Analysis Overview
SHA256
d9230befe6ba2faa7f6902abf1a13df5b754fa2776706e981ed0caf3dab63705
Threat Level: Shows suspicious behavior
The file 01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 10:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 10:36
Reported
2024-06-22 10:39
Platform
win7-20240611-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\akiegzqvzzhryaugv = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8010d41e90c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000007c980c2170781c0ca6c5a1c1514f09bfdf6b7b57fea9eef36014cfa3713aa5fa000000000e8000000002000020000000804134b0027c0fe44c1f17f16e6fafaa99b47e934581be2e86a560189c340e1b9000000071283a3516f6e2c920748c50a5608784c043738777cb53545fcc21c1d1846fa8c6f402d428950cbd2f929508262797d51e88441cc7ac2bbe0983c5963c99cd6d89a0e64d618d1c4044dd77d3c00604d5824a1159d5cea8da74709f38b3b92ec53367585ae81d306601de50e107e74ca0dd2cd27e4f7ccd265718030183d41b6f7f160b002d2893a694241cdceb9559a34000000017621c5829032f1e2fc6c42393df0ff90e16bf0c05da0cd8c887fe5c6ded9f502573696a703de94e18c2441be6c11b0ef94c03b50ea3b52e9df7597e3d192b22 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A1778E1-3083-11EF-A490-4A2B752F9250} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425214459" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000009bfc513ec0dfa181030f6e955e6150807bb23d9e371f4079e1beea7ffcaabba7000000000e80000000020000200000003ee5fff1901d6bb34ff5507356f5282aa4d72b01ae9749edd770207992a2e053200000005d95a58f931037639911906e845755edbc0c9d6476f647cf3cebaef073c391a3400000008fea5f383256eb7202d84adc43f0d5285448a35a4bae3cb9380e0c10d9c0e1afc4e11c7e6085453d7fab96ca024a27d8284f735846b95325c66431ca178ff9d5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{02B6DAF0-BA97-3840-D6F7-C14F5C9A3576}\ = "precisead browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 10:36
Reported
2024-06-22 10:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzrnnozfiotd = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0397038-FACA-6933-997F-CF586D331643} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0397038-FACA-6933-997F-CF586D331643}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4ABC823B-3083-11EF-9519-FEF50CB5D633} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425214471" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08d562e90c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0485b2e90c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000bc90d463a6f669f3fe5b87d37dac78c0dc2a0c5ad76a03b32c71f06a7c200e18000000000e800000000200002000000036bacad50fb019ff9e80d176fe560c7946e98bb3c57ed2c65b6a70d99ed98dfe200000008c917c19a4a45779db592ae3f96de7de7821443ac60b7ed5055dd4ebbc8a9fbb4000000051d6778cf112175d46975a8fc61a4e69c7530ecd9510d3f76a24cfa1286e1046da0a5dd7017d4508276f320d553f658dfeda36281cd5802a9a79b9916d0ce984 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000a47be636e587ab0b463f10a0f93802efc42342fcf5ce7d483840baf4a05d350f000000000e800000000200002000000024e479c8ec01d3539a1efa663aaa6984830f71c3c04e46b2151e2bb36566201920000000d68c7181031da34857ac639c8e63c6ea5dca33d310d83a4059a484ff32b790cf400000004fe1f25dc8e0098e6683f77f9716d466573bfd29655099c3e3f5e99b6e889c133a6fefc8a564c2c8d27a31564dcefcd69fc5694ea62cb1eadad552790af53788 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0397038-FACA-6933-997F-CF586D331643} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0397038-FACA-6933-997F-CF586D331643}\ = "precisead browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0397038-FACA-6933-997F-CF586D331643}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0397038-FACA-6933-997F-CF586D331643}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0397038-FACA-6933-997F-CF586D331643}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2652 wrote to memory of 4780 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2652 wrote to memory of 4780 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2652 wrote to memory of 4780 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4788 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4788 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4788 wrote to memory of 1700 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\01b0a06783e1e96fef5ce32966e0e48c_JaffaCakes118.dll
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4788 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |