Malware Analysis Report

2025-01-19 07:22

Sample ID 240531-y36qysbh5v
Target 883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118
SHA256 ad838e414654eb6616ef42f1a6d4353c31b4c892e6bfc4a62c7a401996c3d69e
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad838e414654eb6616ef42f1a6d4353c31b4c892e6bfc4a62c7a401996c3d69e

Threat Level: Known bad

The file 883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 20:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 20:19

Reported

2024-05-31 20:22

Platform

win7-20231129-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px6642.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C9B7CD1-1F8B-11EF-8D15-FA7CD17678B7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423348649" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3012b32398b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1892 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1892 wrote to memory of 2464 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2464 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2156 wrote to memory of 2608 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1972 wrote to memory of 3032 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:472079 /prefetch:2

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 20:19

Reported

2024-05-31 20:22

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\883b1006423f85f43a55cdd0b6b787c2_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4356 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4600 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5368 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5464 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4600 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network


Files

N/A