Malware Analysis Report

2024-09-22 09:05

Sample ID 240801-qgjejawfld
Target 809c47b646c7f09b3560feff503ff533_JaffaCakes118
SHA256 3ea1672072c73c71b4d43e7d2d7d269c678107ff7995e9cdcfc2ce6935bd6b91
Tags: cybergate cyber discovery stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3ea1672072c73c71b4d43e7d2d7d269c678107ff7995e9cdcfc2ce6935bd6b91

Threat Level: Known bad

The file 809c47b646c7f09b3560feff503ff533_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

cybergate cyber discovery stealer trojan

CyberGate, Rebhip

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-08-01 13:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-01 13:13

Reported: 2024-08-01 13:16

Platform: win10v2004-20240730-en

Max time kernel: 93s

Max time network: 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1652 set thread context of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31122452" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31122452" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429283010" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E7EFD726-5007-11EF-B921-E6F77E306424} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3158568194" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3158568194" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3163568211" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31122452" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1652 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1652 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 4552 wrote to memory of 1020 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4552 wrote to memory of 1020 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4552 wrote to memory of 1020 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1652-0-0x00000000746A2000-0x00000000746A3000-memory.dmp

memory/1652-1-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1652-2-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/4552-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1652-5-0x00000000746A0000-0x0000000074C51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IHQ3R7P\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-01 13:13

Reported: 2024-08-01 13:16

Platform: win7-20240705-en

Max time kernel: 134s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1724 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7474701-5007-11EF-B6C3-72D3501DAA0F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428679902" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2352 wrote to memory of 1496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2352 wrote to memory of 1496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2352 wrote to memory of 1496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2352 wrote to memory of 1496 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\809c47b646c7f09b3560feff503ff533_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/1724-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp

memory/1724-1-0x0000000074BB0000-0x000000007515B000-memory.dmp

memory/1724-2-0x0000000074BB0000-0x000000007515B000-memory.dmp

memory/2352-3-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1724-4-0x0000000074BB0000-0x000000007515B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF3E2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF454.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b78c29500c07913e9d1b6d8eb49e8b6
SHA1 003ad6e55de5f565028d041bbd8f4d526816fa73
SHA256 72773c807a0588452752ea94031f6711b678baaf46cf0557856b0379052751dc
SHA512 7cd9ad575e60948a8fcceb87fce0bb9ec071de17d4ceb28b55b2ff9534ce4177b4fa8611931ee9ab0af20a8487710596b96ca906e60c16e65a85ae56a5f94db2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 397b51b2c05d0b1b869ba680f06e0fcb
SHA1 3af6ed6a16a9ceaae009f27aae5a044e93e73103
SHA256 56ca7bce662bfa759ab112cb5a33d198463d38f3fc4ccec0158cf9ab3a1cbd10
SHA512 e3d22f86c32d83bd42df0cff6489c11c6dcbb54e3a3f9ff346167d5190ad1d85217edd3047d563c8397c0b5620e85f9809dd381290a72feb51581fca58d4d412

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1213ed411eb613535bed1f8dc72b895a
SHA1 75dcb4821ede423e7b82c8dac8afe5a59a736b23
SHA256 6382fb1fa1e54397354386ed5c6f9efe5a24f4d510d97ffc1aeb6e6fb78f2aba
SHA512 c0ad6c8d5130835a41522cc9fc7cb5176dcd2592a8964bbf209c3fe70a1b703613f7b24f771e23667a3137574270f818f60d83df5c022791c0a26685177e2815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078b1bff9471e6db266bda2912a7ee07
SHA1 897a806ad9b577dd3a073473036d0b3a59248c18
SHA256 69f3610b8c3876cbe94c746632d0f9c812542c4d96196e9c08ae055d5ad5b0b8
SHA512 b1bb5fde1c60f872e59472b21048eb3475b88487eb21a97e327cd82e2a12d9bdc0709b1b08a902288ec1494b0e5f4373abd7dd0978a5d4ac03758b8d23bb1d6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1422b80e64ff1b0cfd4e0af2e3515833
SHA1 634af2f585604a6c2abd2adae70fc0db326e9f1f
SHA256 635e90209b0c4472613536af2fde4cbcd42bbd9986be16f9608316919758a500
SHA512 064c68b76241d821f9b3bb31ae5dbc84166cc02fff7731e78fa93b79a04a688048f1fb1c91b2b3481281f8b5d50a67e17f047923bfc69d49fcdb546bf811573a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09393c9db65198474db0cca79aa1cca2
SHA1 20c8aafc4501bae302e5d6e16ee9f997fd85c63a
SHA256 74037fff695d845db784edc4b0d70d423bcdafb7c8b632f4419837c063657005
SHA512 a403bccc0f983c40dab9aff2eb9a33b14233ad5ca51f2f00c8ce8bdc77b88f5d67ce1808d3020174ea41a49d871b309e0349582a366814120e94f176f28b9ffe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaa5f3a2cd17a8a79c74b21d0644e058
SHA1 198f35b8861f7ea0bc02e061bca8323df9e36154
SHA256 54a8acbdfc65e5050ad3a786051ecb964518321dc3b965d5e523dc39148d51ff
SHA512 f68eaa5468978f5923483dc215557107f4f3c6feeb110b2f8f74e3987300fbd2864dee3ba4f30dc1f83f05b2c5447287db2f5946fbb08d7a847efe810f1000d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27a18cc227c9548ba749ffd67603e76d
SHA1 bd2662cad0f603fb68b560245f00f28c075e0649
SHA256 020d38f20956b5bf82b713ca191d17587d98e393f10a5f87f1b7e2797a2db2a5
SHA512 1918a976f29d7c5c4a411ce29fa7076503e77cf10687a13ffaf996d798c8d90fa8e469e5bf4cfff01dda4ab72991086e1294f703acd9d47ad574874a675a1e74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fdd56a89d098f9f7b48d34cae7e03bc
SHA1 fca1339d864486a428db3eb8af1b158140053e44
SHA256 e5bc4d6471d48be2609104c030c075e878e1d675f41db33462c02ccee8b8b9bd
SHA512 9ef718fa4cf79c11b8807f73f7c355010849c9a04dec966f6ddafb256256da6c0a95a6171f72503c5d845abae58b544042bbde9e64fa37c34a9cd927b6166b39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f762fca1f8c9a22bb28cdb8423e8108
SHA1 ac62cfef809ecd8ea86bc01e214834e21c3da020
SHA256 91a13ffb56e8f2d21ba1c75d3e48d21f159afe7f301ae4cad3709fb96bd3c3c7
SHA512 125a5523dbebb4aae40d85794475d92296838765f06ee80db597e4019049fcc148fe538e1ab4c54105dd8a93628a3acd30bf954afd0cf1e4aebcb72957ffe411

