Malware Analysis Report

2024-11-13 14:28

Sample ID 240603-l9ws4scc37
Target 916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118
SHA256 8e73ac0a6f3354d5476c7d28f5ba389d52e65b637cedc27ff22c0cfe825c9b64
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e73ac0a6f3354d5476c7d28f5ba389d52e65b637cedc27ff22c0cfe825c9b64

Threat Level: Known bad

The file 916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:14

Reported

2024-06-03 10:17

Platform

win7-20240221-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px4DF1.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423571545" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8032f1029fb5da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671068bcae24c54d8999e1d3d6d3294000000000020000000000106600000001000020000000bef2d7a284856bda480d5e2d49adf990994a97d9a56dcfcfdaef82917b930796000000000e800000000200002000000004013fa6d9d17386878fca29fc8406cdd9106fa8083468e95576d7b69cde6a879000000040e6bb3494826f6754b96ae1fc224357803fb3da73afb9bfa00d8f96f720f1db7b5bea1e7674b01c4b04a4d7ee76b0d7fc9b5231fc56c5755d37116483aa8549287f9660c626c98646b33a2c33616339d3afd2c91ad31e7e533c15abe0b74e8a8c3536c7b683b28fc4b04f65d10475055278a1ef1bba5447106f97368aac4749becda0916f77fb74566f9ddd29f4eaa040000000038e3f96d14e6a861440be280ac48d532301eae3b89c56f81ca9c54f774b7c88d976ccfe8a42c62526668f39350b876c38508f058c0648f78ebe016f3918817d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671068bcae24c54d8999e1d3d6d32940000000000200000000001066000000010000200000004950a4503f7a45c5064738dbad81644ccc4bb5337e08860fd11cfa5f8bf8dd4e000000000e800000000200002000000034153d71bff73d89780180f9f58dad6f3571d18dab2d3b40b901b0346a88061720000000a9b64df9abce3d90a19b5780153802eb8df26083515a12e24c26e0da898fea3940000000eb7e603230b357d858222f374f50b47164d3acbd16dde7ab8f864539806fa70b0990251a0aea14f296d15a707b3d460054c5019c767a86c104b8a835cbb4b5dd C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13D0CE81-2192-11EF-9F01-52C7B7C5B073} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2896 wrote to memory of 588 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2896 wrote to memory of 588 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2896 wrote to memory of 588 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2896 wrote to memory of 588 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 588 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 588 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 588 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 588 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 608 wrote to memory of 2644 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 608 wrote to memory of 2644 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 608 wrote to memory of 2644 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 608 wrote to memory of 2644 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2676 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:472073 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 static.bshare.cn udp
CN 122.189.171.115:80 static.bshare.cn tcp
CN 122.189.171.115:80 static.bshare.cn tcp
CN 122.189.171.115:80 static.bshare.cn tcp
CN 122.189.171.115:80 static.bshare.cn tcp
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/588-8-0x0000000000230000-0x000000000023F000-memory.dmp

memory/588-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/608-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/608-20-0x0000000000400000-0x000000000042E000-memory.dmp

memory/608-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/608-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/608-18-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6402.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab6695.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09e24abf4fa7783e72329156fd5e5804
SHA1 bdc669d2222b0148c73ed9328dfe8c95a05064e8
SHA256 ea48d86d138c6a63a03f5f9ef8bd4dae6bf8c86464a4559c4a0fb61eb53836d7
SHA512 366c741facbfb15841da3fee3af18e40625f5e05cb900a3d531c49e02ca421204dcbbd35c90a63dc2bd3945f329cb5790ddbb3c0fb11bb0df12a39c9e97d83be

