Malware Analysis Report

2025-01-19 07:21

Sample ID 240531-yt921sbe6t
Target 8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118
SHA256 47de9bf4edb59b9af11f05f0cb2e873d179ed34c4a1d80fd710fc6ac2e9d63bd
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

47de9bf4edb59b9af11f05f0cb2e873d179ed34c4a1d80fd710fc6ac2e9d63bd

Threat Level: Known bad

The file 8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 20:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 20:05

Reported

2024-05-31 20:08

Platform

win7-20231129-en

Max time kernel

137s

Max time network

121s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxA9E6.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F161661-1F89-11EF-8DE0-D691EE3F3902} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009f104396b3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005853a23ac41a9e4c897d25c5a310822b000000000200000000001066000000010000200000001bb98cb14ea288dd75bba9ead51db88da0ca9ce4bffcfa024cf49919e7dd4832000000000e8000000002000020000000f73e94b54316a77b29afc452b5e33bb4661b36267fff1152283d1d2242a5a06420000000c658fa2526f776912443247cc3fa28b5a974d26106edb4f31d6995e176036dc84000000069e9b6d9d33a2d545a75345656251570c28e179255bb582e9baa9c17df426729d2fd1bfbeb45a60b072cc51c201e6e04120f4fc464a63e2d4d37de6ae3839f87 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005853a23ac41a9e4c897d25c5a310822b00000000020000000000106600000001000020000000d8a8467c3819adca91859d28eacc4813169521a5c845225e7c50f81040181e84000000000e800000000200002000000068658ac70124ca1a36fa66f0c0662dbdeeb5dfa5397dcdf1cd1aa4c6fef855e59000000024a36a97d456231e982fd138a48ff60cca355d0cead9a30cf83dd1cb7ec75e4173b2c31a968ee4d575bab0f4d74a7136bab6abbd5d641ba71af9b9bd4a064d23a15332bfb6493ba0a9bf7c736b2915fbca51492755be37aa67c30cf6b9ff4851d0515cc9df16d865f6f949a94ab4bd8c64f47aea10cd0a969214154775d6d8ecbcf8e86d9580f717bf1611507fe4c386400000003023485c80e95a6d84abb52458dcc13f337061acdd3ee30a815eca84d87836b56b50f17cc858dd96d7c080c8a0e2a3a2f84c9af672646367cc6c0b77ead36f88 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423347821" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1756 wrote to memory of 2468 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1756 wrote to memory of 2468 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1756 wrote to memory of 2468 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1756 wrote to memory of 2468 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2468 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2468 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2468 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2468 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2696 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2868 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1688 wrote to memory of 2648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:209942 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 news.share.baidu.com udp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp
NL 23.62.61.194:80 www.bing.com tcp
NL 23.62.61.194:80 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab944.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf4107023736c7eab2eaa84458aa33aa
SHA1 f5219fa870889b0af4f16c4c39e74e173c86d51c
SHA256 d19240fb9d329fb5d2a9ded8bacd62558ef42a6d5c6467c07a89594911a90f5f
SHA512 96e16352c42cbac496c2f5b35baaae53256607d224793b476914d25f206ee033d8626ec6638e59b19d8d4c738ea01393e7f68fea4ca67c9105b0032530ba4461

C:\Users\Admin\AppData\Local\Temp\TarAA0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 88e851a4b2d365a44451487e558c7fcf
SHA1 a3c72e5681d239526d7e6aea352eeaa17100350c
SHA256 c3f0297bde8deaf98ef48d9c370278bd17ff7287d0762c1ad9cde80910bd6dfa
SHA512 5751993fdebe87798066c35bc7c3dbb93a6e95506be2208f6a312fdd6f7d400111409371c99461f6cda2f26f8a61da098abcb05bd1ef769153366de1a3cae35d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa95102ce3e20b1e4649abe6b5a84be1
SHA1 7659795bdb439667fced33f9f352fcce84842e4a
SHA256 c8d3c27fd91e32df6023c5684e4e9a892a4b4b9490c52f32d21727fbd0b9c911
SHA512 69cad50390694ab2a9bf2b05f3f560d615f232924d22904d9bb0def5d1ec83da4235454d7f6bf363fb749e476cf7f684bec9c46c6d51509d92bbd14057900061