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6662600bc857326ea1f7ecd0e7e1c594
SHA1 34a2b51a32aa2b19404c3996118ed08d5ebf3ec6
SHA256 ad66c03ff2bf9c58f4a98182e7894923fdb337c7de36bcd0d2c38d61145a29c1
SHA512 d25d9be359c2c82ab63d8239e6f4cdd2e13713d3c3f9e2e54f303d5e43232e44555c9d79fed5a831ca32ae87097784337000d39467a3cc6fac1dfae911da4373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8a10359c29821c8f0ce128178a3677e
SHA1 b7b7eec25472cd4ec3fd0eeac33402a5090bd287
SHA256 5a2204e99394abca455f8b5c2fa4ab5d6ce9385e1c01c65078cb4b1b845b7151
SHA512 8087582425f1b4688e272ea87b4e537d71a8d267d40cf3307834625c2a9c773cf73009dc5a3da6d48148429f4f8175e849315e5fb570891b72e0b10dd5cac0a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b14d0d19fcff071f60afebeb0563cd6
SHA1 74380e39ae08618a03e24c4a21624b43ebb4c2de
SHA256 937b93ba6db1ed7d23c5bce909a28ab9bcd94a2ede2f9b84fabb2302e8368f18
SHA512 54ea5527194fbbef6a0c53d0f067d46542f1868e2a1032cb4eef34f4858d31ec5afc396a3d79953c25a9bb697a054e34f8d17aab060d3bf5fe2d0d0820d29503

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db49dc6ccaaa6e866120f9067d653a39
SHA1 7a6cff3343179fc8f602c2a5d1c0d5b11a1a223c
SHA256 18872cc55f3d0268ca500eb2e746170c840d99ae1da47e13217bd5f9358fdd22
SHA512 222dfc61b92ab81fc5d273a66e8d2d499a7a0384604d552fe143292314abb0d8688d259ad6528c3c790734054e318d5256e43aeb9995e4ce167a42e9b6cfade8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45d3206a388fb8694b338a0a299fa9e4
SHA1 1e03de8dabb08d66d155bb0532ac03b37c15075e
SHA256 022027da2b53f98ab56ac8f0e0f60bcb565e6746fdcad73a2c86cd2f3a5844ca
SHA512 989f3b934231eee7fe9f1851e060c5c98ce1484251972dff9542a8ff5f9dfe33f7ba2bec4bdeae382a340da266f29f06ec4f4c9fb6965c5b4481fc418f3d59d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ad3001c5c7849c9563f14caa00d5de3
SHA1 933b7d05e5461d705af64e05ae2a8a268adb7a62
SHA256 7b2c8ebd64b5a17a1961835819bc4b93488f5944a17f97976e74da4f069505a8
SHA512 8aff00435ad29c59d5a8922abc6ec53e266d6109392ca33c442e35c5710dae5abf8f1beaa14c79442ea1b45420ce11aad70588fa8692e339fe9a45d6cddc0884

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fad357a0cefe595338b6c8082dc6f7a1
SHA1 0833a1b36f3cfc107599d1721d80dc2ef2355ec9
SHA256 a83acee4fcadac99f3f5901c93dc3d238f5245820c27735d13a6586fec5305ee
SHA512 c02bcab203fec000c903be3436de435d338e82bdc3d4fd2ca70ee072f040150195c9c550642adf7aa8c82a9a6ff535858555dd65b35364fc1f17e88bb8d917b9