Analysis Overview
SHA256
e2a220bfe7e4205322153fba59d83623cf637092aed6a7ff051fb2f255095004
Threat Level: Known bad
The file 2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX packed file
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 22:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 22:25
Reported
2024-03-29 22:28
Platform
win7-20240221-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417913017" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B8919E1-EE1B-11EE-A450-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:406540 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:668678 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | u.x.jd.com | udp |
| US | 8.8.8.8:53 | images.sohu.com | udp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| HK | 103.107.90.109:80 | u.x.jd.com | tcp |
| HK | 103.107.90.109:80 | u.x.jd.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| NL | 43.175.22.45:80 | images.sohu.com | tcp |
| NL | 43.175.22.45:80 | images.sohu.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| US | 8.8.8.8:53 | inte.sogou.com | udp |
| SG | 119.28.109.132:80 | inte.sogou.com | tcp |
| SG | 119.28.109.132:80 | inte.sogou.com | tcp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| HK | 103.235.46.191:80 | hm.baidu.com | tcp |
| HK | 103.235.46.191:80 | hm.baidu.com | tcp |
| HK | 103.235.46.191:443 | hm.baidu.com | tcp |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab782E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar7910.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28ce2bbc51d356c6cbc64ff8c75aa370 |
| SHA1 | 00c01f1a92018f58065ce641c02432cb04515123 |
| SHA256 | 5bf95c086c96f0d23d3bbc9e09440edcae7182d7217dd9f53d4bc6f26da49f3f |
| SHA512 | 367bf80946c6dd270145d4aa274ff3e4dddf97169ef8803729e0a92f31f2b6efd575b89da1db4f0972c7909eb6012f529efc8d670eb10d839068ef69785bcfc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf86db8a23ec0faf64f04e9c7ec8e401 |
| SHA1 | a3702ce795ce3da154d62ed6e381103450ecbf4a |
| SHA256 | 925a99f16b5cf5c5a48e8652992aa3357131ee3cec374b6fd86dedc3408fea61 |
| SHA512 | 36ffb1dcbbd951079719b7eeafaea7b7a2b883690ab70a811c1823c99c849c3b40cb69a1542fb4f26809d94666af0a5ff1ff00a6633a98650f4d1e116675ba0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c7fbeaa97e9ea5b36eb19e7d0c87d38 |
| SHA1 | 145f0c5098dc6e5e57ffb70caad3d70b30406313 |
| SHA256 | e463a6c5a49c205600bdb2359bd8c8fada2bea8e07e85b0340e58af49bc8a91c |
| SHA512 | 928e0f13d789c2e20bad0f84651d2e09e48404e6b618e59824589d8ac539f641565e962039be0ef4b6ab1e118f8d7903c8a351e9202ab48ee1d6e667bc225697 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 473a482cda40be8b027b81985183788c |
| SHA1 | 685914703ebb157c84b777f387a74a18f1c3d897 |
| SHA256 | ef54c48f6aeec111c8869eb8a9ab1188201fb24987c0d577867d2ebe16d5bab2 |
| SHA512 | e65ebc2edd8754152e79e068c910d18881b7b1a55ddaa30c83ae19fe375f30098068faa33f89b5503675f68e6dbd7bc756b38529ee8d487d32d9c58e270e9037 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6bf3dd54e825c12431cf05852844b433 |
| SHA1 | 70daeb3820ebde75d1d5c486e1dba6c79cb168f1 |
| SHA256 | 30734aa7a9e3282f5ecb62f6dba3f147b1d5ce68c38d5fe0f8109c1d05e7a3ab |
| SHA512 | f0db162a68b7809a1052e8908bdcd11f1e2c0943e4d0fd9c47285e823d1691a898be808303ffb9a2024c2beb8828a6820f97090a7b695ca71e9a419eede22ad2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 068040c4b36471aebef81d4fb5c3a16f |
