Malware Analysis Report

2025-08-05 19:12

Sample ID 240329-2casdacb45
Target 2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118
SHA256 e2a220bfe7e4205322153fba59d83623cf637092aed6a7ff051fb2f255095004
Tags: ramnit banker spyware stealer trojan upx worm

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

e2a220bfe7e4205322153fba59d83623cf637092aed6a7ff051fb2f255095004

Threat Level: Known bad

The file 2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 22:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 22:25

Reported

2024-03-29 22:28

Platform

win7-20240221-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417913017" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B8919E1-EE1B-11EE-A450-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2900 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2940 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 896 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2940 wrote to memory of 896 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2940 wrote to memory of 896 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2940 wrote to memory of 896 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 896 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 896 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2900 wrote to memory of 2628 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2628 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2628 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2628 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2652 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2652 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2652 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2900 wrote to memory of 2652 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:406540 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:668678 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 u.x.jd.com udp
US 8.8.8.8:53 images.sohu.com udp
US 8.8.8.8:53 www.37med.com udp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
HK 103.107.90.109:80 u.x.jd.com tcp
HK 103.107.90.109:80 u.x.jd.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
NL 43.175.22.45:80 images.sohu.com tcp
NL 43.175.22.45:80 images.sohu.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
US 8.8.8.8:53 inte.sogou.com udp
SG 119.28.109.132:80 inte.sogou.com tcp
SG 119.28.109.132:80 inte.sogou.com tcp
US 8.8.8.8:53 hm.baidu.com udp
HK 103.235.46.191:80 hm.baidu.com tcp
HK 103.235.46.191:80 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab782E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar7910.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28ce2bbc51d356c6cbc64ff8c75aa370
SHA1 00c01f1a92018f58065ce641c02432cb04515123
SHA256 5bf95c086c96f0d23d3bbc9e09440edcae7182d7217dd9f53d4bc6f26da49f3f
SHA512 367bf80946c6dd270145d4aa274ff3e4dddf97169ef8803729e0a92f31f2b6efd575b89da1db4f0972c7909eb6012f529efc8d670eb10d839068ef69785bcfc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf86db8a23ec0faf64f04e9c7ec8e401
SHA1 a3702ce795ce3da154d62ed6e381103450ecbf4a
SHA256 925a99f16b5cf5c5a48e8652992aa3357131ee3cec374b6fd86dedc3408fea61
SHA512 36ffb1dcbbd951079719b7eeafaea7b7a2b883690ab70a811c1823c99c849c3b40cb69a1542fb4f26809d94666af0a5ff1ff00a6633a98650f4d1e116675ba0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c7fbeaa97e9ea5b36eb19e7d0c87d38
SHA1 145f0c5098dc6e5e57ffb70caad3d70b30406313
SHA256 e463a6c5a49c205600bdb2359bd8c8fada2bea8e07e85b0340e58af49bc8a91c
SHA512 928e0f13d789c2e20bad0f84651d2e09e48404e6b618e59824589d8ac539f641565e962039be0ef4b6ab1e118f8d7903c8a351e9202ab48ee1d6e667bc225697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 473a482cda40be8b027b81985183788c
SHA1 685914703ebb157c84b777f387a74a18f1c3d897
SHA256 ef54c48f6aeec111c8869eb8a9ab1188201fb24987c0d577867d2ebe16d5bab2
SHA512 e65ebc2edd8754152e79e068c910d18881b7b1a55ddaa30c83ae19fe375f30098068faa33f89b5503675f68e6dbd7bc756b38529ee8d487d32d9c58e270e9037

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bf3dd54e825c12431cf05852844b433
SHA1 70daeb3820ebde75d1d5c486e1dba6c79cb168f1
SHA256 30734aa7a9e3282f5ecb62f6dba3f147b1d5ce68c38d5fe0f8109c1d05e7a3ab
SHA512 f0db162a68b7809a1052e8908bdcd11f1e2c0943e4d0fd9c47285e823d1691a898be808303ffb9a2024c2beb8828a6820f97090a7b695ca71e9a419eede22ad2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 068040c4b36471aebef81d4fb5c3a16f
SHA1 e0466e1c9689094168b1d4b09288d7a1f8729cf3
SHA256 7688c4143b4508331d10d2703438bc7c6c5798822e8b5c0758db998dc8f0bb4d
SHA512 54b53dfb7efd275001d1fdb07ce3fa6e405acf9666171f5ced9e6e3fb96d835033a5877588a921e2dc4e29a2f57697bf8ad7ef71be3a9a522d750f0049ec6f91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2776d82d62d3731ed4042d05ee8b4642
SHA1 a663499a80953b60218c3a8d6807a9479742b1e7
SHA256 42fc6b24588cd361e71f9a1e391f4cce54f51bdc46b3d0702fad6427d6444939
SHA512 01d4b31b94dc0fea8cc2ba3c1430acbca456c69fce5e18e34058769e86d95385a3bfdca0e1091322174ec9cad1c88e8b25b296e7637bd6cd5e8ceaed7fd6bec3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43f28ae456e460404d01594b47170948
SHA1 958ee5cb32e1c5fd2bdaafa868186dac68209eb3
SHA256 b12ef3bf67655e8c849ee37aa0a4f9b15000bed6715462c4895d1b2e5aef836b
SHA512 8c96af6c3856dab7b7acf4620312029d4ab8fd7b96e236c508c5ecd433ce137bed94dc4e3dc6940f00f38640a1bf53c3d605e822a083d0b80708faa5fc77a481

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a24be4c4199ddf5420c3e5405717ac6a
SHA1 ecdbc22ec586a8eabe5ab2a74b9b584aea158324
SHA256 e431d4b0981ceb533ac6b54340a5fb9a89625b90584abcd8d21c0be002671d1e
SHA512 45c8e02960951210c78189e51deccb1d396c4bf6e497723c8fa86c4f23d3c119ac3de0a77695d1b2209eadd7114085adb6e9f51bffb314820cec16acc4460cc1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ade2d00bd5708d3bdfcec7107df29a0f
SHA1 2382e92ead712e1c6dfb85fe744053c4328e6837
SHA256 f923bfe36d77514288a3d7bf09dab7c99cb7a547654d8762fc5957b2fdcf2ce9
SHA512 4bbdd4f1f4823e80d004dc1b495b632384973df4302711b5478fcc244e52e67fdd6f9164986d49b4ba5519416677b44be701323bb0cff0b32224ac9879fa13b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a120d06ecf5bb24dfc6ffdb7254eb2cf
SHA1 0ba9b7b4b5dcdd6d6d9465b9288a2ff57d48dbc9
SHA256 b371dc94a25cdd3bf0f97e2badd0749c2c3e3858795e74272c68455966f62f8b
SHA512 447232e8dc444a8d7add1a7077ff7c6a4e354d2b1b31c4ede1f5fde1797719d112432980f69c35e5e7cfa297b16f21aa9fbafa6a6b4ca32016f65072b2a586db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5748542eb3810e0ed90f03d8ca9c6e17
SHA1 d3d5db0a07665f31014cbca2fd3f507990d0442e
SHA256 96757d64af195df794ee6e3c79e0fa08394115d9d39939d506464f66f3477c02
SHA512 b25838779143f1d59c82acffb7e95c6ff95d9f7c17d52b791029b15282b6e98d41aca85302441febc4caad07d2329327223844eeaa876d881430b87649fe8e3e

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 dfb5daabb95dcfad1a5faf9ab1437076
SHA1 4a199569a9b52911bee7fb19ab80570cc5ff9ed1
SHA256 54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0
SHA512 5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

memory/896-511-0x0000000000400000-0x000000000045B000-memory.dmp

memory/896-512-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/896-514-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/896-513-0x0000000000400000-0x000000000045B000-memory.dmp

memory/896-515-0x000000007713F000-0x0000000077140000-memory.dmp

memory/896-516-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/896-517-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 22:25

Reported

2024-03-29 22:28

Platform

win10v2004-20240226-en

Max time kernel

130s

Max time network

155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5360 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4948 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5500 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3704 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.37med.com udp
US 8.8.8.8:53 www.37med.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 u.x.jd.com udp
US 8.8.8.8:53 u.x.jd.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.78.177.227:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 2.16.34.27:443 bzib.nelreports.net tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
HK 103.107.90.109:80 u.x.jd.com tcp
US 8.8.8.8:53 www.microsoft.com udp
HK 103.107.90.109:80 u.x.jd.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 27.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 227.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 images.sohu.com udp
US 8.8.8.8:53 images.sohu.com udp
NL 43.175.22.45:80 images.sohu.com tcp
US 8.8.8.8:53 109.90.107.103.in-addr.arpa udp
US 8.8.8.8:53 45.22.175.43.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.189.173.21:443 nw-umwatson.events.data.microsoft.com tcp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
US 8.8.8.8:53 www.37med.com udp
US 8.8.8.8:53 www.37med.com udp
US 8.8.8.8:53 www.37med.com udp
US 8.8.8.8:53 21.173.189.20.in-addr.arpa udp
CN 47.97.175.202:80 www.37med.com tcp
CN 47.97.175.202:80 www.37med.com tcp
US 8.8.8.8:53 inte.sogou.com udp
US 8.8.8.8:53 inte.sogou.com udp
US 8.8.8.8:53 dsp.brand.sogou.com udp
US 8.8.8.8:53 dsp.brand.sogou.com udp
US 8.8.8.8:53 u-x.jd.com udp
US 8.8.8.8:53 img1.360buyimg.com udp
SG 119.28.109.132:80 dsp.brand.sogou.com tcp
CN 106.39.167.232:445 u-x.jd.com tcp
SG 119.28.109.132:80 dsp.brand.sogou.com tcp
CN 116.162.51.217:445 img1.360buyimg.com tcp
SG 119.28.109.132:80 dsp.brand.sogou.com tcp
SG 119.28.109.132:80 dsp.brand.sogou.com tcp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 132.109.28.119.in-addr.arpa udp
CN 119.36.124.138:445 img1.360buyimg.com tcp
CN 120.226.150.214:445 img1.360buyimg.com tcp
CN 123.6.65.220:445 img1.360buyimg.com tcp
CN 123.6.122.133:445 img1.360buyimg.com tcp
CN 175.6.201.86:445 img1.360buyimg.com tcp
CN 183.204.210.169:445 img1.360buyimg.com tcp
CN 183.204.211.157:445 img1.360buyimg.com tcp
HK 103.235.46.191:80 hm.baidu.com tcp
HK 103.235.46.191:80 hm.baidu.com tcp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
US 8.8.8.8:53 191.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 u-x.jd.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
CN 183.204.211.214:445 img1.360buyimg.com tcp
US 8.8.8.8:53 img1.360buyimg.com udp
CN 1.194.249.199:445 img1.360buyimg.com tcp
CN 111.7.99.214:445 img1.360buyimg.com tcp
CN 61.184.9.163:445 img1.360buyimg.com tcp
CN 111.48.138.86:445 img1.360buyimg.com tcp
CN 113.219.195.100:445 img1.360buyimg.com tcp
CN 111.174.12.214:445 img1.360buyimg.com tcp
GB 104.86.110.120:443 www.bing.com tcp
US 8.8.8.8:53 120.110.86.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
GB 2.18.66.74:443 www.bing.com tcp
US 8.8.8.8:53 74.66.18.2.in-addr.arpa udp

Files

N/A