Analysis Overview
SHA256
33b184e58f93b2743c1a68fc9c33f80974820b753e8b4bc223e17208dca8cec6
Threat Level: Likely benign
The file a8f95a80cb276dd0659c063e45107b8e_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Detected potential entity reuse from brand PAYPAL.
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 17:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 17:47
Reported
2024-11-27 17:49
Platform
win7-20240903-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BC78DC1-ACE7-11EF-9F4F-6E295C7D81A3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000009f575fb7f33d61c98a95358bae2ca6d4957f61b40f0ccf00b8b1c80f56974f84000000000e800000000200002000000041409a54f3c53a48fcff9bdcc0fa25ff977671f2b2f4c90f5c9e0a5925577ef720000000548ede3d9f9644b09d791efa3589d802abdb692c2dfc43d242587b0e7f24648140000000240650deb81af324f571e2805f90ce26d4b0e5a18c8cf84ebb4c6d5f199eab12ee4c7dd90e16478166d8d318705e113ba5833bae5af142c5c17f43b043724660 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a9c771f440db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438891489" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2424 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2424 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2424 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2424 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a8f95a80cb276dd0659c063e45107b8e_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | css.julieslight.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDA2C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarDABD.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ded67f86fbeed186065560c3d781aace |
| SHA1 | a967590b51b522e409392ad7127187044efbfebc |
| SHA256 | 355a1c1ba1f7ada7b263d779665309f61185d0824f4a720ddf2f81030042df14 |
| SHA512 | b7699c67f0d9d27cdc3312fad0994f5fffaaecfe7d5d08321ab5bf867c6a02fd37c37f7f0e1a89df5cceda37235d467b5984a0e0acd357124054e8c5b1321b8f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 127ad1ec69dbc2fb627481f594fc22de |
| SHA1 | 9f2272010c7d58f0abe74887ee9e053ef10f054d |
| SHA256 | 2af7695c1f783ac6626ce6c42d3337eb88572bf3eb9abf0ada765da7e60fbca3 |
| SHA512 | caf86ca6ff256457846cd3d3535ec14ec79377858701fae452227741cd10bad35daf0d771eb7a1f83f0d42b9970036df1d82b9f51d8c4ffd361458dd2ff17c3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76abbe56a621a2bfd9d77970b64defaf |
| SHA1 | 01b0a40e7ae7dd74f906d578d788cb9c86bdfa36 |
| SHA256 | a460ba0d9362b1dc784d267dbe6ccfa7a2c3a651bcf95b6ccf670543cba9b9c7 |
| SHA512 | ffd1b0819b952ec48b069772a97a57b0b245fa3bcfc48813195b30f4e19f2f220d51a915cab8f70ac0a83e35892fab793db50f7edb26e1316c720cf24aa2b255 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 514a4346a24cec2e4cd533f886c54e61 |
| SHA1 | e792c2a6b6c06a6d7a7d75f900d9c76f4fac3631 |
| SHA256 | 1da63e7588dba3006a061a52e59905a56717384c30115189a3366b5c4abdc4e5 |
| SHA512 | e9106ef6508225f533aaf7f6c5a0e2e7133396815958b3313b1000578dff8c3010712f18b898489159ff5d4a31f1fe68d36da60a2c312bbaf9c332ff3eb3d705 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e36fb7fc2167a21167ecc24f0f7b14a0 |
| SHA1 | 789aa4ffee44e17b68a845f8e0a871a78dca60c2 |
| SHA256 | ceaee6a1eee8ea11f20f3589a6bbc7bfc001384fe9dc85b1abfb058eb95fa847 |
| SHA512 | b59c763d0c6237e134c10c174173028b2e1b02fedcba391124cd13e48c855ad018a685126944af5672197450709c1a17c98aca7442ba9206822cbfe6dad1635d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57c9b0890a96660a1fea239189b09595 |
| SHA1 | c8e134e69b0f4d2607fb809ffcbe636c2c3cac88 |
| SHA256 | d32503bb5e6d712ea55fdc0c64bd3a99e407ecbd46051b91816c0b6368efd05f |
| SHA512 | f8b75fd1b067e7e583566d0976361f77e9e50920f06d789b41ecd4baa895a563ed2cf28573983d022417a476186432a877c432af6a8bf294e940fcd7fc4d5ee7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b3df0aad7a9ca75d44f3f6366412935 |
| SHA1 | eb8058d57db43af2fb579a23317be02d75d63103 |
| SHA256 | 8c4761af210f2ab578d825f0408c1ef6b2600f75fe6d7b66cc184cfd83c6c9ac |
