Malware Analysis Report

2024-08-06 14:18

Sample ID 240619-y6ndsazepc
Target 0054700707d5b6c6bd34b0b47631124f_JaffaCakes118
SHA256 22ef698972355c98c72df206757d3ddbf1ba915975646716ef024bf4487ce9c9
Tags modiloader trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 22ef698972355c98c72df206757d3ddbf1ba915975646716ef024bf4487ce9c9

Threat Level: Known bad

The file 0054700707d5b6c6bd34b0b47631124f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

ModiLoader Second Stage

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-19 20:24

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-19 20:24
Reported 2024-06-19 20:26
Platform win10v2004-20240508-en
Max time kernel 125s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4584 set thread context of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3024663451" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425593620" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DF41CD14-2E79-11EF-B8C0-5AA21198C1D4} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3028100669" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113862" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3028100669" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113862" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113862" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3024663451" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113862" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

memory/4584-0-0x0000000000790000-0x0000000000791000-memory.dmp

memory/1296-2-0x0000000000B00000-0x0000000000BB8000-memory.dmp

memory/4584-3-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a85d42b03692b5b7b0b07075d97baf05
SHA1 ca8279d05864b07610b07d873a8d648262326b37
SHA256 4614fa9ab2cce9113b6220a963dd2ff7f94ed5025e8ed62d256045e37b45e4ae
SHA512 373ded567f1447f08e0bc24fd2028c4dd71654d07170790bfaf69f8bd621335be0c6c9a742cf92106574c304b337776796dcdea9d39afb4f1b272af3643f9c94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a20dcdd581a69f44e7dcbeeab5084fb4
SHA1 61e152b89ab8a04af1843bbfee557d193924ec51
SHA256 009768e52ded8da33ac7d96d521e882eef9765278997f2ce47311f637696d9c7
SHA512 77de84bf9c5480e704991bc16d8f555dc10891e3a5a7044fe2b133cc49d20ebb78c68bbdd4c9a4acd8e7424bce28a00bd3651f3b852a2a726f3f879a741cc7ae

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7896.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-19 20:24
Reported 2024-06-19 20:26
Platform win7-20240419-en
Max time kernel 122s
Max time network 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1968 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424990517" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEB5B6D1-2E79-11EF-84D8-C2F93164A635} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1968-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1144-2-0x0000000000170000-0x0000000000228000-memory.dmp

memory/1968-3-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab318F.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3222.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e3481f86094ecc9fd68bdd67adbaea7
SHA1 17a837ea02093ada96d0a14492c68e0b77fae204
SHA256 47ca63bb2e99f21edd2cc028960b86a8226795be69ba56e9320d7cb6ff023b1b
SHA512 d463fffd990161d120de5fb2420ec40a97418cc34649da8aad49d19a140d5585291adb0ad557fe8fc9d80b76e1ab6c6875597f72d5c8c0006961e34928427c75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfef44f0547b32e9f5011a2451115e05
SHA1 85ec6b8af75f6749444a010f027f62f35b45cb3a
SHA256 eceba880734b4156dd66fd49b79df9cf6f56501dce1b1ee7af0c47090fb9c734
SHA512 f52317be8e24d8790ac1702e4e4bd20341f7beff1293b76727b62c1df1c2c3414f6d7585330cc759e334724029627c7198136ede1d3f3b7c49f1964a993ce320

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ab1045d73befe4c5e41487d26d38226
SHA1 352fcf6cdf97b860bc667930d588a97082562450
SHA256 c103f80196529dcc3b4c6241035e2ae3993d5f010f84b96d638b3d2ca399f5ea
SHA512 a0420d295188c241cbecbbc550bfdcf8850f3d7648d94dc40bc4dd9bd1408a9d97acefae945cc3eec63f1a97aba4adf3727964a69af6e9d0e397212531cc5677

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60b4c6cf4580ed8e2c6c084c01c4952e
SHA1 4debbc0ff0a7c0775afec7859941353e79fe12ce
SHA256 7708cd98a98e45cf562b30b4fb5c7b8a21dacf1347da4fc7c03b30a37a0b0054
SHA512 595a1a43c40ea7f6bfed9f06c2c450da72268f99f60cb68d47518d2af927a112e3d67d128cd9223a4e6f4b20b4f6d4c2c8f810fb2530b4aadf9e5714f7a7a645

