Analysis Overview
SHA256
d7606f4111c14354815f83d21e2df9ce9302ff078a8d879f78f5fd2e5cba13ed
Threat Level: Known bad
The file f9e97a87dc9c6a5789e9d20942fd04d4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
SocGholish
Socgholish family
System Location Discovery: System Language Discovery
Browser Information Discovery
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-18 03:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-18 03:27
Reported
2024-12-18 03:29
Platform
win7-20240903-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
SocGholish
Socgholish family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB6B17C1-BCEF-11EF-841E-F2DF7204BD4F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440654307" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2328 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2328 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2328 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2328 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f9e97a87dc9c6a5789e9d20942fd04d4_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | platform.twitter.com | udp |
| US | 8.8.8.8:53 | www.linkwithin.com | udp |
| US | 8.8.8.8:53 | losingthisweight.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | gan.doubleclick.net | udp |
| US | 8.8.8.8:53 | platform.linkedin.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.google.com | udp |
| US | 8.8.8.8:53 | picketfenceblogs.com | udp |
| US | 8.8.8.8:53 | bloggers.com | udp |
| US | 8.8.8.8:53 | myvi.net | udp |
| US | 8.8.8.8:53 | lm.logicalmedia.com | udp |
| US | 8.8.8.8:53 | widget.networkedblogs.com | udp |
| US | 8.8.8.8:53 | theclevernetwork.com | udp |
| US | 8.8.8.8:53 | s.gravatar.com | udp |
| US | 8.8.8.8:53 | stats.wordpress.com | udp |
| FR | 142.250.178.138:80 | ajax.googleapis.com | tcp |
| GB | 2.18.190.207:80 | platform.linkedin.com | tcp |
| GB | 2.18.190.207:80 | platform.linkedin.com | tcp |
| GB | 146.75.72.157:80 | platform.twitter.com | tcp |
| SG | 118.139.179.30:80 | www.linkwithin.com | tcp |
| FR | 142.250.178.138:80 | ajax.googleapis.com | tcp |
| FR | 142.250.178.130:80 | pagead2.googlesyndication.com | tcp |
| FR | 142.250.178.130:80 | pagead2.googlesyndication.com | tcp |
| GB | 146.75.72.157:80 | platform.twitter.com | tcp |
| SG | 118.139.179.30:80 | www.linkwithin.com | tcp |
| FR | 172.217.20.198:80 | gan.doubleclick.net | tcp |
| FR | 172.217.20.198:80 | gan.doubleclick.net | tcp |
| US | 192.0.73.2:80 | s.gravatar.com | tcp |
| US | 192.0.73.2:80 | s.gravatar.com | tcp |
| US | 104.21.32.1:80 | picketfenceblogs.com | tcp |
| US | 104.21.32.1:80 | picketfenceblogs.com | tcp |
| FR | 142.250.179.99:443 | ssl.gstatic.com | tcp |
| FR | 142.250.179.99:443 | ssl.gstatic.com | tcp |
| FR | 142.250.179.78:80 | apis.google.com | tcp |
| FR | 142.250.179.78:80 | apis.google.com | tcp |
| US | 192.0.78.26:80 | stats.wordpress.com | tcp |
| US | 192.0.78.26:80 | stats.wordpress.com | tcp |
| FR | 142.250.74.238:443 | encrypted-tbn0.google.com | tcp |
| FR | 142.250.74.238:443 | encrypted-tbn0.google.com | tcp |
| US | 76.223.54.146:80 | bloggers.com | tcp |
| US | 76.223.54.146:80 | bloggers.com | tcp |
| US | 74.220.199.6:80 | theclevernetwork.com | tcp |
| US | 74.220.199.6:80 | theclevernetwork.com | tcp |
| US | 192.0.73.2:443 | s.gravatar.com | tcp |
| US | 192.0.78.26:443 | stats.wordpress.com | tcp |
| NL | 94.103.95.230:80 | lm.logicalmedia.com | tcp |
| NL | 94.103.95.230:80 | lm.logicalmedia.com | tcp |
| FR | 142.250.179.110:80 | www.google-analytics.com | tcp |
