Analysis Overview
SHA256
e2a1e81f67f19119004760d6082e99c5dcf3c53f49ca81afd9780a0ab32c944e
Threat Level: No (potentially) malicious behavior was detected
The file a5d3ddf9ea82f427a8134363afc59d1a_JaffaCakes118 was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 13:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 13:38
Reported
2024-06-13 13:40
Platform
win7-20240611-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424447769" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32660861-298A-11EF-A155-FAD28091DCF5} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2392 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2392 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2392 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2392 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a5d3ddf9ea82f427a8134363afc59d1a_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.1yuanbao.com | udp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6B33.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar6C30.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9e429708dbd9ab6a531e443123fb2fa |
| SHA1 | 0bb74df39529892c6c59fd682d6c232ef16563d8 |
| SHA256 | 066eafc2ebb7a3dd368aab705d2bf5ab6dbd4878a26a045440a711d09eec0791 |
| SHA512 | d3ed172c0b02d2866fe09eaf3ad30597989ceee70b97cd9d84c85cdc48e29684e5c28071772f56b2d6bde0073e5dc8608fa03f29e8b4f5e8ddfe78f313656026 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95646ed0181ec3d51df4faefae2e55a5 |
| SHA1 | 30f1deb0abfbfea2f5c0a8b488c4e7d3c4c19af2 |
| SHA256 | a0e72d333f709ed15b2890ec2664e5ac11d48ee6631ee96d6ba329d86ffc54e6 |
| SHA512 | f490790ebee64fa72ffac5e85d3f4b219fffc82e825efb7fa347a024877394f76037bcbfc78de511bb011c0737b6787858304eecb99796b716260f83e612d304 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20e46e4d5510b590782feb4a84bf2a1b |
| SHA1 | d2be3b8bed3dfef7b51202e696d40872e0f50fae |
| SHA256 | 2116e3c377904a0785b6a94505033e1ca4ed21c7c5b2b7af28b09b8587b7fb39 |
| SHA512 | 4423759daf046e074387e75e2301ce265289d50a30ccdb3895ebbdf1cae11f7b8114fa702e406158b2200aa2b16d959e6f9b66accc817e8e031d5fc44062d5af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9b16ddbabf52f8a75bdb741ce1fbbdba |
| SHA1 | b7016f2cf539ae65f4c9a21b2960c94a86ca5674 |
| SHA256 | 33708e6f3b854622b949e0277c7b5f60ab2e5a38d12917a243491f3a7c72c7d8 |
| SHA512 | 73022885c693f636a10aefcbe2728a3fc27d0cbb3bd323295fb8bee70a613aa389603530285637bbc7d94d10bb55d1b8d578ba308103d5afb934efd9e8cb4adb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0f0a73405e524468b2b17a45ce72e19 |
| SHA1 | 5168c36bd793ac53ab5dd6a3b57a36f540e3ee23 |
| SHA256 | 0123e1f8420e0e266b9df8a3ec74a2c79dbcf623aab33ab9f7c8b4ab5e6ad5f2 |
| SHA512 | b05baa712a9f5dabc27cea9890de6c89de62663eb83f511c34166add87857e8e19861626cc5537c0b8a0176f3ff8b6389d41f770c13c1273e75edb1d935fbd1f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43ec399e02adb63d262dfe739a33b103 |
| SHA1 | 2457185f432caee4289a97483c8394415c39757c |
| SHA256 | e41550cf539c942a35c6eb1c27709c41e2f3902ed6b80e2e7715916ae2c960d8 |
| SHA512 | ab1c2fd7085bbb61998077ce637362df1c434a4e549c0abd2399b49382139e33fd6b96a0ad8dbf109cfb8eec8747130348a85900ce0e0797ab5f6f5af12d4933 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b64a664367a304fc64149299b7648fc |