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba0e74dfe03dd1ded185b8b76bb9679b
SHA1 024683073812a173275b9c495260e54f53d1f595
SHA256 9b1dba32c4571ee83ab101fe0c2f1cc12bd4186c3c9d7b83407e09b071f6983a
SHA512 8b82776b2b17d79f27c7dc6bc5e8418670dd73b93657e420f00548d44b50998071dc08bff8920f4dd22b17279451c47b5ae2efd684cda01122226b47d47ecab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb5b56c26f5c7ff29a905dd26b462cd0
SHA1 52ec45b4371bad6a62911ead64a4671601ac4c47
SHA256 96e9561b3cd880feac7af475f1104e14ce2eee7ef79a97a3e7f73d3b4f96a630
SHA512 14a7b4260ba3e4ca25ac80e16a8ae2173134243f19a0e984bbd61da944ef4e89fa45c4279c96f279e11b11bfd912c09b3313eadf92bc4dbf3a006ad35115cc97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d92e1c982fd8ce56a17cc1157c59a3d5
SHA1 1ba32f85f24652111c4e37702cc8d23c04c94f81
SHA256 280db338998268ab07a8723a592ec700ed9397a51eb68c5ea5dfd3e99a8d148d
SHA512 bb005f4210c6c6bafd9ef3dd190a3651ebe9398667b7d4df99462b8614c74ad080b1113c38cc054d3259e7124a397c8886750485c2f39b0374357c416a95968c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50ca261d871930a59aea71fbe9f009cd
SHA1 7aacdea4531bd6592ef828732858fe4b6b53405a
SHA256 4adbce24a8e066dbb04728dbb899db89ead948a8e7deff8437fb2fa566004158
SHA512 7dba6bd4a41cf88f57eef248615b94df100ddf942cfc0f9775e8befb223d0e256c25bec1cc856aec567919de38bf7ddd9ad3f05ce215784cf22a4a97046016d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 8a17fd211270aa08a0d6a29327baefa8
SHA1 8128fd8c87615557bc53b20dfa7a0d338a10bb70
SHA256 7d837e0106e765f9280e5438cb21af2681aba643e3e606462841a9ffd6c086a2
SHA512 a68d53abeec036b737086931667200efd3851fdfb53dd3a1fe8d3d54a9136efcdaf65521bbe26d7de68ff73d60575ea81d4bf21f6f06b5adda61fa144817ec39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d3b938789757fb77fcae8be3b51dd08
SHA1 2fae311027f3af99f922fd0903e78bc43aa0957f
SHA256 3c56d2fb631d0fac8460e5378228a4b614a719b59a133e3028330208a76314cc
SHA512 10d5ea8d3d8fc0546f2a019305e32b8ada8e3e53d853e12fe1dc83b0a941a9b9be13528677c68e5cd07421278599167458dab0a36de84b1e3d79932c32106163

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f593d7a9d3e47954e54d6b833872eb9
SHA1 c5a7768ab3688ab33c7679b9ef7829c6f7a8524d
SHA256 e33f6d27e281c41374dc6a2f3ab5983600fb54c79831ab2d4bcd5e4ff515f916
SHA512 252d806e3d55d8413a5396fa675caa3c3e132572322c94a8fcb11191961e8b808611126f3789df6686719dc74a5d209ea6f0f57235196fdd911fa1bc4d6f9ed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e52abd47bf5fe49cadaed0104c2d282e
SHA1 4d2c68872851cef95ddfa1922cfc1c82ab1ac73c
SHA256 f83320de9c5bae42642505d23dfce5b456caf3e9acb8945ab82621e9c147f33c
SHA512 d0e1f53ff7f547acd4d3ce068b233ef65cdf710ed8e92a189da9f73a2634e91228108f55aed08aefa061e398d5936e1982c0ae6db6a6e89bef8c7aae17de7919

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2468-577-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2468-576-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-583-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-585-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2696-587-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a6bcb67b21bcbc3d9ed59f365cf64e1
SHA1 0ad3b9d4e416fcd914c2417a8bab0521543a5315
SHA256 6e12778ebd36a5a062f5953fb82050477957bb887daf25e253acd4e869286087
SHA512 34dffcc850a08b9cba769c8522f77c6c4449bad3ad03edde86f0f1e490273f23297cbc2d9f0bbe8e1e8be5b17710c178a41e84cf326da77624aa499d9cb4f500

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b77d2bfb7c0acbfdc4c5c31b906295c
SHA1 50ee01a5c3d670ef7908d3f1141c65269357c9c7
SHA256 0a18b647ca4003e306f4c6e3d85d3c167ee0ddbd577e1024cc6c08423ae8b7c3
SHA512 2285e5cb1b3c6b0c9a46134be7154fe4b98bb53807c3295361f1f398cb9c79df6152ffb3c5daa0d76a9a935fe9a4d0cfa6eca40f06f1a2e3b1938b5757ae3589

