Analysis Overview
SHA256
e9bc6d9a2f1beee9a1bc7cd7a5f244fd72f4bececf7799f8b3788491aacee67a
Threat Level: Known bad
The file afe792e92c8def79c88d16479c8f9051_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer payload
Isrstealer family
ISR Stealer
Identifies Wine through registry keys
Suspicious use of SetThreadContext
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 08:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 08:01
Reported
2024-11-29 08:05
Platform
win7-20240708-en
Max time kernel
117s
Max time network
130s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Isrstealer family
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | C:\Program Files\Internet Explorer\iexplore.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439029244" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57C37981-AE28-11EF-B33F-CE9644F3BBBD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2156-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFEDB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFF8A.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83ef717f6d77ff725bee3117eb0b2ed8 |
| SHA1 | eb673682b4e408fe6294fccf4325a19b18cb674d |
| SHA256 | e122935f6bde2b53059663523d7d34076d789bf12e34c3aed7abcd4b82532f7e |
| SHA512 | 15e884b8e24cd052b2216f9e98d1f90fefcbc3b571ba09a4d165e4953419ef1dc1db7972ad7746ee2129b03a05e33e0f6680d4ef6121f64cd5597390ff3c4518 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef0a1cf467f1a2e25161526c2c6e3560 |
| SHA1 | 021fa09d3da8f245f1a34461be6d3571415cf29e |
| SHA256 | cbbb5754e34da48d8d556c43df788158735565f621f0318adc9260eceffe7644 |
| SHA512 | 035dbc74788b5745494184cb2a572ada7d5add703544012591c2e2506afcfff7199df8298856384158ea82e2ce27d42f9df4042553d81c267674779efe7e1f70 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc695de825ce13ddcb093210a9988c74 |
| SHA1 | ccb0f5300fe9be09c103b4ed986b3b70340fe3b4 |
| SHA256 | ee2d6fa59fae4dab60ddb16e8aeb57161c1d8d4f23602605e5c6d43c26865e24 |
| SHA512 | c495e590046346c045eb496df13138a2b0d6fc5aecad653f27de22a47fc11c948dcda50a09fb389811e8bc9717e8a976c67158c089d98b2e22b58f1f3b28b1b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 065112c667fb90c42ed01c671f0f0464 |
| SHA1 | 30698e76370f724880f4d9c160679c82c0ff56de |
| SHA256 | 47d61ad53d5c1ebbba50a4748e3b8d54d1fa7ba72b75f1dff818294965a60335 |
| SHA512 | 4c0bd2efef70abbe598f1ddfd0405d9e5318beab92dd0d79479c4bea8a6ed5a1ac44d2e982980285a7842cc8add7ccca619bc950f3cc33f263f5cf7eccc080bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9101e9eacbace736764ca6a8bb209ef3 |
| SHA1 | 3e5640da360a58afd3d082f19d740138c80da26f |
| SHA256 | b765475b7ca94d57ea0f2a052ad5460d8ca43832cb9a02fa774b8f0937d2db47 |
| SHA512 | e43d494ad823c0ca5c1cfcd1da4c596684ad642205ffd0439d74e6abbdb781b9db24a8b1c7f8ce568e6118bf8fd3e71a5b3863d83c1945c57046a2c513e6929b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b445637dd4405f3df11418d7bcd9a2e |
| SHA1 | 63c665362607eb578ea01333b359049573d8446b |
| SHA256 | 9ccbf0074d0fc0bb69d475927ac0540713ce126787dd63b4fd42660a444f7539 |
| SHA512 | ac15c3bcef810ff48ed6a5c3c8683a0ac15db756ab1aff863644595e156c7eed485867de4004b73c4cfdaf0810c190193fcc663b5557bcece97bd8bd3e2cec36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd761defd6d1855ce2fa1b688ffc86c6 |
| SHA1 | bc676e8a6e82ad7ba4d60a8a21569f3eb4deebbb |
| SHA256 | f98ceae44920dce06a7002a0aedf79d2d4766af7fc1e1620177e5090b40e41bb |