| SHA1 | 991d7ee59ec76b759032cc39c69602f9eaf1fbc7 |
| SHA256 | a622c7fb99de5a7ac6f68e3ee50e0be07b2e5a5850652dd3a448105985e8a0b6 |
| SHA512 | 5b5b3d9acac4431da2e0f4f87937f6c5f44a5fcda70a9b6a35ff995c11089f83eb670814aa5ccc29f6bafc75751be461930336af453516946fba9870123dea54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ea21549120c2ed86a2f06305d9eace3 |
| SHA1 | 07f9a4246504fa558a151b861874b275b00e5570 |
| SHA256 | fba509ab86da54ea680558e85a400d8436bcd59ca5c683087e0146a8f8e87e2b |
| SHA512 | dc1d4729a81a729be68bc570f60593ab2c13588081e057c04d1069b992d26225dc34bfe98a88a29c36c4b8f396eb76582151e8a2be08093409fcc3bd7759f98a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84ea3efd739646eb09269089450e2da4 |
| SHA1 | 2b286a04c6d4fbebc25f3a7d7634cb6e883ef931 |
| SHA256 | 25e2180f9a568f4a673478dcd35953034924f9235a390641c696a23ec9de0105 |
| SHA512 | 09522c4b9a9d1920175e3d9fc57c0e941ce10919e993b7993f80c903ec9a736904b0dd903c98f7f56874ddd266cf79ee66241fa5eecb638011ae49198ecd3dbf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99522e51bd477b973f879dde8a4cf562 |
| SHA1 | 76bd26cbab889d05f732d8f2be8a5335915f2958 |
| SHA256 | 2af42600aea22b4ced589a652150b5502d2ebe52971a17951ad180153552723a |
| SHA512 | 3c409e01db882cc9c2edc9e3e442b6ba9f3e6409f407d990fb12c11fcb839f095ae5a7859734eb25e352db719d4e5e6b922ec76520b296c29e0e61ca862fb115 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0096f4f130286e56e348e5b8ea4dcb3 |
| SHA1 | 7fc3e05e845f233ae9bd65307e493623898dda8d |
| SHA256 | 5c63e506fcb2d92113ed5e95c7e37df418659330f976e7fa0b36b7dfa26e428a |
| SHA512 | 6eb2201234251adcc36a8912fd2abba29053af8ebaf28a606940970f382a68002f6e8aaf7c15b7fee057310b0889d7f35e070d9a1bc0c14a22f6c298e8b6a0f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c8729c8e66fd52a6d120abeebf3c9e61 |
| SHA1 | 09c9b940a5c93725ee97b410918396ad7c975b64 |
| SHA256 | eae4867e9bc11cbc266d07417f7206bec6e211db3dcda96ea027e1f226e6ecce |
| SHA512 | f3bba80984ca8d97a66e1edff4d2e99f48fbc0397e99f09ac3edda88801f33913a29eb6c90caf2625ffb4b9f114b1e99de607f712d1d83951e2610ac50c416c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e91aa48415e67846d039115ce7951de0 |
| SHA1 | 0f69505933d42c2049394e41bca4285ab5f944d1 |
| SHA256 | 41b8684aa32a5e639400b9cd44e5bcdcaf25126c247d1404d67ac803cb82035d |
| SHA512 | 35e36fe3dd38e1c1320fc30dc8f390a7f0e0e56e2d8676a8ec8cd288927c0731ae1bf3144e52991e5ad3ba0012814d82dcbc2171a9999d84a609233b40895ad3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0b91f962bbba608da50d51d71a32dc81 |
| SHA1 | 19fb90a3879d98235fdfcb6e133d5c4ffcbd952c |
| SHA256 | 22718239dab9f1a5277cc517f96b06491ca7cc933ca94aab00110de5c1a0d07a |
| SHA512 | 05fd08815a21b7d5c5724e4a6e0bc3c2a7834b58bc0739d6de02299eb3abb12e9eb30f21da7e9d2c6ecf7d485ba586cbab6dd0eb53db7d7239bb1b1e90a8c0c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cd159fa9d36866706143e0879a5ccef |
| SHA1 | 22b5a2319926e3d413743796647de369cfec67f7 |
| SHA256 | a7aa81ea083cb8098e7a7d2639849e467512d4c0a6b0719d37a99a0c851a53d6 |
| SHA512 | aa69bb6b270cd7de82dd315c4b2c0aa694bd20dcd9855141bd5288f963dffa4dd6139e98f208679cf9513ca045418fc79105ec1d0f7e93e72bc857d6b4618320 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22154adb05ae0f90893f05f3deb3a9d5 |
