Malware Analysis Report

2025-03-15 04:10

Sample ID 240826-gv3kwszhqm
Target c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118
SHA256 b57f52fc77c01430f054e586c4d2ec9dbb0a8bf9a7eb31b1bfab4389a04c05bd
Tags: discovery motw phishing
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256

b57f52fc77c01430f054e586c4d2ec9dbb0a8bf9a7eb31b1bfab4389a04c05bd

Threat Level: Shows suspicious behavior

The file c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

discovery motw phishing

Mark of the Web detected: This indicates that the page was originally saved or cloned.

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 06:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 06:08

Reported

2024-08-26 06:10

Platform

win7-20240729-en

Max time kernel

122s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned.

phishing motw
Description Indicator Process Target
N/A https://www.9ccms.net/index.html N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A286C411-6371-11EF-B88D-EAA2AC88CDB5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430814385" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c92000000000200000000001066000000010000200000006a585b1fb1f2067efbd7d41827f0fb19b714b26e095d166e631e43fef580e945000000000e800000000200002000000041429f51c7109e6e978785e6d40f712bb22748ecac36a104aeb528747330d2d2200000008af4739ac098dd2b19a4ac77fb2c1dfb0d23189da057c53f9bd47dea7f953e184000000076b37abae64417350c0360c301a85fc355c325c1e61d8439b92750eba4c16e07389812e43e331a69f189dfeef7829ff8c8a659de6437b532d81c7bd073d1f2a3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a2b0797ef7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.dnfqd.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kun0.com udp
US 8.8.8.8:53 www.dnfqd.com udp
HK 43.129.181.123:80 www.kun0.com tcp
HK 43.129.181.123:80 www.kun0.com tcp
HK 43.129.181.123:80 www.kun0.com tcp
HK 43.129.181.123:80 www.kun0.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2244-0-0x0000000000400000-0x000000000072D000-memory.dmp

memory/2244-29-0x0000000000400000-0x000000000072D000-memory.dmp

memory/2244-56-0x0000000000400000-0x000000000072D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD4B0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD512.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d533cf18f9a812317ed6c3ea650d43e
SHA1 9da143798d7c9f375d21402290868b49db79d2ec
SHA256 eafda2ba252dc10527a6fa6c15967158ea803b9c23c592bc9eb957d1837a9aec
SHA512 244aa16da83099df20ad8c36468f90baaa99455f10cc28e4cabb1e0143f615cadef312d9066bb4699670720f0309c5fbfbe189caf22aa9a5167f3924ad10a882

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fbed30d2dde951d1f8caca9b434a5ab
SHA1 62ef174b569c833c1eafed633cfa1e688d508fe8
SHA256 ebce61d5afaa06ebf4a2042575aeb0c5b04fa10247a35df8e3f914e5ca390951
SHA512 67f05ffaf6e8b7768f769e80f0eb385f24017365002415ff80599b9b8191656cd2def7e0a7059f7f3f934cb7315fc43d6ec9644e36e4ef9fa0c565ebf3ddb44d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec5eb8305d4aada64e2b993cd52a9410
SHA1 89cce5fbe01c2c988a57dbdfde56eb56d4bbf390
SHA256 859af7b285cb40f8fcc671a93430018ef75ef9f1fdb60189ebb50a0def349605
SHA512 83c6c1b8e1fd3473749d95634e19fbe3e10bf5f8a3ef82646f469cb4eae41647b4edf5ff30df0e89d235e8dff0567d7b0216272372f12ca904e09540d091f651