| FR | 142.250.179.110:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| FR | 142.250.179.78:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| FR | 142.250.201.174:443 | encrypted-tbn0.gstatic.com | tcp |
| FR | 142.250.201.174:443 | encrypted-tbn0.gstatic.com | tcp |
| US | 8.8.8.8:53 | hecodat.de | udp |
| DE | 217.160.0.76:80 | hecodat.de | tcp |
| DE | 217.160.0.76:80 | hecodat.de | tcp |
| US | 8.8.8.8:53 | www.pornanswer.com | udp |
| US | 104.21.48.1:443 | www.pornanswer.com | tcp |
| US | 104.21.48.1:443 | www.pornanswer.com | tcp |
| US | 8.8.8.8:53 | myvi.net | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDF78.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD70F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 8689a90566891b1151272dc7cdf927a3 |
| SHA1 | 1864c900f9b1ca7ca882058809200904459e91a4 |
| SHA256 | ad2089cf893c945b4ea89fff36a3721b528eca318c1bb9f22a6e99b2191be3f9 |
| SHA512 | 4cf7dd9c482bc20655e4a05b592452de2c3988e8a9ecb813421234884ecb4bb4784cf89a9220f8fc834bb6ccfaae6f57a17c69efd28147f9ce443fac08fc0174 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f7022fd010cd16c10ff62631a9c70e0 |
| SHA1 | dde9f2d57cb3532b864ce6dfee611e9b3444b388 |
| SHA256 | 27b714820951b764eae5edf56fb10b0ac6a5567f94abc518dc73ade8e79ee2ce |
| SHA512 | 4550cb88b372748baf940093e66c72521e4e9f8a2704f10067b1477ad16ad52f02db50ee03caedf86cc917becf32d92df18d7a0ebcad15112dce2df848988984 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1218107fe7e4afa3d29994d673152af8 |
| SHA1 | 759882db0b3f82fb7f79e39ee3ae0245b519b662 |
| SHA256 | 114173c7cd316dfdc16c206fa5f1357fd71b0b8785b0e02508ce1872023e8a62 |
| SHA512 | 1c3297b76eb333afba3d207e62ec256b154d692a3be21dbbe2888bb5453c1e168474357f97afcd278c836c05e418375a91136f0345fdecabffe1025d8a189f17 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce88669b3a801442080d03fb71181667 |
| SHA1 | 76a62730354f366fce1e1ad795fda0ba88e891a8 |
| SHA256 | 9f6c9cde9969c7d2205315f58e73cfd75afd83f77256fa667efed317dfb229d2 |
| SHA512 | bb966d5609d94d0b71554a7bfac87c2b0a7e6f0a98ab20d6b4b483dcee32b2fe3fd62107ad6e412da83b5961bde4e3574d5e4e348530664f9b8d5c5bdc725309 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bac1471ca912db6c9cc859dda99bd4cf |
| SHA1 | c4725526712ecab92b74ae5ed321f90a0f4f1462 |
| SHA256 | dc4b2e22587a0c070e0a06716121067df762d1b9e28781ff75a47aaa4b1076a2 |
| SHA512 | c41525aebf91d86ec287de649e1790ae9bed5d7f9bc34ce4a782f5fbd7893e0c7958e8ae07a744a6f03c840dd0d2247aa3890dbf76aaca0e14de5c94966ae148 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66678483393b1d03147e56b42ff3c5f0 |
| SHA1 | 55eddb7eb91ed0ed86a157664b4716e5b3e640bb |
| SHA256 | d6892b7847c617c2c2cf914e5a3c1f0f071005038999f5eb9e56658ab49b8c48 |
| SHA512 | 2c86bff4c9ca5b0803410c52337abbf99b36894a3ef13d5366f8420f43374a8fa609fde1b6f0e3b770f779f857cc45870b83a9aa43ffa6c6d0e821d4d0bb9c26 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 397139e6c013147b613e4c996b53a182 |
| SHA1 | 8f049406b442fea4514052072cee448c0c3cd769 |
| SHA256 | dc874f73396a8d2fb7e6cd7e9feb4ce6ee7b7a6db2461152dfaa19467ca96920 |
| SHA512 | 00bf71c2cfaee719c1fbc2cf92ef9f1a9b0a63fcd9694c78c673bc7d3ec43bf793c0fb11e02e7cdc15fc7ccfa50755d5673ba55c78380fa7ab5ffbecf5c01185 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 4404dea0a4e6933de0f4c09ac11cf4fc |
| SHA1 | 2b1dc9870b960cc0fbefe63161347faa9b865b10 |
| SHA256 | b5ff07a546de0f7f466f36792bdfa131aab46624ee57664c50837e0a9e27700e |
