Malware Analysis Report

2024-09-09 16:53

Sample ID: 240612-ymhn7axhjf
Target: a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118
SHA256: fc69bec31c06b525fb315ab32a19603485d9108414969bed932164beec62503e
Tags: ramnit banker spyware stealer trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fc69bec31c06b525fb315ab32a19603485d9108414969bed932164beec62503e

Threat Level: Known bad

The file a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 19:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 19:54

Reported

2024-06-12 19:56

Platform

win7-20240611-en

Max time kernel

133s

Max time network

129s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px18DE.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000a423eab4cde7052270da8072f3a3a40656e77e6c9ac39a68ddaee2763da58eb9000000000e800000000200002000000085c5331f863f7dca1238ad3aabbd61c257bff0fa483dc32838a421806ac8de64200000008f56c027927bab9aa22a1cbb248ae2f1d072497a90d152df9d97a30d998788f34000000085838f500bd733bcbe7019ecd0d9d4f8fecf082087b3178d5f3092e3144ff2d98274ae109004fc8e75203a074d83cdbc0eecae4500856e5142a09c4fa7889580 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{858A4281-28F5-11EF-91CF-DA79F2D4D836} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424383912" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000006be57b42037d473f2b201f9800a8a7fbcc66ef82b8a734c9f7723bd69bf455a1000000000e80000000020000200000008fc75f30ac32a8b2b20be71ebec8a761657862965e9197c4d4755349b56fc565900000000311cbc6eeb192ba75f12c43637d0ba826fccd80a3407ad002e3b8a65448b2d9808825598bddabb3f3c464582a2fed9785189dd4b8411ea30730d1ff656bae25a217d0af1917f2aac969c1671c2a9e0da67b4d4f60d2b6fd49ee2b385e1bf0ce61543a11107979cd0fc1c8ca6b95a008b629e922af27b53210ea1a8c8e5c26b2320c8ff15bc5c27d74eecc7cbf1e400140000000bee869f7bb266aadbb8cf3712931abd4be4a0e72bf9de4ec8a0c3a86c78a8cefe576adf1294e67fa983285da6db01c8d43c98b89b9f0d9f908da5c9c66c7f92e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0245f5a02bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1076 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1076 wrote to memory of 2904 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2904 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2900 wrote to memory of 1892 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2168 wrote to memory of 2492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275466 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 19:54

Reported

2024-06-12 19:56

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a2148bf29ef3c45cb151a313afbcaf07_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3708 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3960 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5392 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5488 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4584 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5372 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network


Files

N/A