| SHA512 | 2b03b35e4b5dd880e48fc2e8117f8d843f4a86e066d15973b54bad4eb828cd20d44e4aa313454e030ae2ee31d04a0bfb84b2f83ce9920b799a2cb4cd9d337a5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eca85a454156bcc088a4090071d00722 |
| SHA1 | a2f7dd62da23f2673bdcd93f9fafbf4f7c7debe5 |
| SHA256 | 49a8730aec2b2988942b21ab089dce7a410d5164db9e9063ab128a346fe7d2a2 |
| SHA512 | bac535c088465f94b90d7bf5dcb744e50f76b0855acf70fa68d8cdfb6c76dd7062462be50d714bae5cda89d08f037250f745ff646db405f0edfc92e5062d5d34 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bac466388c569e7e5d746cd7dcc85592 |
| SHA1 | 80bfc9a950396510d63a36000817e363f3e6664f |
| SHA256 | c806555c940582cd895fe84d5cfd8a1073d5e82424e8bae23cc5e9b3547c552e |
| SHA512 | dcb66507768c6e60fc159833573f4d573db07438db305afbacb121444bdfcc7d39cd9ee44383bf7e6e669dac42592e23ae6653e305ae66c0f0487c1b004ab22c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1d4154f9b0b75cf436fa27432be0935 |
| SHA1 | 8a3fe8b22e14cd4108dae2ff559834ecba6b30f6 |
| SHA256 | 90d85884c759b65e61885edfabdd3761c612fdc22208ed1687e9a8ee339e07b2 |
| SHA512 | 9b1a081949c392445d28aecde9f7c15751945173b461b0259c8a5002bac66f5456b10ea9458fbdbabd5848b03ff7bcd1bacae4b1cead6a14f55c2e0e4daf6b5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db57bf1209485a0aab67b5871407014d |
| SHA1 | 33f8e1820228c714b231bda78c3f0da5473fe27d |
| SHA256 | 0d0eceb1db72433fac16cffd7be2dd89a4e1d79c4d545d22f083e2b4be0304cb |
| SHA512 | dd60127d07847d49dd644323e883b1d457c3be50770a1b6e6e0153ca101dc83406792b01f445657cbcc6a7981d2561df060152a784d2b6e5a5333161b7d5941f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | adbaad0bda96c4d8766f45d241d0689b |
| SHA1 | ec57caec4411675d34beeebc959d2f66e27beb06 |
| SHA256 | 75504ce29c4a2e6ed734ab41da2ad93017ab86e7801237193de7d816b5f5ef32 |
| SHA512 | 309177a4fd7043586c288910e237684682dd4c2a7c8149dd297e2d526874c1a8de82e6eec086144109991c55e13fd100e2b689c339fc7a7794c2a88f58b68120 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 114f9a9ded4abccff688ec65135efd8b |
| SHA1 | afee8ff59fed539e3e822cc8faba59e968c207eb |
| SHA256 | 14e9893776c96de610fb775c0ff5d0bdd4e9dabcadb5cac0c58ba6a98acc1dd5 |
| SHA512 | 6e44cdca3bd18792bc9511529c7ddb53755b8080ba8c4bc281cd1988066b1c25fb95c7d66d07137b2342c9294fa4a0b784ab7afdca0257a85592eb23e30ebc99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c7aba06a39ed93c60bd7719e26ad623 |
| SHA1 | 7c935feb07b1ac5de7e170ee2ab5a7b7d03efe41 |
| SHA256 | c586124f521227872271ef4b33d77914548ff3872702e4278e15d9e4e08f6703 |
| SHA512 | eeaf0c119c38a510d0e2782288c45acf84dd56746a74d76b4f27315416f47e3769d7e849d558e2716636cd52dbd7515ae939f01c6ea7d5f3a02d83038a35d1b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f79bf0d1d7cb90504a315b12e8e7bc4 |
| SHA1 | 4975791150868f4b680d8ebca2273bad9cb14435 |
| SHA256 | 83ddf2873c460cbf6806a27eaa9999306209bcbbba59143ed82f01a4bb9b5036 |
| SHA512 | 777e2e96e9d1a7ad64a00c5584921136a4f1f401c9f1a3a2e38b0a96559ea32ee53589a6daacdd1d4146fcdb00b5ff827b719cc8198bae1bc419a76be474baaa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 37f4521460a8373ed4136d0299cbe540 |
| SHA1 | 470ad2d6b79637631b405d73d4ef0d2edbec2956 |
| SHA256 | ca9e59ed4cd629c8f412f28e3677336f5d14370084027785af79fd576928e579 |
| SHA512 | ec24a9b8ff3e2c7a6673becdbc4c5478b7f25c039c9a4ab2cde62a1db6e5ebe5a383ca8a477ad257deab75bb2576b4901452b13eb3684e071d970821e740c034 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40b2a995d5db14f08fa828d8fb8913c0 |
| SHA1 | 3444765b805b78efdfa844ced00ec69768de915a |
| SHA256 | b808c72d3336a881aca4ba66512a3f1e3378d7c3cdc1e4e23766ac7ebdc2077f |
| SHA512 | 053776ecbc28bf155f1795784b938127450ab69820b942caf824e0db177b896a49b84408acc1dc95ef57dada807b3689fa7f3e218ae4c4ae209bfcc5981486ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84635577cea99264deaa3c5fe026f552 |
| SHA1 | effb21880add526e081a5f463a37b33014f2d070 |
| SHA256 | 7f669825856179d64576250fe54e7b7f9505997896975fa5197607f9b806419a |