| SHA1 | e0466e1c9689094168b1d4b09288d7a1f8729cf3 |
| SHA256 | 7688c4143b4508331d10d2703438bc7c6c5798822e8b5c0758db998dc8f0bb4d |
| SHA512 | 54b53dfb7efd275001d1fdb07ce3fa6e405acf9666171f5ced9e6e3fb96d835033a5877588a921e2dc4e29a2f57697bf8ad7ef71be3a9a522d750f0049ec6f91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2776d82d62d3731ed4042d05ee8b4642 |
| SHA1 | a663499a80953b60218c3a8d6807a9479742b1e7 |
| SHA256 | 42fc6b24588cd361e71f9a1e391f4cce54f51bdc46b3d0702fad6427d6444939 |
| SHA512 | 01d4b31b94dc0fea8cc2ba3c1430acbca456c69fce5e18e34058769e86d95385a3bfdca0e1091322174ec9cad1c88e8b25b296e7637bd6cd5e8ceaed7fd6bec3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43f28ae456e460404d01594b47170948 |
| SHA1 | 958ee5cb32e1c5fd2bdaafa868186dac68209eb3 |
| SHA256 | b12ef3bf67655e8c849ee37aa0a4f9b15000bed6715462c4895d1b2e5aef836b |
| SHA512 | 8c96af6c3856dab7b7acf4620312029d4ab8fd7b96e236c508c5ecd433ce137bed94dc4e3dc6940f00f38640a1bf53c3d605e822a083d0b80708faa5fc77a481 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a24be4c4199ddf5420c3e5405717ac6a |
| SHA1 | ecdbc22ec586a8eabe5ab2a74b9b584aea158324 |
| SHA256 | e431d4b0981ceb533ac6b54340a5fb9a89625b90584abcd8d21c0be002671d1e |
| SHA512 | 45c8e02960951210c78189e51deccb1d396c4bf6e497723c8fa86c4f23d3c119ac3de0a77695d1b2209eadd7114085adb6e9f51bffb314820cec16acc4460cc1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ade2d00bd5708d3bdfcec7107df29a0f |
| SHA1 | 2382e92ead712e1c6dfb85fe744053c4328e6837 |
| SHA256 | f923bfe36d77514288a3d7bf09dab7c99cb7a547654d8762fc5957b2fdcf2ce9 |
| SHA512 | 4bbdd4f1f4823e80d004dc1b495b632384973df4302711b5478fcc244e52e67fdd6f9164986d49b4ba5519416677b44be701323bb0cff0b32224ac9879fa13b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a120d06ecf5bb24dfc6ffdb7254eb2cf |
| SHA1 | 0ba9b7b4b5dcdd6d6d9465b9288a2ff57d48dbc9 |
| SHA256 | b371dc94a25cdd3bf0f97e2badd0749c2c3e3858795e74272c68455966f62f8b |
| SHA512 | 447232e8dc444a8d7add1a7077ff7c6a4e354d2b1b31c4ede1f5fde1797719d112432980f69c35e5e7cfa297b16f21aa9fbafa6a6b4ca32016f65072b2a586db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5748542eb3810e0ed90f03d8ca9c6e17 |
| SHA1 | d3d5db0a07665f31014cbca2fd3f507990d0442e |
| SHA256 | 96757d64af195df794ee6e3c79e0fa08394115d9d39939d506464f66f3477c02 |
| SHA512 | b25838779143f1d59c82acffb7e95c6ff95d9f7c17d52b791029b15282b6e98d41aca85302441febc4caad07d2329327223844eeaa876d881430b87649fe8e3e |
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | dfb5daabb95dcfad1a5faf9ab1437076 |
| SHA1 | 4a199569a9b52911bee7fb19ab80570cc5ff9ed1 |
| SHA256 | 54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0 |
| SHA512 | 5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8 |
memory/896-511-0x0000000000400000-0x000000000045B000-memory.dmp
memory/896-512-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/896-514-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/896-513-0x0000000000400000-0x000000000045B000-memory.dmp
memory/896-515-0x000000007713F000-0x0000000077140000-memory.dmp
memory/896-516-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/896-517-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 22:25
Reported
2024-03-29 22:28
Platform
win10v2004-20240226-en
Max time kernel
130s
Max time network
155s
Command Line
Signatures
