Analysis Overview
SHA256
4ce90c075ccb748a6cd969001c93426e5f1d70664cf69c2a71cd0c053ae66c83
Threat Level: Known bad
The file 1f88b08c3b3370ed0e050822814f3122_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-02 13:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-02 13:54
Reported
2024-07-02 13:57
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
126s
Command Line
Signatures
CyberGate, Rebhip
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6b7d46f8,0x7ffd6b7d4708,0x7ffd6b7d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11517631142869952832,14300551750450079735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2756 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
memory/2492-0-0x0000000000C40000-0x0000000000C44000-memory.dmp
memory/2492-1-0x00000000027F0000-0x0000000002815000-memory.dmp
memory/2492-5-0x0000000002840000-0x0000000002850000-memory.dmp
memory/2492-4-0x00000000028E0000-0x00000000028F0000-memory.dmp
memory/2492-3-0x00000000778D2000-0x00000000778D3000-memory.dmp
memory/2492-2-0x0000000000C70000-0x0000000000C80000-memory.dmp
memory/2492-6-0x00000000778D3000-0x00000000778D4000-memory.dmp
memory/1160-7-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2492-9-0x00000000027F0000-0x0000000002815000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_1160_KMOIWMSLJTXMNZNI
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 13:54
Reported
2024-07-02 13:57
Platform
win7-20240221-en
Max time kernel
134s
Max time network
128s
Command Line
Signatures
CyberGate, Rebhip
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1676 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E59F5A1-387A-11EF-822E-56D57A935C49} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426090344" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f88b08c3b3370ed0e050822814f3122_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1676-1-0x0000000000260000-0x0000000000285000-memory.dmp
memory/1676-0-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1676-5-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/1676-4-0x00000000773CF000-0x00000000773D0000-memory.dmp
memory/1676-3-0x00000000773D0000-0x00000000773D1000-memory.dmp
memory/1676-2-0x00000000003D0000-0x00000000003E0000-memory.dmp
memory/1676-6-0x00000000773D1000-0x00000000773D2000-memory.dmp
memory/1676-7-0x00000000003D0000-0x00000000003E0000-memory.dmp
memory/1732-8-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1676-10-0x0000000000260000-0x0000000000285000-memory.dmp
memory/1676-9-0x0000000000400000-0x0000000000BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab34F8.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar35E9.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015