Malware Analysis Report

2025-01-22 12:42

Sample ID 240622-2pstqayajb
Target 043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118
SHA256 3f281cd4aa6af1db67bb84107781a503b3c01afb00f81c582aff15cb775b06ed
Tags: persistence, aspackv2
score
7/10

Analysis Overview

score
7/10

SHA256

3f281cd4aa6af1db67bb84107781a503b3c01afb00f81c582aff15cb775b06ed

Threat Level: Shows suspicious behavior

The file 043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, aspackv2

ASPack v2.12-2.42

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 22:45

Signatures

ASPack v2.12-2.42

Tag: aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 22:45

Reported

2024-06-22 22:48

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Crack_Mails_by_M-UNIT = "c:\\M-UNIT Systems\\Crack Mails by M-UNIT.exe" | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://m-unit.xxxaker.ru/?from=CrackMail*s_6.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=3956,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --field-trial-handle=4892,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5352,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5364,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5808,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=6012,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=6056,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=6156,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5752,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=6152,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | business.bing.com | udp
US | 8.8.8.8:53 | business.bing.com | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 13.107.6.158:443 | business.bing.com | tcp
US | 13.107.6.158:443 | business.bing.com | tcp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | bzib.nelreports.net | udp
US | 8.8.8.8:53 | bzib.nelreports.net | udp
US | 2.20.12.101:443 | bzib.nelreports.net | tcp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | 101.12.20.2.in-addr.arpa | udp
GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp
GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp
GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp
US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp
GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp
GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp
GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp
US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
GB | 52.123.242.9:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
GB | 52.123.242.49:443 | | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
NL | 23.62.61.97:443 | www.bing.com | tcp

Files

memory/376-0-0x0000000000400000-0x000000000091B000-memory.dmp

memory/376-1-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/376-15-0x0000000000400000-0x000000000091B000-memory.dmp

memory/376-17-0x00000000026D0000-0x00000000026D1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:45

Reported

2024-06-22 22:48

Platform

win7-20240611-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Crack_Mails_by_M-UNIT = "c:\\M-UNIT Systems\\Crack Mails by M-UNIT.exe" | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

Tags: adware, spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37745211-30E9-11EF-B3FC-D2ACEE0A983D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000fb8f27a0e66fb1a6d4822021f0f9586045b3d937520ff80c8b195f140d6a916f000000000e80000000020000200000004c2ac12ca104519efdf7c8e79e243b62b821cccce9c226b7cf2f1852b3a8043c900000009d29d8380e1ae746dcddc2e55c821ea778db5a0474a32dc7d2ade4ff5e0f72a379d08f6912507cea87391ff5490ffc3da765340cf828ed6317cccc5b6a0d4be5b43b7a76284e0b861a1ade053c4adba2efa0ce07f82238f0d03989342413a61f63aed2fa47bfd7ceede64b871a150e47c327a90325d4c97d64b05c61c01bb8c8c6deb6357ce12ea28187490558bc983c40000000c3c06be0a2e0762d77945165a33f8e16631f00bbae941686375e67d75e692c53f3387b610e4d580909cddd142d88045c7f891b438ce84e20e62a2ee8284f075a | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000e96cb69208b06874d477231c5911b5dbb250a3ac2fc4b747e4e9d070991473cc000000000e8000000002000020000000552d3a0a339c948c1e071b2553c6096d9ad6438b2e9fb9fdeda0144be4e4ed7c20000000892ba9c3cd6659f4db693e27e20711f03c2a8f976a75459d6c610cb8efeb7f61400000008a81d8451de95f57727912f4f23f563ad6e926a4b2f5181ce4bec775c1eabb78afd3eb1d80f7e5b1c3d94550e45cce9de1d6cc94baa09489fd0f73eab51a968f | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b083410cf6c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425258237" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\043862e148d35418b3a8ed03ec8c5f4d_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://m-unit.xxxaker.ru/?from=CrackMail*s_6.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 8.8.8.8:53 | m-unit.xxxaker.ru | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2860-0-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2860-4-0x0000000003490000-0x0000000003491000-memory.dmp