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5360 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4948 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5500 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3704 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | u.x.jd.com | udp |
| US | 8.8.8.8:53 | u.x.jd.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 104.78.177.227:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| GB | 2.16.34.27:443 | bzib.nelreports.net | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| HK | 103.107.90.109:80 | u.x.jd.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 103.107.90.109:80 | u.x.jd.com | tcp |
| US | 8.8.8.8:53 | 104.242.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.34.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | images.sohu.com | udp |
| US | 8.8.8.8:53 | images.sohu.com | udp |
| NL | 43.175.22.45:80 | images.sohu.com | tcp |
| US | 8.8.8.8:53 | 109.90.107.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.22.175.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.189.173.21:443 | nw-umwatson.events.data.microsoft.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| US | 8.8.8.8:53 | www.37med.com | udp |
| US | 8.8.8.8:53 | 21.173.189.20.in-addr.arpa | udp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| CN | 47.97.175.202:80 | www.37med.com | tcp |
| US | 8.8.8.8:53 | inte.sogou.com | udp |
| US | 8.8.8.8:53 | inte.sogou.com | udp |
| US | 8.8.8.8:53 | dsp.brand.sogou.com | udp |
| US | 8.8.8.8:53 | dsp.brand.sogou.com | udp |
| US | 8.8.8.8:53 | u-x.jd.com | udp |
| US | 8.8.8.8:53 | img1.360buyimg.com | udp |
| SG | 119.28.109.132:80 | dsp.brand.sogou.com | tcp |
| CN | 106.39.167.232:445 | u-x.jd.com | tcp |
| SG | 119.28.109.132:80 | dsp.brand.sogou.com | tcp |
| CN | 116.162.51.217:445 | img1.360buyimg.com | tcp |
| SG | 119.28.109.132:80 | dsp.brand.sogou.com | tcp |
| SG | 119.28.109.132:80 | dsp.brand.sogou.com | tcp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| US | 8.8.8.8:53 | 132.109.28.119.in-addr.arpa | udp |
| CN | 119.36.124.138:445 | img1.360buyimg.com | tcp |
| CN | 120.226.150.214:445 | img1.360buyimg.com | tcp |
| CN | 123.6.65.220:445 | img1.360buyimg.com | tcp |
| CN | 123.6.122.133:445 | img1.360buyimg.com | tcp |
| CN | 175.6.201.86:445 | img1.360buyimg.com | tcp |
| CN | 183.204.210.169:445 | img1.360buyimg.com | tcp |
| CN | 183.204.211.157:445 | img1.360buyimg.com | tcp |
| HK | 103.235.46.191:80 | hm.baidu.com | tcp |
| HK | 103.235.46.191:80 | hm.baidu.com | tcp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| US | 8.8.8.8:53 | hm.baidu.com | udp |
| HK | 103.235.46.191:443 | hm.baidu.com | tcp |
| HK | 103.235.46.191:443 | hm.baidu.com | tcp |
| US | 8.8.8.8:53 | 191.46.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u-x.jd.com | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| CN | 183.204.211.214:445 | img1.360buyimg.com | tcp |
| US | 8.8.8.8:53 | img1.360buyimg.com | udp |
| CN | 1.194.249.199:445 | img1.360buyimg.com | tcp |
| CN | 111.7.99.214:445 | img1.360buyimg.com | tcp |
| CN | 61.184.9.163:445 | img1.360buyimg.com | tcp |
| CN | 111.48.138.86:445 | img1.360buyimg.com | tcp |
| CN | 113.219.195.100:445 | img1.360buyimg.com | tcp |
| CN | 111.174.12.214:445 | img1.360buyimg.com | tcp |
| GB | 104.86.110.120:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 120.110.86.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| GB | 2.18.66.74:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.66.18.2.in-addr.arpa | udp |