Analysis Overview
SHA256
fee4d7065bb4147428c9895fec7176eddd5ffe5ae53d905a3ea04af14ebbcb10
Threat Level: Known bad
The file 86e2da2e1b432df14840379b09b67c76JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 13:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 13:03
Reported
2024-05-31 13:05
Platform
win7-20240419-en
Max time kernel
129s
Max time network
139s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px2462.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423322468" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2826EAE1-1F4E-11EF-91AC-F2A35BA0AE8D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\86e2da2e1b432df14840379b09b67c76JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:537607 /prefetch:2
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 13:03
Reported
2024-05-31 13:05
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\86e2da2e1b432df14840379b09b67c76JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffadd346f8,0x7fffadd34708,0x7fffadd34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14354692580425104233,7246442378876648272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
Network
Files