Malware Analysis Report

2025-03-15 04:36

Sample ID 241027-19z8vs1pgs
Target 763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118
SHA256 32cbdaea91453b9e80db92346d60ada7cb954d2c2fc24cb0997645c142ae1a91
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

32cbdaea91453b9e80db92346d60ada7cb954d2c2fc24cb0997645c142ae1a91

Threat Level: Shows suspicious behavior

The file 763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:21

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:21

Reported

2024-10-27 22:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 3012 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 4408 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4408 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2400 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2512 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://post-install.com/cancel.php?pid=464390&type=Your+Software&et=0&adm=1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6e2346f8,0x7ffd6e234708,0x7ffd6e234718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,607895885235020337,6076280045355854732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 imp.oi-imp1.com udp
US 8.8.8.8:53 config.oi-config3.com udp
US 8.8.8.8:53 post-install.com udp
US 199.191.50.185:80 post-install.com tcp
US 199.191.50.185:80 post-install.com tcp
US 199.191.50.185:80 post-install.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 185.50.191.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4408-0-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4408-1-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4408-2-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4408-3-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/4408-5-0x0000000000400000-0x00000000004F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

\??\pipe\LOCAL\crashpad_2512_ZNLTRYFCMVYNAXTP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b0fed1dfe9f335dd8d4fc5c017455b9
SHA1 50014c86f95844990cbb605c5064b970ce1428de
SHA256 de0b7fc8660ebaf71b5224557e2dab32487280d8eb3306d377e175c381280b20
SHA512 382e3dcae02d9775db86885d0f3087f7957b4abaac5cfe391f2c9285501dc5b55a13fc7244a2a50e074d8c261e2a8162146ec7a713eba318036cf8c1d9f0cb98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

memory/4408-54-0x0000000000400000-0x00000000004F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0aadf4f631ef82fbceb916ebc0a4e5c8
SHA1 7432f9b386bd413d5cae1b076fc180bf0716088d
SHA256 73bdfab9067a22723c4d8b2a6bc98360f47bd68de0a20691b9d0a44a1f68e1ae
SHA512 13cb82bf93e98c0115ee0940fd308157ff401ba029903f68e09db4c99388f1fdd778a6c3dfbf13d6c520ead1e5a8a82b644d6b6f7285669eab63b29dfcea068d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b076ca462415d61206ca5c41a03a8726
SHA1 1836f68626e6cc2d7e8690158285bfaceef07178
SHA256 8e93a5bf00ecf5daa287dce00edf65c21d8e6a8ae5107befacaa490673a55c94
SHA512 9bb80ab2f30f7f019bd5f0724c689950271526769420ef24017d2f2bdfce3265a790d87d9274342d1fe31a03f52bedaaf499df263040cd0c7ec5e864ed751261

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:21

Reported

2024-10-27 22:24

Platform

win7-20241010-en

Max time kernel

97s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436229608" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5049bbc3be28db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE3464A1-94B1-11EF-A723-5ADFF6BE2048} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000d5c870240f16e3dcd4435b1fc113397175d2c024464540cd60ed8f6451d47999000000000e80000000020000200000003262948321d86a6647a3591a2e68f1f6f68a013bc4be4973239363f3e65a9c752000000059d0b86fb04d3d3bd3f82c9d5b0e25a8aa6f065d93a6684ac2e4bf353cab3a6c40000000a641bd77a36db89c1e4125780a336cf8b982c27d12e669ab1dadbaf2264c446774bdaed80dae3db9578e3d3e0a702b7ad0786df3ab5d2c3aceed712bb10d1135 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 1820 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe
PID 2124 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2124 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763c56e7e32ebc7f26796bfb47c28567_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://post-install.com/cancel.php?pid=464390&type=Your+Software&et=0&adm=1

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 imp.oi-imp1.com udp
US 8.8.8.8:53 config.oi-config3.com udp
US 8.8.8.8:53 post-install.com udp
US 199.191.50.185:80 post-install.com tcp
US 199.191.50.185:80 post-install.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2124-0-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-14-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-8-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-16-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-17-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-7-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-4-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-2-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2124-10-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-19-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-20-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-21-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-25-0x0000000000400000-0x00000000004F6000-memory.dmp