C:\Users\Admin\AppData\Local\Temp\Tar66C9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 757c8f17f16a981518891d5079944b87
SHA1 b2f14fea26e1b0e483830aa15ffbb49839d80f55
SHA256 6906a7436e18969c44a4bb3c67a6c1eb1a4233420880584c5518743f959d4fcf
SHA512 7a2e66981377111f31b66b62fdf9f2c4074e34c72039e6420baaa0d6568396d84e644d16fce41adafde0fd50e66290df89973a0b63b4afc15fb7d2cd9b729ac3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca9b0a759c789f78df027b8a6f7602cd
SHA1 fb3405c4bd1ae7ea827e63c78edfa17350ca5566
SHA256 d23af914ce2f34113ad0583b7b6a36716e77b154bb5965ff8fef144f83a9d6b6
SHA512 f11e6a5b4426c2a78f80774d31c5e462b27676ec4cd3608222a04da27542e1bdf0feaf0d2ae58a5322815d1eb7f378a9f449f5ea96f812c19e8a6d5927aa9aed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f6c3c9d62c11db2c66123bcde85d668
SHA1 9e0a03e0bf336549fd0731d5c8d39e726559d431
SHA256 88c4f7527ac95c02dff4f1e1ec56a1026fe2ff629be93d43e1a4a73abfb0f9ae
SHA512 df31b3eb2ecae908bfeeb7344fa458bb7eb4c2559142804aaa80e43088a0b8bb987647577c72bf9ca05a9be30d7a6054f9bc9920722d4a13147f9457d6bbbb4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cdca3eff0fb5cfd10a4a02731577c87
SHA1 4282f1eb1e6db400b1d96b9c2a56fff47a397b21
SHA256 9b064b70f060cf945fac296fa247ec78aec2ec45ae56d74321b98c8cd2b65fa7
SHA512 e4b378db8cab2baddf6a89cfd49e45676769f711419eab51a491c7aeeede8212185a742138b80f93d86254ddc76869e40ec55206e9214a778cb910e3953685ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 680cf333a323ddf7a0279ddb9bf46fe2
SHA1 9f0d6b5d3c55a3529906bd395e17ab47abf42bc9
SHA256 af15aed47047ae9c1637eba5d4bc47c5576d62c732f78b03f5ed17b2de0c73bd
SHA512 eb4411412981e5568604953f29a20aabe4945516c76a083a964e1e1841ac87e8cd28f414b2d470f0e73c43821fc75752717defa569da54821306adaf133724de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a3f51d20201092e740d635e07aadf1d
SHA1 25471af27060c490a63ceab53f85e2ba1fc686ad
SHA256 ab83c9367e97780c411e865935b5a57d00aa97de7d5f1c1dae52592d25ad9975
SHA512 b3defe11a9aff41b1074bcc60359443dce0e012b082e94a697f2b6451a316330b954fbf56a0973ddf9b40181e1d6db359f0d6716a53b8cfee5ebffc531efb0b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9db9b8c55078bc82b0d0a4cb270146b
SHA1 caa760c9f14fd9101fe17a50f9da67741d0d86fc
SHA256 21ce3e89238bcb49a9825b38e548aec65a37fca11eaaf1dbdc1db4262df1c9e4
SHA512 77256acd8c70d71eac652bb9368be8484409c93e79323bf0f5e924e627d572de3703d7458df34a73231cf00b53801e995548e6c58767e07ef454d7a51fd8bf0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b1631584ba0fdb0190ddf5a77bc2a47
SHA1 77f0bfa63b3df23e43bff18b002316b788292977
SHA256 1d6fcda8c8f32146238832537f1f99ef070bdb972cbcae0f3fc1aa73bcbb789b
SHA512 6607eaa6a99fbc3b3dc75ed1e20906e0e9b1c52821807f4f3578fbcfb73e0ed9489fc39e7b39e2fa11753258cd511374fd9e73ed0dab589d3c8999b0667308c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c4902ac07bad6a515bf0fa45f4b1965
SHA1 be288dc4054a1caa386f98f385bd47cebe81e2f8
SHA256 d461cdab8a113b9e2d7dc833c29360b824746b032ffdb375a6f0d76e2cf00402
SHA512 be0887cb7bd9aba91812544e01e9389df5fde004132059e0c3e414df8610a1a941551d6aac8a25885614c8606d98c96f2e6991ad5f32013244536ee68b7888d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72e84a20a9550095372120b792a9b87b
SHA1 0cad2e0eddaec237a05f603a9ab1dca13b65cad0
SHA256 2e9e8ce1401057441284286f078e8a0d2b1f0d44839a7d3a190832a7caa7cf2e
SHA512 51160e9276c3dea5d8da6497a520928bd4b4383a8678b416c940b36e6ebe0fddf97cb4bb7484ca43bae27c96d0dfdad6c88e968a9a70b588185809fe76e92673