| SHA1 | eabc58421fa3848b596905123962611f39a18f64 |
| SHA256 | dca16de47ef18b69bf75167bc5bf16593b4264c52c7176ff4c62a47ec98e048c |
| SHA512 | a12ed01ed898deeafe8128fe28ac8fac43187e6958b35a30e56ff6f53474df4096d1b6dee345f39d35a41b8a48793eb447200468ccfc57e74fb854d5464671fb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 13:38
Reported
2024-06-13 13:40
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a5d3ddf9ea82f427a8134363afc59d1a_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc80da46f8,0x7ffc80da4708,0x7ffc80da4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15370863706946066675,11578991467067419510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4736 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.1yuanbao.com | udp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| CN | 121.41.102.212:80 | www.1yuanbao.com | tcp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| CN | 183.240.98.228:445 | hm.baidu.com | tcp |
| CN | 111.45.11.83:445 | hm.baidu.com | tcp |
| CN | 14.215.182.140:445 | hm.baidu.com | tcp |
| CN | 14.215.183.79:445 | hm.baidu.com | tcp |
| CN | 111.45.3.198:445 | hm.baidu.com | tcp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b4a74bc775caf3de7fc9cde3c30ce482 |
| SHA1 | c6ed3161390e5493f71182a6cb98d51c9063775d |
| SHA256 | dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280 |
| SHA512 | 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f |
\??\pipe\LOCAL\crashpad_1820_SENFOKWORYECXGMY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c5abc082d9d9307e797b7e89a2f755f4 |
| SHA1 | 54c442690a8727f1d3453b6452198d3ec4ec13df |
| SHA256 | a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716 |
| SHA512 | ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4a6f7149c74bcc9f916da99805080975 |
| SHA1 | 38442cfa19c86cde8bdb4c06a9cd6b442a6cddc5 |
| SHA256 | 40a33f876dab9cafb36757ee817116d9f6423d67f3a208d258f730a45666dce5 |
| SHA512 | 2b1d6e31051b38cd7ee204e0b923b73db2155e391d0e42e42a571fef52a5cfb3982e2c0cf45d33a297bea6d1e155dded73610efca81d514d3cbe5422e4fb8bd8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e68ef8e57733db338c1472937c2a1d24 |
| SHA1 | bd0508cb05cb7b485b91649823923bbefbffa958 |
| SHA256 | 2cb9e851511975baf462abf8724e215d143f62a7a343562d96c70cb49dd177b4 |
| SHA512 | b5126f7b0ee531251bc188a7de4c97403198c1802ee6a749274cc3b328df35a659240b2ff39efa5f7417a864805375080e726aba1732e1a238cc8e8a09c04892 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3d6468d78147fc42ffc9061abd0909e9 |
| SHA1 | 73699373184c41622e3d8e7b358f7cc6be484932 |
| SHA256 | 3f3084314431eab78877e448528112667617f7517d72b117333ea1c4d0919d35 |
| SHA512 | 84efad7cbbc7d5e83743da1338cf382e33d0d3d154875f226689957e57238bf634b1613c76356935243470a5de0d61c0286d56f8b5f295150ee61eba5ff84fb7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | aa0515a8a1fe29531dc2f1684f2c0db7 |
| SHA1 | eb164a21e9840028458d9fed6d92d467834a6c6b |
| SHA256 | 7735a6f72a2d5457f33a2abfb02e3d01f30b8d1621ecd056506354073135a095 |
| SHA512 | 374c988fb8b3c52aa620fc6a3050f2a18cd41dbd89891068c7f9bf8d064ba09d7e619502d488c2774c39b8806ed3c71e76da76a89ad7b31b6a3c54bf7df90346 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |