Analysis Overview
SHA256
c9ba5242f0aa65ac11636c17fa5f61a6fc641facf1c37f1ebd53a6ba8a5cecf6
Threat Level: Known bad
The file ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-29 21:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-29 21:33
Reported
2024-09-29 21:36
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Gozi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aa976eb712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433807530" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000e73d6baa72ac244ef54eff3371d33d73c3b3610eefaa3bdf47a1f54b5962f137000000000e8000000002000020000000ba11a98190c9de8f8cf4c60b8624e00aa8e5b95d1f7500b2ce4890cd4991004620000000a2af75d6a68f21c919c71fe61d88a86169b44136e7abda312b8a0c63a45e22f640000000a2708280f06813b0fde675d4e2e42702741ada1b417ef98434093c7fb79b805036cac4280e2d0017cfd066d83cfd1c163541e4fd3bab1cd74859072af9036f41 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9721B721-7EAA-11EF-AA6F-523A95B0E536} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2816 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2816 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2816 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2816 wrote to memory of 2756 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zardinglog.com | udp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/940-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/940-1-0x00000000001B0000-0x0000000000203000-memory.dmp
memory/940-2-0x0000000000120000-0x000000000013B000-memory.dmp
memory/940-6-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/940-7-0x0000000000160000-0x0000000000162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab740A.tmp
| Hash | Value |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar74F7.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 2cc8e6285b833e88e108cd208980a6b5 |
| SHA1 | ffaa52d2cdef2ba94238a36cb01286b199e368e9 |
| SHA256 | d27ddf2731c76a76eb9f39f8e5f9f11cb4d9ebfd083e4c3a9a82e8b92cc72a2d |
| SHA512 | 927671961af04df58e72563a9040d58d09bc179dce4707b14c7d234b3adb6b414a7ae1b2c3c8b84eb2fc191c85e58e552ea0bc817af1a6c114bc5c74ca0b200e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 4ea391e573f83d1a272ffab84e63c233 |
| SHA1 | 3dda6cbc26482a1fc3fc42876256c0e67be14e5e |
| SHA256 | 208e498132629c143d6e1e6ca8bdcbc94fe78ff7a09731e0c52d674733fd9de2 |
| SHA512 | 96ca8562fca9efce0ffdff46505b77951916b22a4a0aba9fc0538d19ff64c81b2149e48ceb4040a5ea07828efab3367f899e6059f1b11220a5ff29e09ffc1dcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 080fb50717f222a45567dbe7b0770e3b |
| SHA1 | 4c4715e0ab480b6118a158663acd6e75d2dfac21 |
| SHA256 | 73b9fffabd7887668dd8a424bbbf33db1ba9429a867fce9970dea2d2b296ea84 |
| SHA512 | eb1f64e0ae752e1e754bc0dfb01703bb6c7c1ebe577715bcb6c40ac91076a659648e4843753ecd09e655e90576a9a3af93e4fe4c4707d60d22016bac2ccdc41a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 2bf0ed668434159ea95bd74a6436a8b1 |
| SHA1 | 2564f5c1ac94d8840bbe2461200cbc3d42c933a0 |
| SHA256 | da290bc9987f7e1478a35374510d1f2ba777a6bfbf62bf7f88c2ce1b38e3a1bc |
| SHA512 | 6c625db1caf7f3c115fae1d65fba05725131d493d098ee76eab3211790b0460ebaaaeb1ecce9e17f64c2cee717683bb75fa836e016fcc3e3698a3c6fb6e8d4aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 3452aa2623635f7f305e9af57ebcbc61 |
| SHA1 | d76a0899b705d6ccab76fda20e7a2edd246c197b |
| SHA256 | 71c9c46851461f0f8c54304aa4c8ce354fd960c92457f283efa98e6089f8325b |
| SHA512 | 14e621e9cf0feee41643aee2db1249c17e3f4fc9262617acb9413fe36d263307dfc2792d786d3bb017f8e5e368fc74900eda2908691bed43597d7947bdaa30ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 1d81f7e181c509d80929af9f389115b1 |
| SHA1 | 19304ec6154d669f477624abb43c3d6122186b21 |
| SHA256 | 382c434db5eacbe8872863d60f1d884363da3747d69bd08205fe73c1b232104a |
| SHA512 | ff6d49832632be827bae99fd75fef08e54f8b2141f3d84cb52dbc10f7df7288b907a1112ac09165b420f4dee9577b7b6c2a86cf925b5722bf90a631597aa893e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 5063072b28e8bc10904e7f0b80145968 |
| SHA1 | eb6fb1a50e745ba38de5858ad8f5c6d8bd1ef7c7 |
| SHA256 | ca4f62a06fd6f738bf8283adac898bdf097cbda127c1eda2a5e16826d0b12166 |
| SHA512 | 39abcd619f91d56bff0e9f630d30c4f7e2ca04b62bfab41d9c855e30965ac6460ace06ad1ed00e8dbc4b6b72c3b11234c688c425bf82fdab3496628164d765e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | eb655a89d65432472abcfce62a65efd3 |
| SHA1 | e94ba6c2934ebe26b645e1b66087a213afd81c4a |
| SHA256 | 3af5591ddaf130893bb4209bfb04e944147747df689fc1efdfb7af4b761c6869 |
| SHA512 | bf946835beef0679d26b1d1afc239c351522fd04b758bf2b9c27c6dbb1994c325d81e35fd284cacf43a3adc70fd6d55a9a5b5c9e9cff66c5be082307b4a850e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 4bf583e0a633c9e6a34f2507d31243eb |
| SHA1 | b258968f126c46795a2d3efda5c476560bb85d36 |
| SHA256 | 6a285c81d5a9301d6a07a73cb906a345157bb3ed5adf68cdd4fbd4f91bf70213 |
| SHA512 | 795587b4ba9d0c2ce899aa5d931522ddef4133c70b1b138d8e39e2c180a9188b9638b6cebb97b4af15da33df53dbeda45dbc4ea7b9091b8fca724c295086df9f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 5e309584ea7e401a0d44f9069eef3db0 |
| SHA1 | 6292239c327d40818be8da3bb5213e2c6c357689 |
| SHA256 | 301df1186d8aec91c61b98e057334bb2c18557ca46a98017d34e38d0435d016e |
| SHA512 | cf6f34b9bfb3fd39d2969dccf374369b89b0db07b1282d47f6d62815974c82c45d9a022dbe6e892fa13f8792c1e08cce164a95c44741e95082309235896966a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 85c268376260257aefcc9d22aeae06d6 |
| SHA1 | a9ccd861b57e8b3daf303852b1d1dbbbbf8631b5 |
| SHA256 | 7bf3332ee9b86f8a4407883898d93fcc4bebbc42b7dea3a111f992780a61b605 |
| SHA512 | e7efe50cb6f9dc802bb5320f2913e96e06be559134243fcb9ef124db30b54dbb08e00d5f0c959987ed382cf438aafba77b4659b992144318457e959a3cf47788 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 0edd557a52c73d6960322a213e0495ae |
| SHA1 | 299dd857f576a3a390d347ac2ab780c515ffad97 |
| SHA256 | 04c878c18d436f489e1b81d6b8f8e3047952b473c9412fc7122a573f9f92f25c |
| SHA512 | 0912be4153801597942fc228e073491a5d7100b88865a959f26350c35afc2dc569eb0e9297b3107303bf7efc5864b62d32476c1436f50ef4f7e0fc5ad9dea4b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 38aadac34b7ded188ec11fa23f36ec51 |
| SHA1 | b6cd123c12eb392600fdf3687fbd285e191a4bfb |
| SHA256 | 623f83539a3cfea0da8a0632de05e7aa9d7ec1dfda7fc6735cc846a302d99112 |
| SHA512 | f884a27b21024482dce4ae0eebc6cb58e814da928cb431b31eb45ebee1b228766c29548d86e225ae8f6c62377f3359cb8e73b4481cc1c8d2e3a115031d008e3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 1f369dbdab88f9b993192454269b8536 |
| SHA1 | c818524d55195c89c7d7789b03ab2963c1da54ed |
| SHA256 | 930c0cd2a7dfff7687b36a7dbd5c6f3487808ab60d15735d6c6068c4d11cd4a6 |
| SHA512 | 59dfad464eaf071dfe04c52da9bf2fc913383e43744a914f9b557242f525df571cceb636743b612d20236092065e78a071bf178fdcbf661045ee892a9cf2229e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 9e1d822e9f28bd69caba4115c38849ea |
| SHA1 | 5fb54147b0c2fc95871da4941fc68f44c9d295db |
| SHA256 | 2d7c791903160fd6e55475b630a6fb8012503ea67dee54aea8b27a43e40cfc02 |
| SHA512 | cad0a02de4536371cd24762ec7a80c3d79913b1467cf24c2e751312212fb494e6bab38aac20249dc2fdd615201227784f8050813d0b6c3b67ae06371c5f2d43d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 16cb88e6956f59fa63a1dea605cf79ec |
| SHA1 | 5c3514a44ff63991675e47d57e86693eebb9f00f |
