Malware Analysis Report

2024-09-09 16:53

Sample ID 240612-zabksasgqq
Target a238958d855b22c9b33ac6a5097febe6_JaffaCakes118
SHA256 b9cf3ac362dfe6f27d9c4d7dc739d2d6431a9700e9d08cd3bb75f5a397cf40d5
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9cf3ac362dfe6f27d9c4d7dc739d2d6431a9700e9d08cd3bb75f5a397cf40d5

Threat Level: Known bad

The file a238958d855b22c9b33ac6a5097febe6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 20:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 20:30

Reported

2024-06-12 20:32

Platform

win7-20240220-en

Max time kernel

130s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a238958d855b22c9b33ac6a5097febe6_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxF43E.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424386093" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99821971-28FA-11EF-9A72-56DE4A60B18F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2744 wrote to memory of 884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2744 wrote to memory of 884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2744 wrote to memory of 884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2744 wrote to memory of 884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 884 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 884 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 884 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 884 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1040 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1040 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1040 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1040 wrote to memory of 1304 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2192 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2192 wrote to memory of 2820 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a238958d855b22c9b33ac6a5097febe6_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:209934 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab123B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar136B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f615b786bf71435bb25621707ca4a294
SHA1 7f27735443a700c121d5c27a4f86d97bc601a355
SHA256 d080bc0ba1cb31a28eebc2289fc49072ac4536a0630a20605fc8d95e40b7c651
SHA512 d40735aa5b2245ec2983f89480143b1c71cefa9c2ef5e374259ea299068e2f0ba93ef4731013312e7a3eabe75fafd6f52a1af18a49a47b1080800542cd358704

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b4e7aa4444982d2a776f6de239832d3
SHA1 79d1c9034e02c236d21c486ff41b716c16ca0c1d
SHA256 a7c1c025c311ba1a5a23a69f4c0cc13f9b409b69d22636418dc517a73f06d144
SHA512 94723afd626c69f6f71b47b08ca705a0629414ed00fa3e6851502ff2ded25830d2c88aa18e88605421a0fcb6920c18b7879dba1e1ccd0eb9f4ea3d6772cbcddc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28c80fe7b13321b52725caa282f24030
SHA1 a6ae92693721ff4e8cae91ddeb6df1ac45bc5474
SHA256 4cb2b43566a56d9974bcb9cc098c25a38dc34a4835e3349ed566ed1b54fb8e5a
SHA512 29f9559c56d78423b3316ca836914721141c2ddd95a7174c7614c376f72bfcf453ae56ff281953145a07b15a2bec6a11a3e585d3c8e3185455bbe83bc1709906

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d70ad2c90caffc6bd9f6d8525d75d558
SHA1 0d0bd9e98c7f8827553d4ffeede5b561116627c7
SHA256 8ca7beb6e4ecab652715349301a1dac58a873a7a09dba0a702b4842705b2d99a
SHA512 bd8ed10b5b750842785218de3b22d7fcf5c7aac53de25c628855608a8e49d15851b4dde42711dce428be8acea7ac5580bb0bbf1a3899e0fc59910288d2db7793

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83a04f7f993f48a69cb75afdb32ecf14
SHA1 d466e5b196d4667694733c57e77f45adebca305f
SHA256 745e20fc9352ba81589d5cd82916c2ad34bd6d868516a11241ed1aa49ab38872
SHA512 36819c3f2602b01d2903754c819bc1f4ba7eff76520f9f81e31d0bd1db8390b7d37da4617c1626621bd85f191cee677cb8237ec74989827bfee075d414b00f45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8d36eeb63ad871884de3f5c963143d5
SHA1 a46f208fad1660fec7b6861ff9b566ab9ed4dc8c
SHA256 99388522084f694213f31bed77ebc5b8dd3e300f8b8495ed9e0851b2fcba9609
SHA512 17370c795da7c98c770d59c4092b81e40e56737f071a19876882a0539731b1193099461cc1b50fc93b78247be487960f943b17e74558150b9221c19fba1107f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a00f6d3c59ba621b455b2edec56a2eb
SHA1 e78ab0e67bfa2b234024e4a397a6fb590e7a07dd
SHA256 7971d5c665367ea7ac52bd53706c760b643bcf3ad424e96e9f3a07d76cd6425f
SHA512 dd51593426bd46d04f91fb9a00c17c613b0f12e0da0200ae5d83049618c6cd2425e45b121f83b80e904a50b2a78179b36b722dd011f64bfd35f7f6656104c6be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a74306a720458722c30d5eb9088b33f
SHA1 f6b4cca7b0b802bf6c0cbb0546ac4f98d613fc26
SHA256 f7a2ecfd6ee3b6d801152f0fe0ff8ef05878d7e2a991489e3f3379f10d2a0b01
SHA512 ec412d386de1030e88a2d51f1a87d83ee89a98d996c16c3526ca437e2dd6a010c4964e4c831b3c31262158382df1604a4866d2998ada2731bcbda258fb0b4436

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fd63921ddd266d6ab09e03b3a2e9df4
SHA1 bb6bcd24b642518d8aec80ce1339b8ce844baa4b
SHA256 228cb9d4f126b185800deeb4bac1665145b5b6d9b4de3be3e6a79b8cb0e21e29
SHA512 fd0d885d6540ab00439e74662b8a035df7448636190aa328300fa5e81732081dd7997b7fdf8385f3f48c847395e1da2811b66f3e5c400a1d949dd503b2e5bc43