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89ef1f54a550010c55fdae07e5c34589
SHA1 4bbac6d57967a61b55a944a226b92b8a9585e32d
SHA256 fd6f52fc07650c2b32e29b094e267ca689ccb6450c55c56afee44d77e6de403e
SHA512 5173badc6b919d19e0ab7905424b104c484624c8daa2b187e9248cc79bd037afa2a832dba97e3cb68c1cb07f576496857f42a841127031defad8948523ed28dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4de2008068adf26346665a48b77bc21
SHA1 f48e3afbdd44065d344f9c1cbe5e4854181addc0
SHA256 802ba76afab3dd4ec81e70a650934f25fc9ec730defb01ed74925776a9c16913
SHA512 3e2e964669a822fe71cf9e81c93375b9e2a7aaf8cc1e3f46c0e8cd85f0bfe960b3401eb5ce4cc19aa95d15c0d65be31a65af88fa11b435a47bbe22b5fd396713

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9aa1d862d90587d38e0e0646a30351d8
SHA1 91a285c2fa67bfcc8822967eabdf05f1ddea7d1b
SHA256 32fd5e267fe7f5057f5230e8a1be55b31dc6995fddcc9ae6fb16e1d2211cc88c
SHA512 a5ecc51502d55680f78bd330faf92a987b61e08d0f7bf6ecec62bf813bf6f77c558de0588a30da79367b4309a316e624d85409d953b499baad181c583cc3c2ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8ba8a14159104a0500337f2c6779e60
SHA1 1cf7c8b77304f7c68541909f300163bd327b6564
SHA256 4cba6ae317574929ad93ac0835599b884f35329a3c829b9c3100181f3dd0690a
SHA512 3cbd83c706cd18844bc0b8e281df26772347e1f34684411a50eac033473540dd8a2bddd2b988f03e9b8ceba44e5639be41110ac6c8a984741a4d2e75e7dc5b96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4818506fa65d1dc17a57e1b4af7654ac
SHA1 578d3f190fcb8e6afc1547a4573a5eb6ec264df5
SHA256 9747064c487408b2d831de486b84b7e583a144c3dc4b1ed0eae1928728e0bdce
SHA512 5a50c25b930001970b8feb9aeb9e23b1072ddebf1e237c969deb72a58d745c794029d224abc7de115a642b98606a5d76b4437cb6776bfe34ae980edc80de4316

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a864d4c63772ddee998b1a32e13106a0
SHA1 4c3fd33c989f2495c665a8d67ecf2c7a28f9988f
SHA256 c72589b931adec8b26474b8ef638238afd81330c1cb6f30d7d9a0812cc3840df
SHA512 1ea95416196821ed248193975a8e92229696d8af2863affe13e90924975c64e0f11cbf0760ca6de7274898133e859805e3dc790f8eae39cb843ffa05c5b1e61e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 238f0585a9317b65502eccfb3d95ae51
SHA1 17f29f447605e78ad2eff44a634ab27451a0a6ef
SHA256 87aae130bc4ef792181ea2b68a50cc97d911a7c953840d47d118ad136b7fd667
SHA512 025f1313dc5f0c49281c94ba4e6d9c2dd454e1e0b1fad815dc0af48d3f7c5baf86abfd9ba7435e73ea71f40bea0b80a37c2b209921b562c2e5e56a5e68d9bf9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99ec2f50e996e7539233e5e6fa9dd5b2
SHA1 31ae8186467dc5d56127b96fc5dff63e9b434055
SHA256 4e88883345f53b758dc1cde0dc0c205201d5438a51da84bb67b03936e47c9b08
SHA512 e69b1f8a2877ea526f0661e6e53ef1c5fc81077d9c914ba63f1c47935e7f8a6edefbf2cd602d41030ba5bc1def83f6cc053e040d4e66ebaf5b3b3035b38dff50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cd76fb1d9ec9d1786782d0bd1d49441
SHA1 6f16315ffe2ed43b4fa5ad6e563ba5b42daf8528
SHA256 6864d0c4f7713d636837e4a68568ac2f27ddffc8679feb02355ab4a7ef6fc9b3
SHA512 b098986b012067fc2c93af41d59c83e083a9a6af44646b536ddb281aa2294a2e88202bc24a92a8fb8c174c489d280758e335a45e4e4deaebf3ccd4da3ccdc533

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a99d0642f40fb6f11cdbe5fdba23a855
SHA1 db597bdcff7fd7b4d927a928d86c2bd8616dd2aa
SHA256 95f003e59ba082cbcf46df752fd290c7263ad89ab9effb3f41d57fe2547e3fff
SHA512 206eb2603d3423e4d2d043d1e0a17fffd06809f30380c6db614ee3e8c62f5927312a0808921be8cd3126caf598f7147b74cccefe45554fb144241ac6ab93c98f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 453d8571705936e180ce133779be536d
SHA1 c9e4a56e6bf994dc48d22a0c44b35aa9398d3277
SHA256 00672a90dd0dba0b68d15a8cc26840c93305f0b46352d13e3dea19c69ffcebf8
SHA512 e6d9d69825b21bd9adf48b9901e51777b2e3d77af4ae548d55132b85da8cb230284a9fb65e1c6657d012e7e09682a16fdfb4608874677487a57fe9ba9020a9c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 701bd59129e7e83e8096fcc577181e94
SHA1 01516466f57f7ad8d137d3bfc6585d1349ec1a05
SHA256 e45d223ebbf5a51d731fe859a5d57b0fea914dbf9ee67999df4440743c59d834
SHA512 0c0e1ca9e7c89fb3ba06af5ede141ee795784fec762877d133f86c4c475271f0da873a1fb918bc627e53c78a8a376cbc3010879de148ae2fce3b83ae744e2999

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d004dc64ebfc84208b80b82bb8b70bc
SHA1 67bb44f17244918d3586cc10ad388494ef6ca631
SHA256 cdbf94a114e4bb48c253a0ac79fda81c1a6eddde87d527892e44946addf6f705
SHA512 6f156802a65e06c5917da87e8e6528488606f13d196a9cdf7c246f31441679a1a7a4ae1d275a0094484b2623d55b3347c81ca2ccced0c7542b7c2a786b8c5e2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27b3d53a15db1191383abbe6a6e2bd9e
SHA1 fc90e38f574e5e790dc1543e6c0c216b5865c35a
SHA256 de6a18dab9082008ff78d50e86c7988944140b82f06c948ca79366484774e572
SHA512 a1776f73a97dce9a3c035090a2bf15367d02aa16c9ef213cbc4edbf0beb8990e43f463995354578903898c56240a5c0ca03677e6d8fd92ac5e9d2ed68d3040cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0872994efa3fc9ac6e706fbcd076e42e
SHA1 5a60db35f947bc46969b3275fd60b4ec10d22f83
SHA256 8c8be36577bd1781650b3ba516b6759995b406b7e8872b3460e0708ec20d410e
SHA512 9c3d3e7070df66ab34b2e0d484c59fc9919569213fce90439d47c91a7511936244c0b7c953eb3e4ee4e8cabb33ee5d97893a997537a4ba9b18eae830ea7353ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 362d409409001778d1ef06f6dd89b997
SHA1 cd5f7bdb3d2053b24faaf0afb0b63b0fa70a156f
SHA256 56eadf94ca50fb604dd0cd455c1118019440b5fa2c88bf271fdb28432b5f2c7b
SHA512 0a46346d948fb903a44762aeeb2dd5fbc4f01f7da61438105edbbda10e739c26b6b6fa51da003228ba8c7f663ed69e5509a5bbb789c898617296cf110a141fd6

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 06:08

Reported

2024-08-26 06:10

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned.

phishing motw
Description Indicator Process Target
N/A https://www.9ccms.net/index.html N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c26d1209f342a79ce30df7a4bfe3cad0_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1980

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.kun0.com udp
US 8.8.8.8:53 www.dnfqd.com udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
HK 43.129.181.123:80 www.kun0.com tcp
HK 43.129.181.123:80 www.kun0.com tcp
US 8.8.8.8:53 123.181.129.43.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4936-0-0x0000000000400000-0x000000000072D000-memory.dmp

memory/4936-15-0x0000000000400000-0x000000000072D000-memory.dmp