memory/2860-5-0x0000000000400000-0x000000000091B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA9B9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAAA7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b40cb20ff921ffefa3a194eb616a68e
SHA1 ea55b2194cdcb7de1748ac4b38556c779799b1c4
SHA256 3d7576ae84f6b25b98320001699bc478a70c9b469b4a970a154cdc12a6ab19ce
SHA512 16564dddf87146b639d231c2541729c022b4ad5806462198c9507b0355cbaa63c531480199f096050f55e3701a1a8951620d56950b227f32b3dd329acc4d300f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 108d537ae565afbf03409614df5f773f
SHA1 1af8b199250f2f47845fae4a0d2a365e7244d666
SHA256 bf97b4bf2181a353171b4bafc85a2ac9a5c6239dc88840b2a466fd03a57ee090
SHA512 65397fbf5e55d05532082bd6128fb71646300d6f63acd8e8ea2f2db73238113f36d7751e74f97dcb71f1d1f49b7f123efecc8a3003e63e98a262daa4f1dd9b69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1eff4fb442f2d55277571108d0522b8e
SHA1 6b18e4a21176718bc220b599fb036f191141df03
SHA256 1813eae70879d0e8698b97f971abb2863c9c26607b9e3e4724e9bf7e5adc59c3
SHA512 3410c8561fb4a1f7c191ef9a6c89daed5bce0babc660377557c6c531391a4450bde72b44983d794cf74e796c64ef7423f8b4936cce5791abe9c66a5a2451aafe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dce7a38d8541b1b37cdd9dbd447f58d1
SHA1 6380bd203e63c1452b160de59202e47b684c3716
SHA256 378ce27d2a924e64644a632a31583e9b396b9a73066266d476ccdf5db364cc03
SHA512 356ccf1ba7c8bd16d11791a960f7e643591e432148a5d5ae466bb8eece7008d6f3df40ca092587e307d8598c72067ae336718052c4135e29bb4fee7099862dc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d7029ac90c2950693177eb4fd75c0ce
SHA1 4c01e7eb777b2bb6b546e6f4f95ea27c46323023
SHA256 1502cea073a74e806221fe50833b874a08ea78bade7dae7f55971b0f2a09a1e1
SHA512 4717de41182976d5d18518f9bd61a5178771677a6b0229336d3d390647352fba4ec13802de48a07f6f33fdc2872f0febed95b0713e569644687defe4b4dc33f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e4b33cabf28839387af56b9e0ed9db6
SHA1 d0dfbde0fada33f5d202fd931607cfcfccc6eea8
SHA256 d34fd79897eb0fd175851c89ea842b841a84f9b789ad18fd4aedf20dd1b5d89b
SHA512 4c91d765521d1285a7b34333af3597d1f1aad48f1a0150924c6d8f1bb056989511cdfe753891496bb664bc970e866327cb4a0a18413f8db89823fd58bb50cd77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea1281707d934ac83cef830a262c4bca
SHA1 bdcde4129e77448566283494faff451b3cbf1eaa
SHA256 eaa488052ee13498f5e2e289377104df9ee7a8af2184d806ae7e18077873bd80
SHA512 d0bdeaa01d2b5be41a1cf932115cad8b92eec05174955f26c8c3039e790ff65db75d857d259db3443606528d53cca71e256a48746dc67df93d3a8c7246c20926

memory/2860-240-0x0000000000400000-0x000000000091B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7c3a0fa4967ea6d50deac74ecd2f9be
SHA1 38b01cc89aa26214feb593ce6780a0b4e82ba786
SHA256 db09782a25c9cd8de26d42a44706f5add030ef170e08734807bbf789135bd192
SHA512 56bafadd34e65b7829cad71b4bb70bd0952b4bad0db45600bf654e87cd1084abcbf5d1beb6ff83c372f08f2bfc90a1004cc6d5b847caedb8286d8d09552f20de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18000069521c838877daf07f4782bb51
SHA1 66cd180b9f7aae392600caf5ff81388a585de6a2
SHA256 0113c22fb1de9c57832661f8560cc85ee682bb986dac60d40a076b05f0bad256
SHA512 8f59aa996d8c49f30fd8daa211d824e437c6deeb91413d7c5e990113c6c6fb4b3b48f645ba36ba4a6c64ea94d3da3ce9789357e902affeffe37187650397a2bb

memory/2860-448-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2860-450-0x0000000003490000-0x0000000003491000-memory.dmp

memory/2860-449-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-451-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-452-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-453-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-454-0x0000000000400000-0x000000000091B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2d0b3a947ccb5b29f4fd5dfe0e9023e
SHA1 e656189c9b671a4cdd1954f5aa81087c2c1aa3e4
SHA256 87d472c3ca56c5a789131e31f2b85bad18a1beb12acaecf45fb531fa0d9cfc7c
SHA512 6c9d3bb57842789d68f5337575ef863f565567d1e43f666ac793128a8c3d70dc7a40850f21369f79634ec92ae59b06aec82ed6b86777462fcd5297a61418fc33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d31e742f037e068d62147ac7d25a1555
SHA1 0a9037c7da877d8b02d2c19689123152ae6e510c
SHA256 7fe82e9503865441f6d77259e967be919cf8e9bd68645cc4ec9d2f0862e1a80d
SHA512 4d485501b61e0bc7166f3d03a39af7e37bd4a0b3aa48893f5b6796304ef790810c561580bd78aa71b7398a8b9bec878608e569974c7f9836b62f1fdce180e722

