Malware Analysis Report

2025-08-05 19:12

Sample ID: 240329-h5ykcsch89
Target: 1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118
SHA256: 6bc98cc2bdd3b424de158ff2fade703e828dafecce7ef20b64ac750a585e9968
Tags: ramnit banker spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 6bc98cc2bdd3b424de158ff2fade703e828dafecce7ef20b64ac750a585e9968

Threat Level: Known bad

The file 1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-29 07:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-29 07:19
Reported: 2024-03-29 07:22
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4920 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5188 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5680 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4076 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5732 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-29 07:19
Reported: 2024-03-29 07:22
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 134s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px4902.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417858664" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000005ca9160afe3ed757123ce0b8d65cd0c8bc497ddafb3e00d2288815e2d9bcf07b000000000e80000000020000200000005d2c7e17e0eb4505ddf3b0404d04d223b1edb4dba2186c493b2f35efacb52234200000009c0ace4ca326c970efa697390f7007c978e797bd86f47dcf0630418081561a0d400000009fcdcbe36004c0b75c395ddc8901b071d92b36812378b290663adf78e4ed95a659473b14c9416740f14945b595f32c738a4beb8282cbe262ef6f693c108ffe3a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD5196D1-ED9C-11EE-AC06-EEF45767FDFF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b940aca981da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2588 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2588 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2588 wrote to memory of 2672 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2672 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2672 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2672 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2672 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2348 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2348 wrote to memory of 1400 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1908 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1c061a9e4ff49706f0d61544aa16897b_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:537606 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 v3.jiathis.com udp
US 8.8.8.8:53 www.futaijd.com udp
CN 139.224.192.17:80 v3.jiathis.com tcp
CN 139.224.192.17:80 v3.jiathis.com tcp
CN 139.224.192.17:80 v3.jiathis.com tcp
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 c5c99988728c550282ae76270b649ea1
SHA1 113e8ff0910f393a41d5e63d43ec3653984c63d6
SHA256 d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
SHA512 66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

memory/2672-8-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2672-6-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2672-10-0x00000000003C0000-0x00000000003CF000-memory.dmp

memory/2348-17-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2348-18-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2348-20-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2348-21-0x000000007743F000-0x0000000077440000-memory.dmp
