Analysis Overview
SHA256
b57f52fc77c01430f054e586c4d2ec9dbb0a8bf9a7eb31b1bfab4389a04c05bd
Threat Level: Shows suspicious behavior
The file c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Mark of the Web detected: This indicates that the page was originally saved or cloned.
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 06:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 06:08
Reported
2024-08-26 06:10
Platform
win7-20240729-en
Max time kernel
122s
Max time network
141s
Command Line
Signatures
Mark of the Web detected: This indicates that the page was originally saved or cloned.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | https://www.9ccms.net/index.html | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A286C411-6371-11EF-B88D-EAA2AC88CDB5} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430814385" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c92000000000200000000001066000000010000200000006a585b1fb1f2067efbd7d41827f0fb19b714b26e095d166e631e43fef580e945000000000e800000000200002000000041429f51c7109e6e978785e6d40f712bb22748ecac36a104aeb528747330d2d2200000008af4739ac098dd2b19a4ac77fb2c1dfb0d23189da057c53f9bd47dea7f953e184000000076b37abae64417350c0360c301a85fc355c325c1e61d8439b92750eba4c16e07389812e43e331a69f189dfeef7829ff8c8a659de6437b532d81c7bd073d1f2a3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a2b0797ef7da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dnfqd.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.kun0.com | udp |
| US | 8.8.8.8:53 | www.dnfqd.com | udp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2244-0-0x0000000000400000-0x000000000072D000-memory.dmp
memory/2244-29-0x0000000000400000-0x000000000072D000-memory.dmp
memory/2244-56-0x0000000000400000-0x000000000072D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD4B0.tmp
C:\Users\Admin\AppData\Local\Temp\TarD512.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-26 06:08
Reported
2024-08-26 06:10
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
124s
Command Line
Signatures
Mark of the Web detected: This indicates that the page was originally saved or cloned.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | https://www.9ccms.net/index.html | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4936 -ip 4936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1980
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.kun0.com | udp |
| US | 8.8.8.8:53 | www.dnfqd.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| HK | 43.129.181.123:80 | www.kun0.com | tcp |
| US | 8.8.8.8:53 | 123.181.129.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4936-0-0x0000000000400000-0x000000000072D000-memory.dmp
memory/4936-15-0x0000000000400000-0x000000000072D000-memory.dmp