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2ff3232c4f6026f554e40256f6a659f
SHA1 c870ccf291ae3ba79975387eb6533a23150fc1aa
SHA256 04b35a1cd55f077decd17163904a4f4e339ff41a13d92bb27ada64bc63c23834
SHA512 099fb58ec2ee79733c93cda77073a6e048a16d2e96b0b8294a365d2d071d365eeeceb3473dc0c44a13a8ae261751675ac968a60d8345c69227f677895bd467a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd2082f09e14f6c950d0ca53b8a522d4
SHA1 6663aea4673ee3f311382e5408c4b765317f8265
SHA256 a0a16ed919614cb7a5de80848f7df9ac7609a8e25abc2a06326160dcbed00903
SHA512 37422fe5c6141283a96a9bd1fce431103102d44416cd69ee708099397f07e09ccb712997faf32f1edec3182e1c294b000eba6fde5792213a4a54f5381ea68b3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1326525461ab1244c8a7aceb4d3bfae9
SHA1 d073fbc00cb8ffd81aacdf3c64879edc8c51b33a
SHA256 1ccf64c5fe98cdcda2f6b4c306d3bfe211e26a15195b4341ccc0ab3a52c64fe1
SHA512 8eda3d4d6d16646f96b2d75e67b87d9bc3a31bdf32974f3ab123c063920d20ee34085ed2c495c42e037f969123db89cec2a6f1b634aa231dfb4ac2bbccda79b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99ff34a14ad3743ed31eba6aeb64514f
SHA1 94d155e73586940208fe710d72389917d13c874d
SHA256 a4161e729ec976524ff8b626088b06d8b2b129f9822b58143bf762e0f4c36bca
SHA512 5801de0159e4e622a3456ea0f7ead00b5da964dd2f3e0b401969d28338f60a874e82a6461eb8dfc4a746181e630740cf81db01ee161e15f4e54fd873a9899839

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a54644063c3e866630f8e856e72f02c
SHA1 3279257c547d3672ea514520af55d793eb0c086f
SHA256 6f8ff2c69ffc50d99f3f2428c4479591c7d3c33cbd2b749eaa798253d3d299e5
SHA512 7792116c36cdfbbfe1021d89453ff9599f1a473bf49bb7082cbf91a30c9714779b233bb9af56e090796f638524ffc16f2406d3de0b9f2e053f83bfec75b45083

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaa6b94e4d8fe477687eb02bab959888
SHA1 4ef3446385ab6efa5c2caa581842ac94901d909c
SHA256 da299cc25bbf7c1eea111bb51f9c834be873cfd71df368506fc9be77052272aa
SHA512 05502f51537f231c5b55b2c5e211c5880ddebf0f30ea2a07304c11096468abaf7b3d8c2556648dbdba0bb71cbbff55b19bd29967cc7608b104ecb826117729fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dbda917294be82fef8b254a417a81ec
SHA1 9b621fb336a5792e9ee33cd663d9dc1a3aa8cef7
SHA256 37a3efdc8a6fcec3e903bd8d15a664436aa6655a0ff131faa15697e81a71a4a9
SHA512 1751dd5accfb443f77a95adb9bf988dcf799075dd2d191e5ee8b9e91aad4235c9ab8549a8300d4b18a5db6c5b45f5bce8f027fdf28a00bc7d83e04c1de768d96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8c6d7f514d9c68fb893a1d3c4dccc29
SHA1 c7983584d199817cc44e215c70e36f3057b0552f
SHA256 bbf8666365cb4331d534d2a8b6d0efa1856cd46f5c26c872fc95efca27225854
SHA512 2f8de7a0c61a7851b1166189fac6e565e7da4d63c2dc4e72a0f35c1b191672e5edf7493c8076f4983728169f4668d53a248fd90ccea0e5170109f02195967b19

memory/2860-887-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-888-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-889-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-890-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-891-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-892-0x0000000000400000-0x000000000091B000-memory.dmp

memory/2860-893-0x0000000000400000-0x000000000091B000-memory.dmp