memory/2124-26-0x0000000000400000-0x00000000004F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab569B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar575A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 737e4850ae3d8726f8ac7ffdf89b87b5
SHA1 47dbe7012e1f256e50283f915041313d78658aed
SHA256 f1641dfab374720fb5b849dbf9afdd36877bdc9efa25b4a33930b365de465ebb
SHA512 061de7a7c35206e7077dc1eb62a036be56b09adb293ff835cb5095c0f2c7989f57bfb814e5d8c3bbda72fa81fdcf8587ad2f503d966225173d8e9d1aa11d0dc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ced25c1ea7f121de9bf9e53329dce0ea
SHA1 153efc5be45d194cc53ece65d97e4429963f3eae
SHA256 c5c5fcc4b9d881466ca2e5f415b50d300c7bd2f96e4ffeac6c8a14e416fac6ef
SHA512 1d21c74582397ef86b759114b332cb58f3a92ef23de488806ed1ddf746b037e02863d8ae136e97842b6749203ecf811af645374d9f8db8e7de1395cf43da3c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 178ef59e58337eda4dcab72aca76a6a4
SHA1 e9d0cf642b6999641b4446f14464a2f3c80f6893
SHA256 3a576b84751fcf78d11595ad02858545282269e7072e019ac64a2a51439b21fb
SHA512 d50af497fe4f240823ced6ef27cca4523039c1305a4cb2eceb909078891784f850d255f06f57d1bd9310981d7f9ed4f9bd36d4146bfcffb55605fb861869a444

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b9c04f5d7c180b1a1c1759a506629dd
SHA1 b57ce89f50c8e887b3338f1eae3910a510729fcc
SHA256 1c4384f775188cb43eb071324b4959326320331cbaa37e9aaeba8d695d33b840
SHA512 9a3ad37a1a92263b1ab4ee39dd60e0c1641d98e273b48ccb87a434d72f95a01ffc1a071e41dd19311efdc1f5230aa117a646e7b649b3e67385fd0a35b53bf724

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ed1f91737bea1069a26943eb43d2693
SHA1 1f7145d71536392019642042d750708256248d31
SHA256 713d8ea0b1e526ce7366af358790cdaa4816240d7f8421c2e15be99232efad29
SHA512 9e502d572c521ac179079551b64f65cd87e2f174295f89001868f24c4464161450370698b41d0ea58cc9b2c6b5c37f8a002f5d966c839085966cb6d8219b9b1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97b48b4ce7029949710d8bfcae477605
SHA1 f11aca3b79bae07f1404ce2c3e87da1aeb1498d5
SHA256 532868ada57c5e400d845b2fa0064970d9e083e6be695f81f117fac03b5b73af
SHA512 4f02b1d4a4801f28235d222b5c393d077ad2a5e1a91ca6676dc37fe7954b817653c25582f4568705c39dc7c539a29072efe6f7d2130aa561543147ccd9a48b35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73d719a18ee68d06673fa60084c29def
SHA1 b4c2b3aeaabdc0c8ad5668ccad339f98d6c6ba27
SHA256 25fef909efbadfbb5ef3de862df8f17fa35b0aa27f7605ee9dbf5db08abbe4c9
SHA512 9476eb88e578bdb2fddb4ea8d914a4c6f9ca0aae3246a23feff9c2e8b9ac21d85ae53c3a70275a496fa2788ad9536583851def5e0540b4a33e4f0e1a798767d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89c0fb2b54724fc097886362febca34d
SHA1 628c68c54805fb8531556fc47865104cce864150
SHA256 6c0e85338e2308f26e660533ae8d62c375a2bcc6c8f4708c767eaa80c7dad48f
SHA512 e68bdea64e1a83f242466bf0af20be72e6858207cdd556fe58fb24fc23fbd2c0d0cb11e62a2f044028b65b4e821ca8162ac0bc094b1ded81a7998095318b3d82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ed429a32f1186298a9760a57cd9afdb
SHA1 6e291d190616c28b267fdbaa8a6c5e3609420631
SHA256 ad51b177f1b0c2840c9e23b3b3f576d457c3d71c00d473f5d6cae96c73a456c5
SHA512 9f1f8994cbef4630f539f6df87e435cd81c12d066bac46caf1347d753332b955226d75c72c6022046390987b80e95689c818b9890b42728867fbb26724537c36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76df95bbe117f176acd2dc12ec748e81
SHA1 fb860522e7d78e834943cad60b9156d0d7e0beb4
SHA256 cc7616f48f4d635d01d790019da1cfb742d85bb6a84a3baa3706b345e6c9a7f0
SHA512 6e947d44fda5a3c7b71ed402c3669a7f77479f784b620e2601b78b8e71d1b4e728e9f5c2f6cb407d1e1daa8f30dc3cb210ffec53a6ae5b7c8a1492f531a228de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db17bbe2034ec6ce9e0f0db6b55fcd01
SHA1 5aa8cb9ca60c7c4c5cb6388a293c0df0f5d42dae
SHA256 9179fd3f2e174f79a014ca3d11bb5b2139afd80e547ee744cea27fc5e2081735
SHA512 ce09a4c6fed3d4e28c398c38b538184c139d403e30c1bf7f1dcee22ae2d570da2e9085f50a40dce9ba3bdf13903c11e45742d26ceeda9a5b7f8e348b507605f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 779ec43d3584ac2cfecd4919381f4bb7
SHA1 5722641766b7ff5489d78d79b78bd35a6e6176b9
SHA256 bc85018218019d6793fb5a35f0083714b177b1eae26582d1d807aec54317d91e
SHA512 9d336b8c4d289a0d44c694bf6663629133bfae21c1e28a7dd9acb8753de3f82ab4bbfeddece9c515a4f7e2f8ff9be83ddb91f3d0726748c447fb188968b0d847