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/884-482-0x0000000000400000-0x000000000042E000-memory.dmp

memory/884-481-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1040-489-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1040-492-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1040-491-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1040-493-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1040-495-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f0aea874c130dc905a0a2ba09d7f6e3
SHA1 7ae2c994020766e84924897debe3a307f4b6c099
SHA256 80adb9d40ea149dee64fa2ce66245c0033fba6a735a1468440241ab58f0ae0bd
SHA512 d4089933f0d3639677be446de343da2502f0eb4d660c7b362c64688af56f53b0a238d353fa5bdcbb0ff2c4a9b43b78e860d2126e76c3da74c95d6e2941b26496

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1beb11fb63d87104a9a9a7658d9e50c2
SHA1 edaa7d09a0578a3ae178443b7e4b0e1b1a9d992a
SHA256 6f07314f2cc0e825d0566b1e749644ed381f09fcbcbe28aa5630bd5cfec57f59
SHA512 d611b94f865943ad63d48713fa45ee6fd858f381268b6b1cac461e4ceb922cd49e3c5746015b5ab969aee362426da7bab7a9b329d0554d1c16d457f713dc71ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a11c5299f66af80eb1ddde31f2683ad
SHA1 fba76694f5cc43dde36bca282a2a6a84ba5d9d22
SHA256 a5e10e428479265d547edf6f4e357dee3524ae6444913c8c0be7a71ff6b76c16
SHA512 61a48bbf9b62a7e955bcc561dc785ea0bbe683d535272f41078e9cd9fd853435c6bf77836055c943ce7b356c39d46089f136d686a5e4fedee3faeaa51b84e17b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da7159efa520c8cb36c765b657510a36
SHA1 28e3d2fe04e32f58d66904e7398707b6d326c3a4
SHA256 b4414b8919dda2e8dacc940e5e032100c4863b6236f2f3e2367990bc5429f612
SHA512 2b39258f2ca29f3cd251e5d834668892a7c294237ef352fcade65c5281b5160098e159f52d7b0a95d966f1dce2b20e61d28737c34387eb82cb836bb1e8cc6f79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 232b65219b7c4015bd8950ceb68a5b12
SHA1 ebe795a4ba28d78c21e3700e5a5f43ee9de7bd8a
SHA256 d63c0b87bff870a38d96562554323e0a00d9c64ee8febac877f0b05d58b31515
SHA512 3754f558150c39ae0156bfc17e7f42257195a08053e20f4ee0c9d411a67070d5482b4de47d5e83c5ef1a597f3ef03459fdbd1fbb37c4d2f0dcc4b73a7ab5dc70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a4dc0cbeec51974678417368645ef6c
SHA1 0f30c94ed4cae8d611309a0ad424ee0d3a6f2211
SHA256 b66b20ef82764472483a836297989026e6164b7da750479b7aadbcdd168d592d
SHA512 6b18176fbbcb8b8ea1b91889f369827fca93652c85da5c1b6ee8a39eb36b85dbac9efe3715073117af3b44ea9f9ebe8245a2b2ac0c02c5058acc6f247b439db0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05a6b54d9ee03f46445aa4065962c763
SHA1 df917db8a0cc8ba394617520e873ce74a541068b
SHA256 e1bcecd0700e55554a8dc543039f5f24f9c3f73e2df6d2e3d0e58dc855a24b65
SHA512 32fbcf8e9517fb6c21563f8587a321116ffb7c6ece4db9c7ca50ecb2abb00abcbb7effbfa59feb2cefb86121029e80dc98debc463236ac46160aa2258351bdc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac7be32d0f3846188659d38e30cee0ae
SHA1 2c9ae6468e7b1199718fe1784c8c45ad2f18f497
SHA256 197115da14ee85f522f2502674d2f22408ccac48026bb3fb7aa0daa685b89a74
SHA512 e4d411493be587ed42429ad26c4935d1d6a502d3d8b777ff4fcdfda66bbece27a199300727c27157e41d12b92da8e3fd027b97a50d84e1335a9d3f4ebe013b45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a80e35806cbae2b2c51dc89b65b91632
SHA1 2eb2a6b00a1663e8f13743798676d4c72204b124
SHA256 094ac64d619a4f0130013b3e14b7459df148e7607429ad8b6f5bd1905c6549f6
SHA512 7a91e7e075f256d692b8e915ba71f254186d58099e2a87124fbd40637577d68c0cdeffb914cfde4fbd61b9ad70dfbff1ff9f7b80df0c46a60fd778cf30b466f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b86a0819dd82204ffa3096c031e6e5c3
SHA1 0fd59ad4d48ac3f5bb70826bf1cf30eca92df1eb
SHA256 76296cab1b085160ec5eb2d7deb3f1041f0bd16ae5a5247ac614cfc824464765
SHA512 780efbf9e5bb98f66a16be04f7ea3260676d6d44d3cda7f1a186c5b81e57c77cf707e056d527fadec50b49ff4fa8e078794a1a8275d8713a73875cd95abea97c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 20:30

Reported

2024-06-12 20:32

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a238958d855b22c9b33ac6a5097febe6_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a238958d855b22c9b33ac6a5097febe6_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3924,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4764,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=756,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5380,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5852,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6048,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.a8sfq2.top udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.4.4:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp

Files

N/A