| SHA512 | 19ca34cdd29336e786f6764928d2a23548aa9f3a73187bb83c2437be5bb6618da42c000e26b8bf960d7a982b1ebbdc894a0b1dc5bd0dd629f1e79a2d0cebda43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a2bcfd67ce7227abd320d44cd179bd4 |
| SHA1 | ee48cd94db8d14c83d631ac67ba888f2206f6fb7 |
| SHA256 | a44cd07f7135f589d1993b1baa9fe4279405b067b2d2ce6b28c108dcafaa24c6 |
| SHA512 | 2019ffe49a63fe7c2a3fc1eba68102253bdb42ca6eca729722a22473406396f88782f3a1ddc5bb400b02469ee5bee2b3ff8a404cf5c528aa85097011c40cd458 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb307142a25521e29b35812c113a9c04 |
| SHA1 | 3b3e4db54841cef6df1c3a802a14f5032ba68842 |
| SHA256 | b1a6027ca28ed89b3e4783ae313ab6a672171e3af477d2d586c246160c22cb88 |
| SHA512 | 78b50c3b001d37e8a6891dd2ef03ef6e93544c9ed27a2ef806d8cf3129f987ddc4ace16d9306cd11b12b9593a889bbc738d7064dd90ff4caa677fe8411b4d051 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a95ee2fe9bb2be9e0c587f2efeb31e2 |
| SHA1 | d857b88f47531dea66295b58430a0bcbf66c5c14 |
| SHA256 | 017913b5431960482547833d4bd7f36b831a1755c451799572fd549591bfd7d1 |
| SHA512 | ea63a389d7a71cf51d898a298594bead86902285a6565c0922fb49bca383cf36ddb41af6d7c500dd8301ea6087a9820fa18595dafffa915f7f7b6d55afb6e17b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 17:47
Reported
2024-11-27 17:49
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
143s
Command Line
Signatures
Detected potential entity reuse from brand PAYPAL.
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\a8f95a80cb276dd0659c063e45107b8e_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa569546f8,0x7ffa56954708,0x7ffa56954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11861637395355785077,1724483248741577513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | css.julieslight.com | udp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| SE | 192.229.221.25:80 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| SE | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c2d9eeb3fdd75834f0ac3f9767de8d6f |
| SHA1 | 4d16a7e82190f8490a00008bd53d85fb92e379b0 |
| SHA256 | 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66 |
| SHA512 | d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd |
\??\pipe\LOCAL\crashpad_2036_WZHDGCKECMTEZRKX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e55832d7cd7e868a2c087c4c73678018 |
| SHA1 | ed7a2f6d6437e907218ffba9128802eaf414a0eb |
| SHA256 | a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574 |
| SHA512 | 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ba0538c3daa6735ee21e6f4bd11ec7b2 |
| SHA1 | 79e38e5480c3d4b70998f3f57adf6d60c03ba301 |
| SHA256 | 16dbc9ab23d455f9881fbc67052cb4ec759c14fde4e3707280bb0624aad7b13e |
| SHA512 | eaddcbebffd77c7c88b975d8b0cc9590a56a042fd70b39978af31196e5f5ad05ccef662a22b06b52c3780cf9a27f11a4d9df783958fc5fcbfcb045e89be73732 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e50f2550fdd387dc1012387c61b650f3 |
| SHA1 | 7359de97b586358af29f0f2570e6057e407c27fa |
| SHA256 | e32cbb73753b7d9dcbb35cbeba42e34b2aeaf10ba4f8762470e7dfda68eca237 |
| SHA512 | 446e694a963017b2843a09abd66602ddee1b621d3424b3815de35ef1683f2c8cb8277c28b7d5a1675bb34d9d495c8c5cf814ccc55fba465cfdfa3d26ad8c60f4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b3c014ff-7930-47ad-a19f-30bd0f17232e.tmp
| MD5 | b2a717879b497a66dcb5ce5aeb442e5d |
| SHA1 | 86823933273b050c3f8835a6b3790ad2417a1116 |
| SHA256 | bf688c09d4a6c6482ee3d26c82cde2030e011132f271f297182d09a434e112b6 |
| SHA512 | 688e93f624bac1e9a79b643084a3aa931ae91abf05b6c7b993f03fe61a4b3d4036d3d5cdc590986fb911a28c2d8a376d83ba9fd4a9d6a0cc12a5727cc7fc4891 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | efd079652ad21c50d69ad30ccf61a40d |
| SHA1 | 000bc74057bb6ab42d2a160349e1597edb211bc2 |
| SHA256 | 045646bc1a87f1ce57c87ba8a6ed5332e36f71e667ac712be1df2fef80385f8f |
| SHA512 | 35f643af8bb12bb445e3e6ce7577376dc69010ddf8d7e76752d703cb50f091bdeb9947b9718baa6e9e286d69df19a794522e446f29d58dc26dfea571045f51ab |