Analysis Overview
SHA256
9967e997ee61d56d6202390977d5d76eca075488aaa54ba1222ccb1936e9af20
Threat Level: Likely benign
The file 9bf8a1172efff2d5323635940759f98f_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Detected potential entity reuse from brand PAYPAL.
System Location Discovery: System Language Discovery
Browser Information Discovery
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 14:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 14:07
Reported
2024-11-25 14:10
Platform
win7-20240903-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000002e407f483120f44d501134debd30701d30a8531ecf116ecfd40931acffcf8034000000000e8000000002000020000000c64251b59983cdf10e18701e96e3cde183a7b1a7891907fa30ea50eba10580be90000000311e58d7e6e54bfc3744553060c5455d0fd862f60529b8c9ba9c7ec2dd6d62ea0d3f011ad402760b1a47a5b44953d1b248f99fcecfa99f071b258d556711b75067641f747b8b1f3d35efce93fae2d90a1c757b2ed32bade0a5cf86dbc8c1a19270158f8f37ad735dc9976cef8fceae6f03491433f3d986344ec8a8cf292c14369a063fd102def3366d456dbd4ed0b7124000000010798b229b5e355477232094f925520b112f44edcfcd95c49918e9ba234e11569d7ceea56e826fa777ad9afaf407fa2769887be684fa34281a19e2d4faceaf5e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306c397f433fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AAC60AC1-AB36-11EF-B686-FA59FB4FA467} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000003e4b35b235a8d6f7920db80abde31fa3682ca75fe4d01f65c1a6d8d559f30c4000000000e8000000002000020000000f4514f60db9cdbdb85336de87ea6cab6750ef47af15e9a67a43ac00193a1692820000000682ec8a58fc76df35c339970f08953b6bccc91789998b00839b78344a72260204000000006a9358985765cf29f79eceffa8e8cea2a4f4fb00403bfc5cdb9a4b64a4919569780af6f56708250b6a6a7222420d090f06f76feb2e1ab857221b90142d0b5d2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438705542" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 2808 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2644 wrote to memory of 2808 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2644 wrote to memory of 2808 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2644 wrote to memory of 2808 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9bf8a1172efff2d5323635940759f98f_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | css.julieslight.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab561.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5C1.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5f94810049c5180124136ee533b419f |
| SHA1 | ab8a73ac66d97bb93ada16de534dbb0766b9981f |
| SHA256 | 8bd67ef13d2d507fbe0e6092cecc86b913025e3602b2f7272f0eaa62592f64a8 |
| SHA512 | d5788b75ea9bf623a7ec578dd644e93ee7533e27235a221c7da51e7815e16941753b02633bf735cb827f03f7ba8fa84fc4796a818641b0d71ee0c34707ed3435 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16b235498c5ed766f0d11fb88b0a9b3c |
| SHA1 | 4ec3a679a9a978bd6b2e4c159dee041766df3ba6 |
| SHA256 | ab35938a4adfbff823c51cd56f9ba7488366d1b773dde4a84f02deabed400b94 |
| SHA512 | 0abf442be6a0f7a805813153af7f2821185ea98954f31d4414561731ff8a40229d095df1a86c8669fb2c71485afdb121ba84d0dc483ba50e4a3dd62c2033d65c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4c1e4ce66ad18811f24ad2a357e620a |
| SHA1 | 928dbe07c4c64cee2b9e74b260d7a2c5a773ff93 |
| SHA256 | 3b852f5730563d27df3579aa9b0b51d49146ffecf3dd9edc8ba6bf695838a918 |
| SHA512 | b4988c7bc7021b1bf043b2813648feafc6f712053e844cc972e7f61646a491a1592aacd7380304af4d9077bc0463dfb7b8d6c000310bb68ab474927700f908a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0db79ad8caaa5b03c491b4aaaab127f0 |
| SHA1 | 6251778d6a5f398a4c8ea9622e1fbb5fb67a7065 |
| SHA256 | fda9bf9ac0cc868d9891de9734c46e873121b3cb7c29e656ae67c716190d743c |
| SHA512 | 3fc45e7bbf0a2eb49dc63561cd0674c7d8422f6f30549582da0734ed827bce82a1e1b339537b96a96de6b9a922a2da4a2639343ae1ecf843e049f4ceb6d0a36e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1bdf9cb76fa7594776fbceb9548404b0 |
| SHA1 | 951a29061fc045c3d250ab05b63ed7c78c077c0a |