| SHA256 | f7819a5c6a0a9ee03bb368e31dee19fda33537cae99218ce2fa113cafa194048 |
| SHA512 | f93278ec1a5897280d089eeb42199c80f1a4720e33b978348059b0140385ca6322a6890c1f3273b42f16c178b4265f4ff838ab7112e1f974d4590ef5c5b5d024 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 8572ab5b7f42e69ee5bd840fc0b5ecb4 |
| SHA1 | 270e1665109d826746c86b6aeda2ae9e6bcc7f58 |
| SHA256 | d94fc5a47bd7323abd0ed0d42ef5e908b65437abf7fc0baebef33942889ca3e4 |
| SHA512 | 986995478339cb1467fa90ae78108e579a6e1751b6ebcc5b737cada69703c260b199ae9227234b619230c958533345685f51a979b8ca2c2878a4ca87e9998870 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | ad25c7cdd9d9041c034526abe33e66f9 |
| SHA1 | e9816a2650aabbffe93169cc83ba344c5137dd1e |
| SHA256 | c9b42b474d4657de3039c77ac0ff6512c686070b180228506a235740d370ac21 |
| SHA512 | 267d8b5f166a1ffd76af76ca0aa008b9d62e5462916f2cff4171bdfe2ae3e7d9d24609ac64c9eb44766ea674fdc29210a2505d2cc75ff6569d00ae204b831f7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | d6889a9afcc4315a5db3736be52cd709 |
| SHA1 | ce9dc2e39d9d19f5400a25c5008961a2a0a0a70d |
| SHA256 | 21c368951c4877c5938e223042d765d8d993c675b261ec4ac545aeff966032b7 |
| SHA512 | 87f8bed3df106289d2409ec73a6fe61b98b7404d1e47366b12d86aae11cc09b0c9a0cafac1ebc02b25361d2b71d2e2cd05283c53e66852f46bf3eb560c2de870 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-29 21:33
Reported
2024-09-29 21:36
Platform
win10v2004-20240910-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Gozi
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1776564118" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d74c4a2d6d7764449694ff5b3c3fbde300000000020000000000106600000001000020000000924b702a8f2427ee8edc16e93fa4bd355f3d5a1f723f5b38288850b69648eb01000000000e8000000002000020000000ae0247a4200957ae1d6dc032ea7a4691b47d8c2558ae592c08a535f5650ab9dd2000000039e036243462cdaa7c0329ac53571901661b5e25c2c133101be26e2ad9333721400000009b189034376abcb300be055d73a230665442511d3fd36ebeede3a46899de3420fddc55312b4b1c291beee73a4a741fd0f19d4d8b44e883b463b9c622f65f8501 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b1886ab712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1776564118" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8027926ab712db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{957F71EE-7EAA-11EF-B35C-4ED88B793F16} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d74c4a2d6d7764449694ff5b3c3fbde300000000020000000000106600000001000020000000f1ee5389a1faac152b09b6b0170e4fb6a98d17590e46d55cd81fbdbd5da5ec55000000000e800000000200002000000002171504cd6c8a52767900b692f8aa73047fb208d7d98f174a63512508c50bf8200000007d21bac83c8f9c3560b2f14e9179d74d7e390e12ec2696c12a154fb5d05330064000000046f4c89cf561df13ff5c239294d9a0c1452203aa9f79b2eecdd9539d40af7f9ae0aa339f502a7b8efb6a670c84dc84c9f3b1234451d542790d63697dbfc1eaa5 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2084 wrote to memory of 2328 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2084 wrote to memory of 2328 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2084 wrote to memory of 2328 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff5d52042a34a4669aabcdd009e9db48_JaffaCakes118.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zardinglog.com | udp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 44.221.84.105:80 | zardinglog.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/1392-0-0x00000000013A0000-0x00000000013A1000-memory.dmp
memory/1392-1-0x0000000000120000-0x0000000000173000-memory.dmp
memory/1392-2-0x0000000002DB0000-0x0000000002DCB000-memory.dmp
memory/1392-6-0x00000000013A0000-0x00000000013A1000-memory.dmp