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ce98a95e4d9c8799e0847fcf251f51a
SHA1 83e34b23e84612cb1e7071e58f4293997a2b0604
SHA256 0ca3298f1eb061f422119be85cec7b54bf401c80aca73ffdc19636d549e34ea4
SHA512 f7e563e2cdf77f9b83bc85e09b9a5d486f20fc8a739021875b448215c23114eb9a899bfa8fc514d8cd4c7f27bac827d91eb5575c0b82f8bac0de94382501e584

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6fdf19cf165e3a1047f72ea04c98f3c
SHA1 f7b0cc8cfc54fa89320a9d9f7c115ec96b96e5c0
SHA256 b8b44213e8650c5ec975e743768a3eee9ad0d25a50d2baeada170eb873e0743f
SHA512 bece09c1deca0280a2510db48b6446a354ce4fe08b77d8893ccac87caa980025f9211f6f52acd1f8e4e2f779c891bb5e96f5556379b2810b4e8f27799bf65467

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f72094e3b9a84345df4ad31e2af0c07
SHA1 2ccae2d8689a1919eaf682153330af3d7c59b468
SHA256 e78e2778539d9bfa6165a934ad76e7bedc2499dae791c21f2394e50bce0ed802
SHA512 e5fd3057a1ba9b1a5870f0a91c52abac00a837a854dbfdf815b008830b5bf7c2eda2e4e2b0a59a71ab14675e37ef30b23837e41c260cfac3e88bfcebbcb146c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d0789f3fe7f61482122cc7e825f77aa
SHA1 170bc505b086aa39805e2c64566852e0231ce9f4
SHA256 4bf2bc7804a8d3ba10dcf8eb3af182e7393d293a256d0f81883b598013163863
SHA512 e5668af092b5ad3539bb55a82050fee0171cd56a321a1c01e39e991d6850a860635e96723ac36be1d0fc6855f243b6ea26830be45a84904e14dabab111ec67fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee182e25b75eaf02f110fcb0f9dd530c
SHA1 05e97a85638174c6d6a0870e0986f6fa4def9671
SHA256 f429f261cce355209454d7a249f24d377edba42661622552522574ce550fab94
SHA512 326d5b0af8a29eeaaf30c11635892d86d0d84627a4fad0cd9b8e22f8fcf0b74e48d081531477f485831e0a6c7e5435e254cd790752e12ad9f81c4564baecd4e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74577febc2bfc4f1e8e311e578a1b62f
SHA1 2d178690d88803efc7f0cefa424afeb59431d65a
SHA256 a442a2de37dddfbd8163ac9226f7bc61b2508c614cbc90025a385bea58bb9a18
SHA512 6a294da59c94a41a5e8f9de746f0147b0ab828ff4819389addeefb56192e0a3d32de0347c5c781e5aa31c4c415fb20da63550531b313549a19b35b1638966b4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdc9b0a0a171e87cddbf35753e0e6e90
SHA1 7a45e08416f85aa8ed174aac5bce31b743eac9bd
SHA256 fc1d69a424aef828226c1e0ca67f3682b235aad3385dffd4bc4bd697670e7bfc
SHA512 87599d3d6891ab43c0825d20c30b9a1d3b5ec5368cb22912701b0082c498507a9b63689bd1a9319672dd18f55061e15f256f53d8adfc996514e4943b53313eb3