Malware Analysis Report

2024-10-19 13:22

Sample ID 240610-ze7h1syhqf
Target 9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118
SHA256 ae913cf7dd5fcb06be93543b36139df48ff68eb9e048886c4461744497cdcf20
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae913cf7dd5fcb06be93543b36139df48ff68eb9e048886c4461744497cdcf20

Threat Level: Known bad

The file 9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 20:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 20:38

Reported

2024-06-10 20:41

Platform

win7-20240220-en

Max time kernel

127s

Max time network

129s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxDFC4.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424213805" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75D1A691-2769-11EF-B54F-5EB6CE0B107A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2924 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2924 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2924 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2976 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2976 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2976 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2976 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1360 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 1520 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1520 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1520 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2064 wrote to memory of 1520 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275471 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.iyqq7l.top udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7EF.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8EF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff87d0734e1f5d12c0a06cd92b906959
SHA1 0169de97f9ac6211f5190a6ff617c66926fa0337
SHA256 1ac80497fffefc94c81f4a9ccb51d6d9ea023159532c91d28364036e7283f4de
SHA512 e9051e1bcf44ae85a48ec2480a5c5e90ab954ae55cad2fcb743a3a91dba63994172e89898dd642a37c2fa48ecd48bac11cd6460bb8453d47c764b46d548a2fff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cff4519f47124a3afe331492348e2f35
SHA1 b8fddbe296767396008c00cb8d3ca00066693ed7
SHA256 df1cba92cba58076a21d776a391de1576b4067aa253f9fdf1454b536066aef26
SHA512 12ac706deb97153311f2bb588354a638b79414eb2fe3d92a4f6596680d8d132faf894e49ed43cd6dee3a919f0145f8dc1036a4b396a3f0fbe4caf5b6a65773f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd025908d59b7f26938b5387fd44bff6
SHA1 3c6b67eaa77d0c5d185a2780394eb568f347ba9d
SHA256 1ab18a837d63ee00c8462fd16c50658073fc8ceb977fc409c11f789c8cfc639c
SHA512 da45b8b64763e9b9d692db7623192d827d04f0e1ff425eac6b5da9520c55a880e7d6e9b88e7978f54ac8c5bfde10ab749a0fe40ce2fb12c7a7f242b6b3982ac3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c7e3d36e2ca4c879650d66adadbcbcf
SHA1 ac71b6cae20a8b97574636cc8e889ddffb70e073
SHA256 4324542755af5099cf39ca2154ce71f7bf51b5bf2856720b35cd4b43480eff32
SHA512 25d22863190c8db82563b1f90a82659c286f624b77fac44b4824c32c52b8949a4ccef4eda6f5f815dac4f46b2180811bb612c5023687b71e8ee121e319935a11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b371765a351d83dff2e32297ee8e452a
SHA1 8e0ede313ffe123680529cef38ccf88b3f5a9325
SHA256 c14590c519d5eb4ece9d9059e77cfd53cc60c80ca51fa536eb512e3aea9824ae
SHA512 64aff3e834d5ac5ab4c3d6d6189c56cb526562df1f4e300dff9eddf2dab4c7adebd0ebaff1cd4c7374da389125a55da9f5aa38671fc3d591e433417a8b99e21a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98fa5303ab268fb7def20f9d5c8627ef
SHA1 e429dec196c9936a0cf6df9a834916a6df4c3880
SHA256 cb7a1542aa45be81ef814fd0579ecfeb74fa9eb288fab2272d08e404a15b0aa5
SHA512 7943b07831a818399713299127aacbc6334554e366247d5ccc7c745ebf98d64cb92d32aa6af328d8f42ad899cede4bd96d9b3a81a3dafe7c3728c8ac49122a25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5911af7e2f4745a8ade5b1b5ca024976
SHA1 80306104ed757f7c77deb997974117240e8160b5
SHA256 202e1c17f32f5403cfda828b7a246574115bf63e89d88c0c2724d0952e50e4d7
SHA512 afc6891219feeb72a8f576cf78212e4e72056c0a1c08248190059c2e1128b460e6a5807466ec17db8efb740d4b0ff16892efb647a907c84d9bfb2aea7d1352f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12ba3d2506b63a38fc832a9892622946
SHA1 2de37627ba0fdfb899b3ec33f919c787b830715d
SHA256 1c3c300252f1a22beeca35299be63047fff2203c1dfe305137fd751cbe6b24ac
SHA512 d0da5b8967f47a5db4db664b11bef6ce2e7021773e50c71046de8d432ca9aaf94ead4a7eb37988ddf86a952d70bb2210920af2498861ef1fbb1641898ab8b3a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f0db2b2e5e5007a3b0d61f01a340a65
SHA1 bef2dd3f3d200c134b45a70c2361bd04ae4ae7a2
SHA256 c802def42c9b38ca8105ed324ddb87128b5e5ae23439b067cd61742e01e7d19c
SHA512 e7a1ab5c44d1e40898ba0fd8ae1fcc31c346253919c57beec2de0a6bbc82351e04b9e54423776e2094f4c650886f0f1c0fcf451d36b554355f1f8f92c02fa212

