Analysis Overview
SHA256
9857963ccac964640480f5261281289de9a93344a3aeec6603fa2b3ec7e6a298
Threat Level: Known bad
The file 16634e7acb723a3bae693c4d3a972b6d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 05:43
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 05:43
Reported
2024-10-05 05:45
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
126s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\16634e7acb723a3bae693c4d3a972b6d_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab34b46f8,0x7ffab34b4708,0x7ffab34b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5729118479958465076,2956827700726894716,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2404 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4528_CUDOHBADKSQYIIOC
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 05:43
Reported
2024-10-05 05:45
Platform
win7-20240903-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\px9656.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9B43DE1-82DC-11EF-A7B5-EAF82BEC9AF0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434268869" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204cb092e916db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000002bb7185a67a3fbf7b12913c44b82bc4843d77b2ac3fa085b2c68964dc8ff72fb000000000e800000000200002000000005274666effe99a62c14837ca2657bc5be80eee0f79b4128fad8aae05db799262000000091e38ea0a43779abaed1451cd81a62d18275f5257c39f7750e0bff666574758340000000425e165c845b22ee4c2600488e9b2bf7d44d63dd6d58d96351e2fdcf8ac413bb0e7f93a6663ee620987b1f91b3bdd2da12a8f7d2e1cc79765b1f2c1edf6f97f4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000007db3a581d7487e513abf1e45d51b8c2f8d764f05f1c8c5d22cf91bebfca8875a000000000e80000000020000200000003bd7def2cd0979ddf90ad22d72f64bc2f6325c1fb14d5fda1336b723289c57ce90000000db6a71b846844f2e55b8a92854b7391a05b7d7ab711b3886f5079c65a1000a8bfb5ec45fefafa23ea5493509bbb09b2ccab932839a911d45a595661b995644b52837d4cb5b0cc4f4dc371469799a764f09262dc3543643eaa0aff93e631fe47608cbf9ffa6e62534b569704fd46eedf46430361c99c2a86658ec6138051e7aaca0a88b68985ecd377049975546f2b3c34000000065f1fdd2404e6f725bfd5f42a2b816b49b9fa6f0e56f3814848bfd12266aa1cadfe9b6b5ef12bb7d7be0f03f96fbcf3d2b4dae55ac320e019931fd4fde84875f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wininit.exe
wininit.exe
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\16634e7acb723a3bae693c4d3a972b6d_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.webmsn.cn | udp |
| US | 8.8.8.8:53 | www.braccosine.com | udp |
| US | 34.204.18.91:80 | www.braccosine.com | tcp |
| US | 34.204.18.91:80 | www.braccosine.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | df455f0fa8fb3fa4e6699ad57ef54db6 |
| SHA1 | 51a06248c251d614d3a81ac9d842ba807204d17c |
| SHA256 | 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1 |
| SHA512 | f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6 |
memory/2864-6-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2864-11-0x0000000000290000-0x000000000029F000-memory.dmp
memory/2864-13-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2864-9-0x00000000771A0000-0x00000000771A1000-memory.dmp
memory/2864-8-0x000000007719F000-0x00000000771A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC093.tmp
C:\Users\Admin\AppData\Local\Temp\TarC181.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015