Malware Analysis Report

2024-09-09 16:53

Sample ID 240612-z2erhsthlq
Target a264b92ebb865a4fa82bde098802ba52_JaffaCakes118
SHA256 4616523601206992c096e8bd1a16ba2bb8f32f07591a64d0eed7c6bcad0436d0
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file a264b92ebb865a4fa82bde098802ba52_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 21:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 21:12

Reported

2024-06-12 21:15

Platform

win7-20240611-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a264b92ebb865a4fa82bde098802ba52_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxBD27.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C447231-2900-11EF-BBA4-D2DB9F9EC2A6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807f996a0dbdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424388621" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000c082e9487cffc4117169893c8e2b221e345bc6d942619ebdc81b2d4fc202547e000000000e80000000020000200000008505bb9e4560b34dee40aa4b5c6b98c4c0108160a6c61cd1f4c1ee8f745021e120000000dbf0b43763210d3986f8db3588d310532235c0256f3eb4c1938fa6e63c6aee8240000000d7ce47a0090b47a1d8adb65236ce0b3d3f7206949ffd4b2483f8462c35c4667f8cc61469401d0ceb64915a5b071dcec6c782fc6ca1ce84797053da40f29fc8ef C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 1632 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2928 wrote to memory of 1632 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2928 wrote to memory of 1632 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2928 wrote to memory of 1632 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1632 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1632 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1632 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1632 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2600 wrote to memory of 2408 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 2408 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 2408 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 2408 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2100 wrote to memory of 624 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 624 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 624 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2100 wrote to memory of 624 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a264b92ebb865a4fa82bde098802ba52_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:209940 /prefetch:2

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 21:12

Reported

2024-06-12 21:15

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a264b92ebb865a4fa82bde098802ba52_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a264b92ebb865a4fa82bde098802ba52_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4992 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5700 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5752 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5452 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4532 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Files

N/A