Malware Analysis Report

2025-05-06 01:31

Sample ID 241103-3fyt2sxhnk
Target 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118
SHA256 7b00f4851573bb3baf248a20cf5f519d04f9a8bc8bd693406b9075557a580e08
Tags
collection credential_access discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

7b00f4851573bb3baf248a20cf5f519d04f9a8bc8bd693406b9075557a580e08

Threat Level: Shows suspicious behavior

The file 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery spyware stealer

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Reads user/profile data of local email clients

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 23:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 23:28

Reported

2024-11-04 00:37

Platform

win7-20241010-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 652 set thread context of 2868 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not captured in report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A70B6C21-9A44-11EF-BA45-72BC2935A1B8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000065bf81d01d48e9904c300aa95457f7764f00f82c7ac7d702560228e1026040d8000000000e8000000002000020000000106e4ccd1b442e4ddf31aff9d8173d478f27938371124855b4e8422f419fde9920000000e7b89346a45c64fbd77a6dd16a018dd3a8397081d46757ecad342dad9d023a1a400000000b67f79200d5bb9ad0bdd28dcbfb7ca15b67005469770ba58b47d45599defe342b77c60f7fa21e83a0bb84fffd5815fe3e11e9aaa148e7b395629e29463f3c15 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436842381" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8081167c512edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 652 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 652 wrote to memory of 2868 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 2328 wrote to memory of 2884 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2884 wrote to memory of 2752 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

"C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe"

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\542941.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ya.ru udp
US 8.8.8.8:53 www.cheba.us udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

MD5 9ec694b94c8a5d6a0fd8f35f7d6df84b
SHA1 f43e7a2301c759e72f75f715f27efb7e531f51da
SHA256 7d6968458310cb5051f4d706fb4890c200ca637f037fdf370b9125e134dbc458
SHA512 efe796c0921008d1465e8e40bb4e519ee8b6a6343b76f8727a04bfccffacf0953faf49facd803c555072d32c0edd74de073bbf66f19c7038a41ec07d81ded313


C:\Users\Admin\AppData\Local\Temp\542941.gif

MD5 8eb1ef360497967f27dc35bc7f5c0ce2
SHA1 271c181ed96278b060b945094708fe72a7b57403
SHA256 ea117ee202b51ebe3c07867d21a03da1d34257ce48407f4898d432ab960a8b87
SHA512 759273df0dfa6580c2aa56368879472efce01f967a9b0e489c9a5b271e7b392fb5cdb1f576613f75424037a9b7f64e656410fa4239ac06a2b771d03968051634


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 23:28

Reported

2024-11-04 00:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3836 set thread context of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141459" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1503960536" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141459" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141459" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a51000000000200000000001066000000010000200000007fa3a87d667fa8512ddacf91b4bab894d1e9379499adbc611951cb2c01a3c3b4000000000e8000000002000020000000dde6e6ab3e4e97b6eee279c1b4c36a6afefd8361d345c3b6253e28597e9777a420000000cd55fd972e8d94544821caafe15051f2207acedae545b4d017456cc8736db05a400000006e268c413560130c7c671b46c7d5f462ff0aa2b1435899458c540bd5238562d9c22d9fe2931ee9e5781b0ac2ac5bbac5a0582555a1bef869bdcca8225afc64ca C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8472CED6-9A46-11EF-AEE2-E26222BAF6A3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437446288" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1503960536" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f9a659532edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141459" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000f97ac84be2f4051335cfe6ffaa596da7b0221952dd48814cc0edcd8cbadb489e000000000e8000000002000020000000d3ea78745d282bc519745dddf9647c8b64b6a7179f6072a6202466108805603f200000007db4d0ab59dc26258128a2c90fd990bf90ca3b945e2dbffbff7e1808294e8061400000009dedd5c9b30ef1e5d0612dc9710ec94306ef7e49338da93294ab35199b87b284666406e00022554311afb6a6ff4633e50187422aaa4e26ab552b90a89c414878 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1500679522" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1500679522" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05c9d59532edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4840 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 4840 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 4840 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 3836 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 3836 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 3836 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 3836 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 3836 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
PID 4840 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4840 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 400 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 400 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 400 wrote to memory of 1612 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

"C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe"

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\542941.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 ya.ru udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp
US 8.8.8.8:53 www.cheba.us udp

Files

C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe

MD5 9ec694b94c8a5d6a0fd8f35f7d6df84b
SHA1 f43e7a2301c759e72f75f715f27efb7e531f51da
SHA256 7d6968458310cb5051f4d706fb4890c200ca637f037fdf370b9125e134dbc458
SHA512 efe796c0921008d1465e8e40bb4e519ee8b6a6343b76f8727a04bfccffacf0953faf49facd803c555072d32c0edd74de073bbf66f19c7038a41ec07d81ded313

memory/2232-9-0x0000000013140000-0x000000001317A000-memory.dmp

memory/2232-12-0x0000000013140000-0x000000001317A000-memory.dmp

memory/2232-17-0x0000000013140000-0x000000001317A000-memory.dmp

memory/2232-15-0x0000000013140000-0x000000001317A000-memory.dmp

memory/3836-13-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\542941.gif

MD5 8eb1ef360497967f27dc35bc7f5c0ce2
SHA1 271c181ed96278b060b945094708fe72a7b57403
SHA256 ea117ee202b51ebe3c07867d21a03da1d34257ce48407f4898d432ab960a8b87
SHA512 759273df0dfa6580c2aa56368879472efce01f967a9b0e489c9a5b271e7b392fb5cdb1f576613f75424037a9b7f64e656410fa4239ac06a2b771d03968051634

memory/2232-23-0x0000000013140000-0x000000001317A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 19d708493ad4a370288ff5a144985118
SHA1 88363e78ecaaa248beb6933a5bf9209455ae459a
SHA256 6b7564f59f84e38a5fec4d3b7e6fa4fd5c8eb5ebbf77fd536b8ebbd4926fe905
SHA512 899bbac7464f4813ac93b566889c25a3f8a5ee372560c43a725d1bbbdc538684c534816aa9c06714c07c0efe48b11d26fea49b3879e88cbb9b377b627fecfaf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3bb3bde5ca9684bcfad65c1cc1e82618
SHA1 1f0a1ade374d90a3954d66e55a93fc19a2d9c440
SHA256 4a6a9a14981b3cbf02d080eef44ef4c357abcb9062dc15b6e9124a03f27a4f8b
SHA512 144b3801cbf195006607cd68dfcbd61640e2fee4b29a9417ec96fb15504a70a41ee3b5be86c82a6ecef7f7fa2a8ac37189392844ab24d0768927c75fb358f5da

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver211F.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee