explorer settings
Note: every key below lives under the user's own Internet Explorer hive and is written by iexplore.exe itself (first-run, window placement, tab recovery and new-tab bookkeeping); none of them is a zone, proxy, start-page or search-provider setting, so this signature is browser housekeeping rather than evidence that the page tampered with IE.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424435374" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000010fd98d8c9b762ab1d66beef2fda617c21cbefa22e755c18a8664e8b06342001000000000e800000000200002000000066941a88af5ae754731327a161270437da9790ad3c9fcef17012af271e7adffd200000003546543db1b5c59a03fcdcb60d95a9c77483dae8ab43cdd3292a418f22748f68400000008b60b551b3982f2c6c569d7e219b631c416fec50f674a85b683bb036524bb91e3a6029eec616a56cc4a8e9fbe4b85f9985366744b79b652bd7e4c472daf9ee85 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5688CA11-296D-11EF-8156-CE03E2754020} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000014ddc4baf02ab01db14fb11c464a1829ceca5969a47d52d3c824980a97af31df000000000e8000000002000020000000f4160eb5c86d7e07cc7245bef81cd52de3dc9d84f11250af32af198e6297bdf090000000eece503b70a984f7547d116e9bd9c9f5314b15570acf3ac753c2d03bac0a1e0352ba80d362165ae0b9c4a1039a278f8f1b5847466c02c486de246137c12cd34d40c176431a5389e8e46a89e4c634257a0595ba2fdec306fac8508cf0582c9bd52aece63de8cd45e71f8e289131e98d378ea2513008dc5804fae565dbd95164b6a143b8958fc80e389b3a98fb8395fddb40000000cea358ae56e0aec196529b140c1871456d1803b920d69a7463d56899c77ac822fe15a136e345212df3347e5400333401efc809618ab63964c3072a98afd6d05e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08a162e7abdda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Note: PID 2596 is the iexplore.exe frame process and PID 2052 is the tab process it spawned (its command line below carries SCODEF:2596), so these writes are the parent/child setup of IE's loosely coupled process model, not injection into a foreign process.
| Description | Indicator | Process | Target |
| PID 2596 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2596 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2596 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2596 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a505b32688b66c9f52b2e3e28c28b4a3_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | graph.facebook.com | udp |
| US | 8.8.8.8:53 | sites.google.com | udp |
| US | 8.8.8.8:53 | quangphu.info | udp |
| GB | 163.70.151.23:443 | graph.facebook.com | tcp |
| GB | 142.250.179.238:443 | sites.google.com | tcp |
| GB | 163.70.151.23:443 | graph.facebook.com | tcp |
| GB | 142.250.179.238:443 | sites.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Note: the CryptnetUrlCache\MetaData entry that repeats below is CryptoAPI's network retrieval cache (certificate chain, CRL and OCSP fetches made while loading HTTPS content); each repeat is a successive version of the same file, which is why the path is constant and the hashes differ.
C:\Users\Admin\AppData\Local\Temp\Cab98E7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar99F4.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1cf6b272997aa2264284055619651f22 |
| SHA1 | 1d721a7bdfa273ba29e0ce62edb5c6940f277137 |
| SHA256 | ca187368d02b3d1e68649623f77372576e8d8503a03a8f60c4e850be10c34207 |
| SHA512 | 3effc8a464d616f8cc287e73f24bbde8af200db5612f7eb9e1566daec2b885f09731445919c87b36d35cc48cf7bd4dc32436181bdcf1228fe4e31cd972594959 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f92df69f7817bba1d82e43dcefaf0102 |
| SHA1 | 984fcef12f037af25d87ef79acfaf66c955c784e |
| SHA256 | 0f298eb881f4c14e66929fb56225e11b6278fef56b8262956a8c27ba87cf3480 |
| SHA512 | 77fbbdd2a287ed9275c6602999aeaeadccb29e6dad274513c10ad3be3fe03876261fe78ff7520890ddb5258e9109883f13ec377b7f0d0540dc512a41ce1e56ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 313baaedd8df959749c00ef07243fbdf |
| SHA1 | ce3fb151323d7950bc20361dc341cc5cd62c32c4 |
| SHA256 | e5c0cc666090f89b33f419f690bdc6c21c884fb68cff50f0c444b495d4fc97ca |
| SHA512 | 01b31fbf777621804f4b9cf837ed596539a2b5b62a49dcebc2fa177326a6094675f656cbaeb1e3273ac064c725cb1e37ec5bb27c8eb3fd78e65a04f0ce1f4892 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8ac1d0b05db025943628263f2b24d62 |
| SHA1 | 8fca469f491f2e3d8c9570970700046ea3476993 |
| SHA256 | 3753e82051af79155a90301719b90bc713f7653440d08d07dc463a2fe6a48f90 |
| SHA512 | c4afbe8278bff22fbe76a5eb7ec2e1ca0e97c24eadac627bfcd779d718b6dc22f7a041f26dbeac04d7d69d9a76aa3459397d2e7bd42bed382185a6cfb908437e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1ada3f4af810cd182620084c66c25117 |
| SHA1 | 930d9c5acde35cd5365f8c8c189ac0b5f9423f4b |
| SHA256 | 0b33a685e9f7f8b331d283cbe7521a92af760ff2d799f712fcfa352932a3207a |
| SHA512 | 0450f896f4734cb66d3ddebbaf74cbf93a99256c4193a1dbfcf7b1fa84b2c81e177fb7d8c9fc6bca24e143879ed815efd62d7ca0d479e80780f7453e53a272f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24585ae086467db9015e244dcf9d547d |
| SHA1 | b5550bd20f2a3937fc5ac5c74a71338eeb332b68 |
| SHA256 | a8495e2b8b10bf003020a77b9b9912124c10fa2c23511ceaa0d435654ac245bc |
| SHA512 | 968756140c1ba007f3b67c8ea09e520df51ac3c3f6fe76e066966ef6d2bc522959a15e3a58838b7c351e0d2b7029846ebc18038f6c727cc28302d97e8857e9c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca4c86bb5c4334c15b3cc281dd1ebf19 |
| SHA1 | f50066f4d9c061c5616715b5e657fb08def7453c |
| SHA256 | e685e067e972c87775935692175d55f9145254617e294ba95b8c146af9b09734 |
| SHA512 | ecaefe9884db1d9d9474f0575c8fe6b2534b698540aeddce416a78f3f1a74118101ff55c293443182cbf6c557a522fd689c744ba3e9d888bd6b4ad141046e779 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec497affee5e7e50e7deb14585c42582 |
| SHA1 | 6455e486e7c38a044c3f4486b7134b1de6b30415 |
| SHA256 | e4c7ccec3e46fde2b3b0a7d39c6ecae8477d785dca07591bf2247aaec5ba3b9c |
| SHA512 | 0607a2f6127e7c3422a1749df14ed47fb92d99d235266806f23e3d03c062f97a2a503218068837f00473097c40adcde4a44b77e864a7ecfa6b80860b54839efd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c9d5ab8ef25d0b9327232c946634ce7 |
| SHA1 | ba4f5f8b69646ae0154e97dc02d52fb6671dc212 |
| SHA256 | 07266790337cce857e139fcbfae3f0b9eaa3be4a1489c7deff7eb64473419b3d |
| SHA512 | 0a112221b99e691f84b676d9d8e1dd94ff3f2b244aecaed6d9e49e7ea45097cc0a2b7f02e1a746c11e1982b74c5d086f9eb46d97a3f01d8b44a7228d302f85da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92c87f7cf9d03e15599d1e184606e68e |
| SHA1 | 89385b7d2934f3ec3055f6d4febb5f8fdc83c746 |
| SHA256 | 930cc571afece88394898b276f3bb5f5830e06e9e996c798fc8a4c5d92bc9894 |
| SHA512 | cbebea82fc059013cca990ccb8942e5bf2443a8d02ca1d39ab93b210d39800fc737bca82e3a1597029c883660d05b83fc94d637bf1c09b262af122c9a24cc251 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a02305d3761318f97121831edc17ad99 |
| SHA1 | 16c578f09d386b735cc06f0af5fbf0a346f2dc1e |
| SHA256 | c386ba0132579e08598d7c7c8beb9eb7c4793db76e00ff162d9ea182ce10a6cf |
| SHA512 | 6846e5b4edec6b7e39136db86b68c21013aff4e3c165efb836413e0ecc739ba275cc540268c5a7b422929edb0b6184a8f9a0c81994c7b167ce07a7d4e2dbc316 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de77d29591a17113c9feb88603e26a86 |
| SHA1 | a3fe7c5e9da40e42a93e4fe94922c989ddcce948 |
| SHA256 | e3672bc19f1d1e5ea3e92876ce76b9d1a4e1398118e2eef5296506c47bcaee5b |
| SHA512 | e9e26757552a3329dbec18c5b23dadc873ee028a293f3983a113b60d0acb84313f6defe46ffbbef4edaca8ec16cbf152339d2bd922af1cf44bd4d0690121bc75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b02bfb4202fe9008f58bbd1c87dc624c |
| SHA1 | e85fb284053fa48617f319a22d8d3039707951fe |
| SHA256 | 76902bd1d2fd51b6afffb53bb982d212a60119c04d3c630084b1fa375596ed8e |
| SHA512 | a1412f06be92ffc1af15c93363c1c86e7823e927388d33dea97b4e4847905363f9852e9815d11899b1be4a3fd479f45f67549120c4e42e3d1b018e61de65e819 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 734565be87d7ba50dc247f7732c245c5 |
| SHA1 | b6ac5967166db7f217bc54416fe2d1cd7c3bab67 |
| SHA256 | ee7bcd50cb0bcfa6f372c8851d0519fe87a7282bdc3aaada8b2efda282943398 |
| SHA512 | 7d08228c29485333d4936f3c5e04885fa24f7f459370fc0127b81d77380886a2bf4a366c7d83a3a833a548f606d1075268e99c28258d73a19dbffcfd3fb795a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d07bb17b097d1204a7109bcd19450e3b |
| SHA1 | 43c39ce2a4ae16d5c49101694b79379841da4e75 |
| SHA256 | a609ad5957f17ab814a5cb487550c58949e9f837f3ba3dedd48f03170f7ba0f6 |
| SHA512 | 16679f52078585dffb9941ad9d6102f7a79315172cce05bf2d054cd3929b8b9eabdd552c99c68354e956196a446af67ddeede3329b786de7f1ac4735db970902 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de5a50d9d22167ae9e40e50d24d33923 |
| SHA1 | 335411cb04260b2a3e68d7b57137eab8ade20a2c |
| SHA256 | 2d688df5941cdae618845201d66c01d09012945e9850589468140483099d6c70 |
| SHA512 | c4e7be8c599b43a6c1e549917beef720ee675c925564d479144bff041130b75bd53f4b0ead083f31415004886b6ffa5480d9ab22aa4f4c46f83f17a6118a413c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0fb2803e4bf9f5cb9fa1a9747ad90e67 |
| SHA1 | 7db91f76323ba1277faa508e37ca18c6b2e28764 |
| SHA256 | ac04828e0b2db14c7e4f9979ee9c03937a95607ec4134f7d73c7659806a33e52 |
| SHA512 | a6503772d3a38379517f023944826e2288afeda4f707b02c48e01d5ca0fb071713023a8150edec9eadb78d7e159608a357465dac216e9002782b6c47e6eb218f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 662778a31dbae207bfb5cde27ee47a08 |
| SHA1 | 0e9dd0650809b57a49d9991460eda9f0058529fb |
| SHA256 | 9ededa374969181fe15316237d00554ae6d5587d2b65956b7a82818b06e89c61 |
| SHA512 | 8dd82a3733abbd1a7600020f88e275a84e8e5cf23cdd00d5637c47c30cd8aa6773e4282273be0945fd31eaa54b8f29393785db1c246c8fb9188f4c4fbd41f608 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5ea36c416fac9a6685a5c8393e4accb |
| SHA1 | be4bfca31e7052795d0deef06b9b74e75d64f7c8 |
| SHA256 | 7627df20f9aef0bc13d1bea11b47c2114fcac205d97143e6b8735dfb3a4d02a3 |
| SHA512 | 920e1e7d269d0a68fa54e6bb91afebc1428c62326e3f11802b005feb5bcc2adbd0cb4b143f4a62bc7f65a7236e37cffcef4ec611a823cbcbc0156f0bbc85f46e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84b197f019a442b6bf5ccfbfef1e2310 |
| SHA1 | a243724c4933f9cb63f05a72696a2ad9fed9335e |
| SHA256 | 4b7948082cde20c88356ff8cb0e3e8e241eccfaab1d50f9fa51a2489e9e9f339 |
| SHA512 | 9e342b98d07ea440c899116280020e611ab8edba30b162a09400c0b393dd488005403cf8860ac9f1f69b9ecd1f7a1eab0fed23515d9ffbd3ab198e64f5ecc171 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 150e679e96daee4a9601696ed99f1014 |
| SHA1 | 3a1e20cc8dde8f1c6ace5ab7b56a354587c349b9 |
| SHA256 | b60f58728f11d4b6b902a223d092d3fee23c3303c063e8ecbe180de18908e8ac |
| SHA512 | 701a9fd36ebf5cf3e66d8fe450bc821130a16a582cdf1cb6b1b946df368e51ee25576ed32221272c0680c25e401a2961c012c61a574b2d76f79aa818c31c13eb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 10:11
Reported
2024-06-13 10:14
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
138s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | sites.google.com | N/A | N/A |
| N/A | sites.google.com | N/A | N/A |
Enumerates system info in registry
Note: the BIOS manufacturer/product reads below come from msedge.exe's own process, not from script in the page; HTML content has no registry access, so this is the browser collecting hardware metadata.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a505b32688b66c9f52b2e3e28c28b4a3_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0d7546f8,0x7ffc0d754708,0x7ffc0d754718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17923370056158114560,528100260748865614,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4232 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sites.google.com | udp |
| US | 8.8.8.8:53 | graph.facebook.com | udp |
| US | 8.8.8.8:53 | quangphu.info | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 142.250.179.238:443 | sites.google.com | tcp |
| GB | 163.70.151.23:443 | graph.facebook.com | tcp |
| GB | 163.70.151.21:445 | connect.facebook.net | tcp |
| GB | 142.250.179.238:443 | sites.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| GB | 163.70.151.21:139 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | 84.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
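An added triage helper (not part of the sandbox report) that reads rows in the Network tables' | Country | Destination | Domain | Proto | layout and splits DNS lookups from actual connections. The rows embedded in it are copied from the two runs above and deduplicated; the BROWSER_NOISE and ABUSED_LEGIT_HOSTING sets are the editor's own classification, not something the report states. Run on these rows it shows what the raw tables hide: quangphu.info is resolved in both runs but never contacted, and the only connections on non-web ports are the two connect.facebook.net rows on 445 and 139, which should be checked in the pcap rather than trusted by their domain label.

```python
"""Triage helper for a sandbox report's Network table.

Added example, not part of the sandbox report: splits DNS lookups from
real connections so that domains resolved but never contacted, and
connections on ports that do not belong to a page load, stand out.
"""
import re
from collections import defaultdict

# Rows copied from the Win7/IE and Win10/Edge runs above, deduplicated.
# One reverse-lookup row and the mDNS row are kept to show they are filtered.
REPORT_ROWS = """
| US | 8.8.8.8:53 | graph.facebook.com | udp |
| US | 8.8.8.8:53 | sites.google.com | udp |
| US | 8.8.8.8:53 | quangphu.info | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 163.70.151.23:443 | graph.facebook.com | tcp |
| GB | 142.250.179.238:443 | sites.google.com | tcp |
| GB | 163.70.151.21:445 | connect.facebook.net | tcp |
| GB | 142.250.179.238:443 | sites.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| GB | 163.70.151.21:139 | connect.facebook.net | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]+?)\s*\|\s*(?P<dst>[^|]+?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]+?)\s*\|$"
)

# Editor's classification (assumption): hosts the browser itself talks to
# during any page load on these sandbox images, and services the report's
# "legitimate hosting abused" signature keys on.
BROWSER_NOISE = {"ieonline.microsoft.com", "g.bing.com", "www.bing.com",
                 "accounts.google.com"}
ABUSED_LEGIT_HOSTING = {"sites.google.com"}
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Turn the pipe-table rows into dicts; rows that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ip, port = m["dst"].rsplit(":", 1)
        domain = None if m["domain"] == "N/A" else m["domain"]
        events.append({"cc": m["cc"], "ip": ip, "port": int(port),
                       "domain": domain, "proto": m["proto"]})
    return events


def triage(events):
    """Separate lookups from connections and report the anomalies."""
    resolved = set()
    contacted = defaultdict(set)  # domain -> {(ip, port, proto)}
    for ev in events:
        d = ev["domain"]
        # mDNS (no domain) and reverse lookups are skipped: they only echo
        # addresses, they do not name a new endpoint.
        if d is None or d.endswith(".in-addr.arpa"):
            continue
        if ev["port"] == 53:
            resolved.add(d)
        else:
            contacted[d].add((ev["ip"], ev["port"], ev["proto"]))

    dns_only = sorted(d for d in resolved
                      if d not in contacted and d not in BROWSER_NOISE)
    odd_ports = sorted((d, ip, port, proto)
                       for d, conns in contacted.items()
                       for ip, port, proto in conns if port not in WEB_PORTS)
    abused = sorted(d for d in contacted if d in ABUSED_LEGIT_HOSTING)
    noise = sorted(BROWSER_NOISE & (resolved | set(contacted)))
    return {"dns_only": dns_only, "odd_ports": odd_ports,
            "abused_hosting": abused, "noise_dropped": noise}


if __name__ == "__main__":
    for key, value in triage(parse_rows(REPORT_ROWS)).items():
        print(f"{key}: {value}")
```

The dns_only bucket is the one to act on first: a lookup with no follow-up connection usually means the page tried to reach a host that is already sinkholed, blocked, or conditional on something the sandbox did not provide, so it still belongs on the blocklist even though no traffic to it was captured.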
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b704c9ca0493bd4548ac9c69dc4a4f27 |
| SHA1 | a3e5e54e630dabe55ca18a798d9f5681e0620ba7 |
| SHA256 | 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411 |
| SHA512 | 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32 |
\??\pipe\LOCAL\crashpad_3648_ZFWXDGYUWELLIJMH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 477462b6ad8eaaf8d38f5e3a4daf17b0 |
| SHA1 | 86174e670c44767c08a39cc2a53c09c318326201 |
| SHA256 | e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d |
| SHA512 | a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | faa09427eabd9fe3be25fb1bb649c222 |
| SHA1 | 9b4578ef4fcf5e3258c9a6b8746257b875b29be3 |
| SHA256 | f4a6560a0b3e8643ac0187d4e087e7f3d31bee638365f2467ef9d3876d1cd3f1 |
| SHA512 | e78ea830a8300875f97a901a450d64965f7e05faf43f273fb4effe1b2ee24e8510e9e778f0950eace9e1a08f689eb1b3b7324f9b243947ff4287485f7acdb466 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f12ec93170c7a63d4660df52a9456fed |
| SHA1 | 7c66b490d7cb6573608559e8c109976f7147d5f0 |
| SHA256 | 3266037d679d72253cbb392b487a382565caccc21c8e596d9031fa5cc5e029c6 |
| SHA512 | 416bbe9c982236077f65707ea872435ba8adaf16b8c386119439fc21e00b4a81dca2ba7377d2d6bf8ea06bf6b2def5390c11359e1806cb70668d2f3a57938a83 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bcb5396d0053aed8a6dba93d09368fd9 |
| SHA1 | df2e2de1dc9eae7c0a0e578e4d605ff67f976494 |
| SHA256 | 029bdf90b0cf4877306dd4ee27ec310f3784493bfecc7ee90641ee6b5fff115b |
| SHA512 | 04e9f58585a8296bde36a45755ceabdda37461f940bdb85fa7a65b836377c1a4772729c8ccc624d0b3043db366d4dc196dee84430f8af57a4118288734a839d7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4b55d98bbb3e166e32c459eefcba4f2f |
| SHA1 | 81f38368d226b03c495fa7f956259c40569730d3 |
| SHA256 | c6403f174ae621381ac9c16c575193b99f329d1c9ab96a5c5a84927140098a39 |
| SHA512 | 77518b3646ebbb9ac947a2c23e45ed51ba29a56b44122ea472f4b8d1c8f0c6bb655de5373f7c50b1396cf988c5889c5aecd0addf8eb2de8b166ebf7a45e31635 |