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9217c2867b160b6a14b603e40a5817ce
SHA1 064269735cb8b6fb54fb693953f791858df44e8e
SHA256 4d14c1e70f98f25b23b5fc184f8dcd86cb48355cdf9eabdb01e9d8d65abb3ae3
SHA512 7765ef5df98f901686b79954baff87c33af1c0189c88f7576c4fc6dc99e48e77ba1327819224471e03fed5c7d65d4f48aa5181649089a5dff6f5bbae30551d5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66432e27868a37f7f5dfa145b63dd243
SHA1 7ed97044f9c7e1f34cfd833e6bfd608dd9f0fca2
SHA256 212338e1c2f3a4996b40d330419b8402614f917a642770d7f8fd5b0087da3b27
SHA512 d53e73eedee328b3665ed6189017b41b780393964981ddc2f505e16ca69654976644e7857f00203dbf9467a8265249c012822804a195db0fdee29da4770a42bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ac2c369cbb8a0de034e828ed736b2a9
SHA1 61e4e28752a68bb047e0d8d0eb114a23c31f0f84
SHA256 09427aaebb0d6c8e9e8561d721deda6922e39aedb6e70969d5860a177942d6a9
SHA512 e1b0ab8e0a79ae678eb707d0ed277bbd226958f37ab2321b2e8f7cd576fd1954af225925320d399cb4397b17c8ce9a67bbf4b610de8fb37151ecd6f8f1fcf3b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f971e2e3703786f27837084eaf5693a
SHA1 dd320aaa16c6e2f4b3fa24ebf6d4699ad6213f31
SHA256 a5680fb1b8e295e7de7a05afddec8a7d3cd2a9200bbc5136b6e51e1df544c365
SHA512 709942175f1dcfea20f892f1083167ec74b6d77b920c33bf93a102d300fda97ce100210a97a72929c92d242fd421707a086872dd6216c4af0a986e630f5508b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3cd3cf9635e5d9f91788e8b808dcc43
SHA1 97ce7261d63c43ea8d15f390c61c78f6bb5ff9ab
SHA256 38cd2f72432e09aface8aa367378df6f04c515b56de5a3c188e79f86f8de7211
SHA512 bd765f9a40f819eff0bc68c40a34b244cbb1d1bf4515f76e19afb1d6c64d3a19aac602bcc3c9c15c7330acfbfc6109679dab166f7eda728b1ee63eeaa165d2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 689d6b38629cc0a0ac27fddc6ca31db1
SHA1 7d0b9d5fee161de00e1b57f688959b69ded4991b
SHA256 7d2673e488c38d1dadf7a9367bcedeab6647bae06ba7f6c0038674084d5f7c24
SHA512 4e88a2d61f30e4ddc4bd948d08cc9e2edeb9c3cc1ee8473e97bc174ee4520bc6251d4004f4a009ae8c0df2d4163b992871731b783b7140f9198bc985ba4be59a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f412ebf371ab76b9b97fab7ae10a054
SHA1 9949791eb41627d81276e25920ca878688cee9c1
SHA256 d1847d41d95a41b90e96ec07b525d1e0f6cce3d1bac0db1010e76ba1874c57e8
SHA512 7207b03cd7a53e4ff5a574b281f631697297eb3004d65cf6c7b13f242d2e562ae365725aa5130fe1554e8294449d0b9d6c8567203d16fe21301f67691fa24f52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 681c9821285dae4c8702999e7d7c1f1f
SHA1 33a8b369f2a377d8a5380c50a84e6fe2a7f1f860
SHA256 fe73a58dc7146afff7b2f6dffac810ecbb278055d82363f9e071a0d0f35957a4
SHA512 1ae9b0774919b0d2e8feb35bafe607206e0f90563a4d920739a5985a243f6a875a844994f7b496e3ac4e93c078a4c15e7efce7e05f56da15c364527c12d6265d

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 20:05

Reported

2024-05-31 20:08

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\8831b4ebd43a381a1ef47bdca261d53e_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5072 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3920 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5508 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5868 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.17.251.21:443 bzib.nelreports.net tcp
BE 2.21.17.194:443 www.microsoft.com tcp
US 2.17.251.21:443 bzib.nelreports.net tcp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 21.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 92.65.42.20.in-addr.arpa udp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

N/A