| SHA512 | a569bc39eac4bb0f6efe21089d099e0e32b65ce7addb02637f60163caa0965ce3fa550b1312d13c5cf1f2aa8b0c038aeb9957d07f7fadbc8176bf2735bd38ed7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cfc33eddba9cc83d2378e7581cb78cc7 |
| SHA1 | 3dd7e13be7aab162fc29b4703ac2e422f819cd47 |
| SHA256 | e71164f95d8b06ddc89bb95d569ae0a4416d1c011a4d40c1e0629441d496c9a4 |
| SHA512 | a7e515c7031a634050974b97bbc9e89066ad78bc9ffd45e24a1fe5813ba6a27286203e16894a398c3bf5a38bb8d612d1d494559627688932979d7918d865e2e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c057fdd89c06db6d2f153db63109478 |
| SHA1 | 5640ab3729a679a04cc61543d8708a2447666d98 |
| SHA256 | f5d04268698503d4e0d25e33439740f215a13c5f5c6feaf2919e95012d8e73b1 |
| SHA512 | 90935c16f8a4acbddba5a56429337ab1a7c44a53c9cd775d51cfc7ead7bf262fdc73648599621a1d20a7aa2e415e6798d606ee82af553afa33bee6823a89a2af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 68821f4a92e0c2fadc663517f7ff789d |
| SHA1 | 26311030c84d65fa93b1bb3d7fe3e109a7c7f0c8 |
| SHA256 | 7974e529e79f57f4bcf80cd1fbf58c20bb520eb930bba6f4ef0a7e068fc42e19 |
| SHA512 | 6c5cbdcf3b68826df99b80a39eb9c740e281c6de8f0ae97daaf7decb02da31744fbcfeee63ead74fe93bc5a65b614bebf46e7344033a8fdbb8746d4447486922 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-18 03:27
Reported
2024-12-18 03:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\f9e97a87dc9c6a5789e9d20942fd04d4_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf21a46f8,0x7ffaf21a4708,0x7ffaf21a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,16062657720231183821,5074708271309772728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3920 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | losingthisweight.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | platform.twitter.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | platform.linkedin.com | udp |
| GB | 146.75.72.157:80 | platform.twitter.com | tcp |
| FR | 142.250.178.138:80 | ajax.googleapis.com | tcp |
| FR | 142.250.179.78:80 | apis.google.com | tcp |
| FR | 142.250.178.130:80 | pagead2.googlesyndication.com | tcp |
| GB | 2.18.190.207:80 | platform.linkedin.com | tcp |
| US | 8.8.8.8:53 | www.linkwithin.com | udp |
| US | 8.8.8.8:53 | gan.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.wordpress.com | udp |
| US | 8.8.8.8:53 | s.gravatar.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| US | 8.8.8.8:53 | widget.networkedblogs.com | udp |
| US | 8.8.8.8:53 | encrypted-tbn0.google.com | udp |
| US | 8.8.8.8:53 | picketfenceblogs.com | udp |
| US | 192.0.73.2:80 | s.gravatar.com | tcp |
| SG | 118.139.179.30:80 | www.linkwithin.com | tcp |
| SG | 118.139.179.30:80 | www.linkwithin.com | tcp |
| FR | 142.250.179.99:443 | ssl.gstatic.com | tcp |
| US | 192.0.78.27:80 | stats.wordpress.com | tcp |
| FR | 172.217.20.198:80 | gan.doubleclick.net | tcp |
| FR | 172.217.20.198:80 | gan.doubleclick.net | tcp |
| FR | 142.250.74.238:443 | encrypted-tbn0.google.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | bloggers.com | udp |
| US | 13.248.169.48:80 | bloggers.com | tcp |
| IE | 31.13.73.22:445 | connect.facebook.net | tcp |
| US | 104.21.96.1:80 | picketfenceblogs.com | tcp |
| US | 8.8.8.8:53 | myvi.net | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.72.75.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lm.logicalmedia.com | udp |
| US | 8.8.8.8:53 | 207.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 192.0.78.27:443 | stats.wordpress.com | tcp |
| US | 192.0.73.2:443 | s.gravatar.com | tcp |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | theclevernetwork.com | udp |