| SHA256 | 32a1cffd7ecba0b05e39ac7266957900c19315e1adabaae43c1331954e09ef77 |
| SHA512 | 97b50f5d18c05dcae24948a24afcd45474ab8fe2fa958b1b3768c8471a0565fea60880e0fdb3695d1befdab6345664db6c9e84e6dd1ef7f7b7ba9480934f7784 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f61077406a7d9a655333b088ed007a43 |
| SHA1 | 9146a8022ae4a63c32c95c07cb357bd8150801b9 |
| SHA256 | 419e5ee5b4c2acfea3f472758b859d084af3d363bb50143a0dde645cd538ae9a |
| SHA512 | 1fe565f808d9f18d7179b4acdb6a918614ddbbd1dff3d243f0b6a9df0af71843fa59003d841a49fe8f0fcd32e82f02934aefcfb6c04e57efb4b5bd9ffabbe3cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 32f46beb6e743ef2e803f3f06fa9e41d |
| SHA1 | 0f21cd0d511446f925c3de88af2ab83599c5fc9b |
| SHA256 | ed678e450ff42518bf302d263a4ab074b99a2e44b12b7ccfea24f612d645f465 |
| SHA512 | e183c8fccb351d845e807610b2d7eecf6d051f6eb871528b7cab593051efc2844802f22faa28c1de3a01d6d4cb5e516b80b8f987cd983108878e0764e899d3e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3327fe4ff79e8f810150d8c07ec7da9 |
| SHA1 | ceecdd61ae9b38b1b29cbc252b5ece565f5b1826 |
| SHA256 | 7cf8a62c3d7dfeed927a0b3df4105e565beeaeda65315ad02ab2905d3e63a894 |
| SHA512 | 54c6c5559b0520b07d7603209159d4a0cd299a74fce5ad432ff68a5be780c919c0b067c29d96da8b572d8e70080fba739afe688ff1b5687b1ac167d7d4226c10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de149623fcf3f1b62f05a601c5a46091 |
| SHA1 | 64815346742c4de6fc8771f2eb36ab5a128957a5 |
| SHA256 | 38405c85633ff0e74409e3a415918c2b093ba51fc66dae5a11a134ee817497fd |
| SHA512 | 6b4fb4cf7d0552434284384ac4b9c2d066289459238d6e28d3988c94af989542b0eeabe76bd1323a54d239a5ac75e815c7b1ae5917b41395094a233043944c97 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e69c269e3b5113164a7810845b80c014 |
| SHA1 | 8388ea7fdc42208df9568da392564c77c345bd28 |
| SHA256 | ed5c9cac5540045e2b22fe097438dc13f83a3532ace5245e2b08b2e0ccb5c818 |
| SHA512 | bd3bd8a15d3d29ebf8607cf0e27caa948dabbfcb0ae34186b0ce0afbc9e9edd337588a87cfbfed211aec3d4f314d7539377b2512101e8a8056d5b943be55d994 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd600463adde34d854ae7b5b9790f326 |
| SHA1 | 3f0f858a60b6befc394c8e5681064e38d8b5adf1 |
| SHA256 | 4d83103dad6598d0751b9a975ca4b22eba6172e216e795bc5cd5a8d96b3b3509 |
| SHA512 | d40f655e0e6636b1dd1c11c9ada543d56b880f9132c085f368acb630c24b385000e1d2d5295178904ab920d395981ddaccb6e50b496fd2cab5949205697aab8a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 867f7015bb756a259d28637b781cc6a8 |
| SHA1 | dccbf573c0a8bd8f0091f141af4b4336f5bcf098 |
| SHA256 | 8364bef424ef7e864a80a1afce8491d74f2f408bf1762f730e60555f592a583b |
| SHA512 | d93cd62a466c752808a24c884e2a41ac3a6d7800ae3c0885dd13fd5280a5f506fdd64a68d565fe331e916c801bc9a53f70f6d3e3bb3a46662d940426b17cbe81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c511a7f9320280b4e7a9e9cd6b0ced8e |
| SHA1 | fe5a06bdc6de659ce0489b430f58b0981ba0618a |
| SHA256 | 38b61706da995a0d2ec832f49f23ecfe338fa0305c5632d85d99ca358e104b76 |
| SHA512 | 3871081ec1731cda50a74440163196c6973ea3767c794307abde90a946ac9e78789ed2f6f9d17f780867e4f9dc7bc5ae3191beead8caebf8c780eeec74473d04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee6a080f68120885d023082bc48c5f99 |
| SHA1 | fa02896af0de57a958cc0792f949766e7cfcd7d0 |
| SHA256 | 66521560f5e56cc3df4c0d659a75c601ca700a5b4ac6cc6099980f2bb1ed92b1 |
| SHA512 | a5c28cbf0308776f260f11d9793f2f6073bb714293b5c821f504641b78e820136c4da5b88f1704ed29cde915138672866089af17980d53b792837fd7bc09085f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2156489f2fdc1d724b91a711396d6c5 |
| SHA1 | cf7ea9720ce8f659a33a830d51636313ef9add69 |
| SHA256 | b8da08424ebc2bc39a2c34719d54ad8f266f66f7c007b6b2c84fbef375088b9b |
| SHA512 | c6b28256a84cadfece2c9db1ebe6bd46d28861d1f5afa796fefdb2b47849003de095aadad21535a98109edb960d90769a4b55257a9bf5623cc32d545ccffbb0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 097b7aecc79194110e100c8512d145fd |
| SHA1 | 96e8abe682aa0e8e1cab0df40f4a855b82f69d37 |