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afe22070ecc7bc0fbc9a62f0a0f1e3ea
SHA1 f3f8fa480625d4af5ad9f0bc0c58573c82bf91a3
SHA256 74407d3c02f0650027b9f816dc7f284456c2560cb75731c93daa82485fbe428e
SHA512 c4e927feaff88d67469288df95211670d9b241efe150208d5053e508f32143301f8e02baae812348c35067bc9c7eee8edc518e97ac5df8fd25112f59b13a448b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56b5e2b556a39593d67bcfb8e125034c
SHA1 dbf2144065a49ab4bb6f50b47b9103bfd5e2985f
SHA256 826eabb9e0590514f31598e8b7b81b8e2f6f03576cdf6c6a83740dd9346c0e0f
SHA512 946601f21499e8efff390e70ba026aff973979d53fd71b7df4a56480d391f87a2bba6e7473195ee67f3bfdadf69e7f34ab69c58ea9b0f82d50112f2976ca94a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 227da828e4cf3b7c04f54613c1db034f
SHA1 9117328d0706c995da701912e1e2c996a8a28f5d
SHA256 ff284fbf82bfb3f9f683be8d99860c072da8510fa55e9ed18241e5b634f6c3e5
SHA512 3ac843942a993eef0f2e01974bfaba53e0e3c18adecfaed9d71abf3ab077fcfaad466697fd55b2f406d9e36c4a6563bcf2b98df77b6dcc50c6dc8dce4cd4e1b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0319b83a8cf4dc903e825a765215aecb
SHA1 d14bbb0ec4cf743429f43c202f92f2dad0e7e0c7
SHA256 f1478acd59eaca138eb331f77df020aeb9ac14362cfaa6fdf9899424a6c2d71a
SHA512 a206a1353181a929a7b053ec49d804308af72950715fa6fdd5928d84ad2be09e1f9f0e2ef6283b1fee7cee45d9e42327e317f59d56dd9bd1cbb7061e18dbc1bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6f01cf2f5f92833c0880fe67ec51f47
SHA1 eef27ffacd8915b3e78a7d547c5e46e7b2692212
SHA256 a0f5e08b174a2605f6747c816192c67b354de7f0d9aab4b930ea46c08e9f401c
SHA512 1a21b5c6accf561c0e25fed8374430697e1db385368e39201ca6cc393e0f35eb161347eaffdf87acde9a533798f39453f5af4afd796612436f405ec4dd2e3cf0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d80ab97d617ee0e9f36f40bf9b0e7509
SHA1 1c3baf9cafa4dd892a89bbeefaec9ec439e4f22f
SHA256 f93112866c6a5d663448bd0e122d32490cc502f0440b2113eb574492da735c16
SHA512 fe711d138a83064e901df83c9c81c8e36a52c66756ce793c837b7f5f04f1afe768efdbdb16fae9426e2312d404aa81890659706ea9cd677954b12065f76c3901

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80f26bda660b63c4e71157c55a8459fb
SHA1 f9e5f2b9a92aae47a129b55fe211c3e4ef72077f
SHA256 69ec8e4cf21cf2990253d104d42c86f6755b047d524baa8dab5730149afdee07
SHA512 496d1ba8c4bd9b7bd77d0d31a94d3fae39549307eece2119a488cdad0e830c4dc846eacb397e8873ade537b6d1209051e85d4256ac3bacaf1238dad0183d8964

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eeec808d2061d1683b6c1aef89ac504c
SHA1 3b2741bc0b342139b2459c92dd1c78d51f8eeb35
SHA256 d39eb7641e575fd32e07a7b752e195d2b2644afd745adcd2077637d984e3ef7f
SHA512 f6e489015265a03c814461ebade690ee31bca4dcd7998b4d349a66b998b9c710762a008cd39cc1fd22075339638a1270f2b071d799d59e08954fdd803f992aa9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a096c46fb7cd63f616cef661aaa74d0
SHA1 bb4b5083f8d9193ea32162d0ca884e605bab8912
SHA256 41dbb53ebe58baa2629b80d5fcc668958caf6c2396bdefd144d67efc83408d2b
SHA512 e53b767858f7de3b3bd4a41afeb2e95456b2805c0897c88c7913c37bbc7579053e2f3100eae194cb062deae789ef12ba5a3e5518e0145efdaf378d8f75468f18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4558d3a059d335bff7ef3d554a942f9d
SHA1 4edf3bfc3329d9c27397290b202b50523df343ab
SHA256 a83747b5c5182feefc285b081fb7a171ff2937dccb753b5ea7b45564a5feda42
SHA512 8cffc60e9792cad436ecc91b3ec7e2b0f845ed4e59e7783e6baa943fa2dc996ba6116e9d8cd9913e3acce6aa74166bcf1c764849f2a9153f9809d92c00c607e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35af4f3dd6c6e41800c2c2e72db23138
SHA1 288a4d44e1d79e4ef92c98cb6bffe14514a6e1ae
SHA256 505651596787492414ce602f6671cf37223cf00d391adcb929598e6cfbe808cf
SHA512 38422c032d6c551d22a8d78068b1c23702b2a5d66d430d80102894b0ce4d22b55a98d98b93c86be6cb1c1fd0933c04b4667ad3885c5d9e2658ff34412d955ce1