| FR | 142.250.179.78:443 | apis.google.com | tcp |
| SG | 118.139.179.30:80 | www.linkwithin.com | tcp |
| FR | 142.250.179.110:80 | www.google-analytics.com | tcp |
| US | 74.220.199.6:80 | theclevernetwork.com | tcp |
| US | 13.248.169.48:80 | bloggers.com | tcp |
| US | 192.0.78.27:443 | stats.wordpress.com | tcp |
| US | 192.0.73.2:443 | s.gravatar.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| FR | 142.250.75.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 2.73.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.78.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.96.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.199.220.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.179.139.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| FR | 142.250.201.174:443 | encrypted-tbn0.gstatic.com | tcp |
| IE | 31.13.73.22:139 | connect.facebook.net | tcp |
| NL | 94.103.95.230:80 | lm.logicalmedia.com | tcp |
| FR | 142.250.201.174:443 | encrypted-tbn0.gstatic.com | tcp |
| US | 8.8.8.8:53 | 226.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.95.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.201.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | platform.stumbleupon.com | udp |
| US | 54.165.207.73:445 | platform.stumbleupon.com | tcp |
| US | 44.214.57.144:445 | platform.stumbleupon.com | tcp |
| US | 44.196.255.240:445 | platform.stumbleupon.com | tcp |
| US | 8.8.8.8:53 | platform.stumbleupon.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 44.214.57.144:139 | platform.stumbleupon.com | tcp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7de1bbdc1f9cf1a58ae1de4951ce8cb9 |
| SHA1 | 010da169e15457c25bd80ef02d76a940c1210301 |
| SHA256 | 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e |
| SHA512 | e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c |
\??\pipe\LOCAL\crashpad_4752_NQBGNUEBXLFYBXWG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 85ba073d7015b6ce7da19235a275f6da |
| SHA1 | a23c8c2125e45a0788bac14423ae1f3eab92cf00 |
| SHA256 | 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617 |
| SHA512 | eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7269122a48f1d91e5696d63590be3d7b |
| SHA1 | fcc058a39d803de093514c2504e51488060ab218 |
| SHA256 | 762b78e27d41c6b5989e415bb64a6b6eb04ed63c33b252736f1876998207446f |
| SHA512 | 48480a040bcc0997e6bc6b0efe639d240f908ad8dc25fd01376149008ec3279b23525491c91fe9499415554ca4e6107571989ddb399dd05dc37bdcfb64d59701 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f383d7337b98b660ad796f0b843e47e6 |
| SHA1 | 9fdb0651a8006b28384eb8e74d838deed0caec64 |
| SHA256 | a4f767ed002de2dfd0a43f7f0d59d22e4ee085863be178281cce7f9830b94214 |
| SHA512 | ba68d675fcfd35c811e802bc6e4a1a96344bc7c28e594eeb634139ed7138bac2611a2d9be22217dfcdcb43f8555fdd34b59ca3f10735a1d95b4a10cd73e3ec25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | af139a711ae076014e4e94f811b1168a |
| SHA1 | 6274e3e6fe78a8da2c5dd26c74a78417e375628c |
| SHA256 | 4aed79f66aa61faae26e679a821ed56a1a2313ce8e614fbaa86339640a2b3254 |
| SHA512 | 60b826cf7883912a6c4a548e794f91cc207e956953bca3ec7c6b6db192407efb32c9c1437783fce930ff4502b9d2ddef0c59e3de95add530c2676d30b19da0aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | a397bf828a0abb33f06c9462350317ca |
| SHA1 | 9ca4f67c98c83b870f7224a2e6d01f6cfd59f23f |
| SHA256 | d63141d10bf4f6b55cf0c598894e43868a11468ea14f4c4e7054fdaa6a664b7a |
| SHA512 | cf03f8f90c229918816efe4755c53483d7f38cfe2ee12b03b501986c4df330b01993b7aa5697d333261fd76e8afdd9e397c1a36885a7117ae01af1a6cc8cd9e3 |