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e13e627e921577061992ef53cd6d750
SHA1 262034364ce9d5ce2fd634ba14dd356a0053bf7b
SHA256 87416ee2ddb7c687f917ab7ce5f47e55c28b7bcdca0c31ca2dc0133ba70b97c1
SHA512 cea419e41cc4a16eee6c983cc26a697a4c77c988d69bb4a0f012c6684323bf6d154748f41d007410969ad9bb44033f33e744506be9717becbe2a43519019f15c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eecae8df3441da7f37ed0faf8af6210e
SHA1 e6af778fc73c7bc7aa116c4efd41bafafedcf95f
SHA256 3aacc249464aa571a0a15597ccbd3b77b5dfeb605cef0a49f8da1103f7e50857
SHA512 9bb7b5b822ac3fd5e17887f5c77b6663aa44228b522112831d7c4b2030bc3e6eb0fb03fe8c55ce58b790c5438a0850355b1fff98346c2e440398537128817aa1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e87dd68131b0da0db781b0da75a1daf
SHA1 915e686374f8c98e714f1f630f23f64d23952b64
SHA256 39803517a3ac4d840b28e954360de767e618ce215433aa202749a5abcf5aafb1
SHA512 c0a83bc5f4f2ff5a353af935f5642e49ed5c5bb7548d675ec71e8dae93e24e8a647c0f479bde50ff2fa532bec35d588af04d9cf8a7647c055137034d8b84a2c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48e1b17d912bd2e829d67b7c22fa382b
SHA1 0adfbacb2732f771792fcc7872181213607c6eeb
SHA256 27004599d937fc7c19710d9adc645955a5b722b5fc9392810ed1fdf57b7271c0
SHA512 1fee12270defb20416b9acc853f646d2932f4749cf1a3ab437bcbee03ac1f9a37b2412ad6151541d9874a37a227bcb655eb90a5b399416e28cec88781a01ad39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69fb41ea46b2b857a666c25d8065fc9a
SHA1 a2a1f6b010d29fd2e4ede95b9ee7a861d3faa926
SHA256 0e28a11aefd13b77860cdcbf39e99be338eedb85a1dbe1795d73a20eea4114ec
SHA512 14402a48fb133c2c9bfbb0fd1ee6ee767a8878e4ce708fedf8cea7a758482a824c27531c7e74fba8855a57bf98cf35a4b674950055af06cd729fa62b7009a995

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c223b2cd5bb85f24c6913f36e9b3b1df
SHA1 1fc4ba1f7aa74946cc3b2f4b0576e066dadcb7f4
SHA256 1a77a0da71c1ac2f453e61177583da45a24000952c8464bf9453d0bb3e98e484
SHA512 040ac434af304a07a07f6a82f196f439a6f1f3d2a53d0419cfe95cb8ebed5957ca11e77e1c9466d30f2c7e57117bf9404a3b8eb8403479d8588c03982c6478a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:14

Reported

2024-06-03 10:17

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\916996da2a24e74bbd5b57a7c20f0b16_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3716 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3412 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5520 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5812 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 104.91.71.140:443 bzib.nelreports.net tcp
US 8.8.8.8:53 static.bshare.cn udp
US 8.8.8.8:53 static.bshare.cn udp
US 8.8.8.8:53 158.6.107.13.in-addr.arpa udp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
CN 122.189.171.115:80 static.bshare.cn tcp
CN 122.189.171.115:80 static.bshare.cn tcp
CN 122.189.171.115:80 static.bshare.cn tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.253.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.253.64:443 wcpstatic.microsoft.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A