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2976-480-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2976-482-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2976-483-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1360-491-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1360-493-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9fecff958e920c4a69f01c6eeb0523a
SHA1 c86aaaedcdcc894eba53dba96f4b0cd473725f08
SHA256 a22c5f31bfc2f68e6dd7f57cfefc75481ef19497d85ecb8d8dd2c09aaaba574c
SHA512 3f3775b069b9b523d506e2b42e74cc8aab8e89e1d4b7f58e85aec7a75ad6732f63800ebb66b9800649ae34fe4081144bb44f1c53773d412329126720829bb525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56f4df2955c99a0116e7213e84f4f2db
SHA1 c1263e01466309f9964f29b4bb02de7ddadd2c0f
SHA256 b0cb6331fe700068f72a6e86dcbc1a2ba1dcf39451c67dab097147877420c8a8
SHA512 7999f6a22c22688fd2759ec555fc67c8be11cd70f2182b99c138526c886d56e5d24893cded5b5fb5334b2b667211401798f5d8016a8ddb8f3caf493272a68477

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7f665a9d6239297bd42f7c00e896b34
SHA1 3eb11afc139fdd7f5f102af28d5ac2f9a9cf500b
SHA256 de63271f69a10c2b44bd48040c7107a9642e5daf5e34005c5a70a2f0af476373
SHA512 96c11899253dd346d4a3647e5a40f44540c56929acc4e379ad04aaffbe6f6b49e0e72541bec7be54a091fd1cf31090a41663cf86692ba3305e780b4b1d1bfab8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f6f3399834600d230e31bdde7af52ec
SHA1 2afb8e7355aaa666c36c2e9a5453f3716c5d4ddf
SHA256 9d344b8076ac98b891fce0efaf5f0ccfa8e8f962381eb1db62f4fc8320dfa13d
SHA512 ac186a423c51e7173a66302e83acaf23e8d77448f7e89963e6549732c3afdd2ec299cf03bf973f18118a40e8b811cf003aafc225d294b29913e49b78bfb10f24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a38c90a2009dfb8ce70b82feee813f49
SHA1 f6847c5618edcc443f357f2087bc47b702c71f58
SHA256 820883de7a9988d543dfd34dde004edc72ea9ab560eac07982d075517c4a891a
SHA512 390eac90239fce1986b99b2d926fa4665aea5806b580afba5b5ccaf1e4b16aa07a914c9f430b9bee9f9085a2088b61f5a6fb27952a4af1569960bbe0e12f86f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b410202864fbb128b466940e6955c2b
SHA1 b14b5cce57a71e1495c5f8fbab53058b0dd1d15d
SHA256 7169dff6cfc641368f4d1da5bea34af5813f42ac360646ff436c19854db92637
SHA512 e275e0b133297b8182c06c8ef73e045499bab44fb1b01a7e6ef433d9d9f0b13a09894910a591697fe056a9b5602321e3aeb17ca06fa1296909575ad7468c720f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3eff9b1298ece7269a5cfc1ad61b5020
SHA1 c7e068167ce1040affd24129b14fd83262b6ade3
SHA256 ca9c589ce8b2bd20c50ec18581c42dbcacdacc1a6c00dbeda3519bae1da067ad
SHA512 6327fb09bd0cb1d084a5f358ed813a42342ef38ee402d5974df88b589de88687161e098f5dd4093aa6d9798140fd62cfed64f4a9414d21622fa80e5f36f98212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a8ba46ad6c78e8697c6b8b6be5b7d4a
SHA1 0a55ab70cbb0790c1b232f733509a3ce882aab6b
SHA256 05d9a5b6045772e8ad85ea308c2ccfabeefa611070787fb14237f34e785fe5ed
SHA512 491824f6fe0ce721b7729eba2dfb5176a49d1f397b7d48ea6874f94cb48709c6c91a41459e6a15ac44bdbaa882d21607493da123e1d1addbdc009e1424640ce7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 113b93f19e5f33e66b8860b7b451cb99
SHA1 e08f9514548c98092e03029f976a50e36ef562b7
SHA256 cdfa08546ab680724f45158df6a5b1373b5721ff2420a8821475eb501fb8a946
SHA512 df3ce9d77ec8928b7751f739ef8a360308981f0e4de9c195fa2dcc59d22ec58a793879596e98e0d7aed30d3bf26abcaa4295babad2b04a10e1259b2e526ba2ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0b7dd1f1a111833e511761ea07128af
SHA1 b43199bd672e58383a24f2406fcd37bae75b188f
SHA256 070a822d065c31047d6b9d484bd16d3348a3128b667bf9f42eef50948d1dc890
SHA512 bf25a7211819ac9740801f6c3688eb19048552f35446f9a667fc9f65db58229180441ffff39b5cb78ae063f0ad536a0d9951aeba32b3c124f1f0f3c4539dca93

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 20:38

Reported

2024-06-10 20:41

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\9bdd8f4c23628fd6b05275c69668626d_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4016 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5836 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5500 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=1396 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 104.90.25.175:443 www.microsoft.com tcp
US 8.8.8.8:53 175.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.iyqq7l.top udp
US 8.8.8.8:53 www.iyqq7l.top udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.iyqq7l.top udp
NL 104.97.14.67:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.iyqq7l.top udp
US 8.8.8.8:53 www.iyqq7l.top udp
US 8.8.8.8:53 67.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.189.173.21:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 21.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 219.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 208.197.17.2.in-addr.arpa udp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
NL 23.62.61.194:443 www.bing.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

N/A