| SHA256 | e2bcada2e25360a65538f728931e4c6888674f10a130d452d1b2c1c7950d3460 |
| SHA512 | 60b5017bf8291ee9b2c7d8d89d58352419c7978e4d9fb368473509f78b555925bd1602894f5b968d7c6061d3c04b6f2fac4733ff9473099111d52e325e4d3721 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 861dabe0a3701b9f3a11bca1460653ef |
| SHA1 | 02815fc9f8c4687dfa1a5b99aeeba50bb43e1c27 |
| SHA256 | 16be08cdf4b96919d12becf9241c35aa464f5169a2f622dc59fca8e1bc8492f5 |
| SHA512 | 45b4692454e74bcbd4633bb093369b98401015ad91d246caef9871ee9eeaa2a02bb7ac599a407e9738284caed47c7a272bced5cca74a2e44db0d3de967a62df6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7487ce7844b6d43d5e34531e8ab6a08f |
| SHA1 | a761cfae071bf8c71fa912ad9bd60505ffeba74c |
| SHA256 | 7f7c3e7ba45f6330bf20506c6e56f8168933b0e129e7024ab2fc0cffaaf3045a |
| SHA512 | 34b73d4152f0aaff3bc7b0c2d595139807717317e8cc19724eed506697afb5257770e19edde26349ec0de13a3302a5e4a8ef5abcb396fb48cad04568426f6118 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfd7992fc79e6f4ae324f29a02cd5dea |
| SHA1 | 03da922bf59e83e415f4b94b2e0959563a1830ea |
| SHA256 | e24fcfe6972082fd0657e79d48b35e45c105fd2814994d6bfa8e53b77577276a |
| SHA512 | e2d446bc4b03857a7e219a62f084182c769edb8e8a4eab1b939dbfe9109e00b42b3630f952bc4d904998d4b3e8e70b60a0603773b48caf183c848d3764cc98e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 14:07
Reported
2024-11-25 14:10
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
142s
Command Line
Signatures
Detected potential entity reuse from brand PAYPAL.
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\9bf8a1172efff2d5323635940759f98f_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb3346f8,0x7ffbbb334708,0x7ffbbb334718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13813718268333256124,8773673841718019140,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | css.julieslight.com | udp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| SE | 192.229.221.25:80 | www.paypalobjects.com | tcp |
| SE | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36988ca14952e1848e81a959880ea217 |
| SHA1 | a0482ef725657760502c2d1a5abe0bb37aebaadb |
| SHA256 | d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6 |
| SHA512 | d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173 |
\??\pipe\LOCAL\crashpad_4752_NFMOAJWMRSTBDCYM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fab8d8d865e33fe195732aa7dcb91c30 |
| SHA1 | 2637e832f38acc70af3e511f5eba80fbd7461f2c |
| SHA256 | 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea |
| SHA512 | 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a552b22f5301c2883ce234438c64355e |
| SHA1 | c6f3e2c324440d008d1d3f96da9201c4e72954d3 |
| SHA256 | 7ca183104280aa5199804a98b2fd27fe0f0b42da8a37cf52aac68c223deb2370 |
| SHA512 | cefe0611d03b3d8ff2d30b915514c7338b175a75930efe1f5797369e2bfbac02b4275286ec640f3df2a6e0741134c8e9d331f9691b9c91f151c98d68c962af14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 99a95e235fb0802761ebd9ad0685d976 |
| SHA1 | 445191652c1ae52126773b5b4a7a7c110f98177b |
| SHA256 | 76c841f10b6dabab45b2631ffc687d41d4e03b78ee82372118cbd86b0bc94a88 |
| SHA512 | 6e286ac9972dca3e7ccdfb9f19495ba36f37f0ffdc031e3c83be0827ebd180d680bc1cff24264a088a10ed958e621a7bd0d4b608874de510efa3ee971e681a9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f5418c6f269ba561c49fe91ff4f385da |
| SHA1 | fb509ae5c42e6c1d4867f81693852c7a8d1fbf2c |
| SHA256 | 2fde5e5743d6bb9aaf77e3b04a1d5d0e3871dc0cab4fc7c11cb1c43378e3c623 |
| SHA512 | ac05f1b8e0057b7f2eb2d74096b70545edb1ffe9d3ae0d3137a083fc589045ae2c26496946a03d05bb47080e17eb9ad12a84f1346a0f0ebbec15d5ad4d5819e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | efd079652ad21c50d69ad30ccf61a40d |
| SHA1 | 000bc74057bb6ab42d2a160349e1597edb211bc2 |
| SHA256 | 045646bc1a87f1ce57c87ba8a6ed5332e36f71e667ac712be1df2fef80385f8f |
| SHA512 | 35f643af8bb12bb445e3e6ce7577376dc69010ddf8d7e76752d703cb50f091bdeb9947b9718baa6e9e286d69df19a794522e446f29d58dc26dfea571045f51ab |