| SHA512 | cd1c9c3e945ec9a3c3b00d041109ad4fd1ff0451260318ebc3c9a85329aa5ce9a0763b45223f2fb8b32d3b9f556b8342997f11ddff6fed9110a1df8e4403a7ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dafc3a407a655882acdb6d65132fd168 |
| SHA1 | 17304bae1e7e77ad54754eb6b47a48556e5e232b |
| SHA256 | bf953868b4b3ff7bfe0d1c4e4d14e5a0b68fe4bbb7aa80603277db73811264d5 |
| SHA512 | 1bf2858db2eaf61290f4d6730b4de92d62babf7dfe9df33b4803120ac9662fa402d5db3fe94a3f2168198e40ea8f9065602104d07e8bc6dd0e295a14e47692df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e063e19130cfdfe38e613d2b6400a307 |
| SHA1 | 4aa272430a4e3ff795507dece593fbe600039a3d |
| SHA256 | 09ffac5e81a1f610c35bf80d9cd1ecad5ffab581e881666a0316a80dfba6a794 |
| SHA512 | a589927767dd2964c2fd689e277e32d4e83d432a2f16ce7bcf6f9f066bd808df325cbb1bb7c80427a495f94575536d09ac5f2b2e15cc880c247d8ce3a934bd2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60d6aaf196de8684257fe6900ac67912 |
| SHA1 | 3e68cb3288b63dabf96a4eef4b0865d91bb8d5ec |
| SHA256 | dda6ac0cd50e1b89e1b14098b09f2f90cf8dfe84a894bd99b2c712443bb2790d |
| SHA512 | de04be558b5231219d893fb1024437c6dbd0d144e611566b5c0a160aabd8df23732f53b4786ace82bf21283fe99e724e7d83e97d8431fcf76299228082597c3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69abb376cffb0e89517c56fff91c70ef |
| SHA1 | 8b2c0856d63ca8fc7d536d9090cf188eb697fa83 |
| SHA256 | 265d6cd719f55d575fc7261c15de9b601d158ad1dc5b6f5f1694c51a55ff9164 |
| SHA512 | fd1fa9aebc7300b7e767d3d41640c66d66b2064f464b070e2da8b650bece8186c2ea8cbc5fde84c7fed869c1fa93088afac94302436f07164b15078dbd4c47a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0a490f52533c4d274fac2c5e804578fd |
| SHA1 | 86cea20ba053253e2b377f58fd2e285dce4c4420 |
| SHA256 | a9dfefe58c58fe27c8a21610866c72eb438de650fe48acca383e9abeb3db6d12 |
| SHA512 | a4f1b56f55f26cf8bfa162781722a286bc0fb66a2466fdd957e8fe2b13cc7cb8ed2b5a7aab225a69d8268fb6fc4e0339776cf5546eb6b95d8ec7f121621900eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e201a3f01de5c50b71697dc8effd60b |
| SHA1 | be73d9c4d9110f793b89f117170b149db64d740f |
| SHA256 | e1f6d750012457ca25c3102af5091179b2792366a703938de35a49a7ca920bc4 |
| SHA512 | f251f40a4c4bcae2874896deda6ab10828ee658729ff9c3a944aea9763af607747f7382480814f62bf7cb05f6c53a3b1856f5d4ec1a854b8d26725791c502a19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4450cbc62808ab89c782ba43ca156991 |
| SHA1 | d9d8dd3e71d02dc9bdfa7f107b1dcafd826757b6 |
| SHA256 | 6f9ad8e76e05d02fe12893013f576e47ea003b716d1287dd9a48ac2522fd86f1 |
| SHA512 | 1f77ca4f677fc241b572482b2dbd816d4b870b1e512e4dede05d878c52849e75d888604e862cb5f4f35444ec4958781ffe8cec7e9cf8638626c88144dca171f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a0c77dbb8e56b774d32da32888c26ba |
| SHA1 | b36a8238d1da89c6bfe2dec4e4023f144d22dc3d |
| SHA256 | c6379d605bc5583f19784868b68e088852085d49be920c6f23ad417fff4fbf35 |
| SHA512 | 72d8a543a6dd7d36638d1c236d581294435762f75955e8c7d92c1922042cb86b0c029aa3c35fd2b373139212e4dcd266cdf437ccd9f672a75b01c7b700b82254 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c73e88465a9c0863628225906024d96b |
| SHA1 | 4c2c73b9cbd728b0bc9fc8209bbd5d74013873e9 |
| SHA256 | f0950b37a695ed7136f6dd8070c2582a6fcd6e06132b041d10e0334659871099 |
| SHA512 | f6d1bbc0708f89cf41308d8f5f5916281f5c3ef6cb52a9f006877fa91a00912c460a987d5489dbbfb910da006c25d07198eec79531a42852295e0362256a5fde |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db3d2b898a8258ed1c9b12d407130458 |
| SHA1 | a4fd9620765c055421b007804898c62428180df3 |
| SHA256 | c313cf7f51a4d369dcca5f6a4d06316c626a2ea14738a54a5c95b41395c2ebfe |
| SHA512 | 821aaac136166e483517a79473bdbcd4d6bc187cedb0b80ef55dd507e11b5a4e96a2898a4965256eae4ef7af64712676f24d72b07ede86c9d966b863a4cd36f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aeb6f129af2615a2467d35b71eae5cfc |
| SHA1 | 8b604a09ad5904c465473697b78a57d2c00bbc05 |
| SHA256 | 92ac1ddc219ef0eee9c57dc015f67a92ad8d7562a2cfd0daf154d809b4b15030 |
| SHA512 | c34f473ebac2d08fb719b3a14cff4baf7ff81ccf2c3f03977c81d6157b609e37a0a9396191d8c0accdd176af21133480e95ff9516e3fce1e3837cfbae26876e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 68e48ff80632da363cff3295075456ea |
| SHA1 | 32546f83c5bedd195f89cacb4a6746c78de4ecd7 |
| SHA256 | 0b6bdc0502979ebf869ad09fc41fffc5b250430eceb75e496ed5fa4aab44c66f |
| SHA512 | 5b2f2d44e3c35acd81a692feaf77422b9f31e43491810d045c16a92bab7724c55fadd26dcd80039efbf1418801a06ff19a6a2c7aa2fde04927200567fff94a07 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 08:01
Reported
2024-11-29 08:04
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Isrstealer family
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Wine | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3772 set thread context of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afe792e92c8def79c88d16479c8f9051_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb66ff46f8,0x7ffb66ff4708,0x7ffb66ff4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,3053745823135807099,8185435503012755214,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/4152-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d22073dea53e79d9b824f27ac5e9813e |
| SHA1 | 6d8a7281241248431a1571e6ddc55798b01fa961 |
| SHA256 | 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6 |
| SHA512 | 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413 |
\??\pipe\LOCAL\crashpad_4152_IZSJGRCAPHYTCRRO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bffcefacce25cd03f3d5c9446ddb903d |
| SHA1 | 8923f84aa86db316d2f5c122fe3874bbe26f3bab |
| SHA256 | 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405 |
| SHA512 | 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c71cd13f63d4b6984aade8f617c75c23 |
| SHA1 | ced36bd0e8199e5277a9a48a4ebeb09c069e84b6 |
| SHA256 | 17a99fe394b0f8ae73a892f5a5daeafeab0fd4be3b0ea8303b732361302f63af |
| SHA512 | 9202c78a96d1158ee517b10c2ce49c9631edc8dd185b417910193b1c9ba8abd0dd8d01c29979504b4eaa4edcae7e98c7c7d316307017483204dc229cfe11062c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c230e8274bc22ba08bcfcae09400a089 |
| SHA1 | 7f3aa1a8dfcea1eb73579ed8a8b17a228b6af414 |
| SHA256 | 19c365de1488258294235000fcc25cd562df763f4cea6ac8575ad8b108ffe9d6 |
| SHA512 | b9ffdb65430116e1b8f156844574f85974964d8cfb75fa4c5f754dd75c3e6b1a06683e1679f9bc73c5c57b1a1b99e6eadc91ee22573b5789d48e6b55797f0750 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 02243722a9a1cee53883407a26e3e7fc |
| SHA1 | b0a39f28bcd48fce8b4005b8279963a4d580ed5b |
| SHA256 | 6149b4700b33c6efdc0e8921cae047031dbc318099864ca46cd2c783bce1b1c2 |
| SHA512 | 464426031caf82519f03545412ea6c85b9ac8d2b1e20992c79cf9131e4d0fd811a356e33109b3f9878a387f7b5493cf0b4b04e4fe600a20580f503979bf4d2dd |