Malware Analysis Report

2024-09-09 16:49

Sample ID 240614-p3a5lsvemn
Target a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118
SHA256 5160aefc9ad69e77163dc12c3a17ff69598584afbe8ec99c4026fec27c26bf8c
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5160aefc9ad69e77163dc12c3a17ff69598584afbe8ec99c4026fec27c26bf8c

Threat Level: Known bad

The file a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:50

Reported

2024-06-14 12:53

Platform

win7-20240221-en

Max time kernel

130s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxFD52.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424531314" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B75EA911-2A4C-11EF-873B-52ADCDCA366E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2332 wrote to memory of 1504 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2332 wrote to memory of 1504 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2332 wrote to memory of 1504 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2332 wrote to memory of 1504 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1504 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1504 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1504 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1504 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1708 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1708 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2856 wrote to memory of 1596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 1596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 1596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 1596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:537614 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.5rybo2.top udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1CF5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1E34.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a7e2ad6cb1e633317a54e6576a204a5
SHA1 f4d7a8da083a31e132b28c9aa41e6143df9ff016
SHA256 92508e7351295eabe38a52bd4ec0e9394ca179e60b99f46081c69c5a8fba46a9
SHA512 5c3d01966a0c8bd5f18720e1033da2b5a9af494e7691f275e3aa5e12c2b7abac4f6a4b159c6d7f93ceee946dfcc58d67462ff4afa9d232ecf552d6ffb1784a89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a40cbc58d5c2b2ac6f3390028f69406d
SHA1 e0dfd78d746c5e94fb03b81702d94238799a8733
SHA256 85e4229e17247376f296d8693ae85b274effdd8062ad16db9dc34b3fdfa30735
SHA512 369e1d55a3bee0a740eb1bf692d6dfcdbc5a632e1cf2edb560bfc09c25e390697a9e47499970ec4765c4f64cd66f1390b8e412b014c76bdc56ca0d76bcd71d1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7dde2fa848f245dad15be59c0cab9f5
SHA1 713f07706e9d4c552ae84e0ce5f18deb49555b8f
SHA256 ffa14e302ecddfc45c60e3f4eaf13414bec9f8f3af97252ef31cfd2075c7443b
SHA512 c6599429e8d06c9b9d2f098f80aab9616ad47fe4fd60c4df6565af185cf43ddb8b49ad0225b0567ab1482ff2411d22b138841fc95d734a76262a4a8e0e58c14d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6c8c745861a58e2cd9837f1518004d2
SHA1 b3146b9e7c266d2c9351e6abc2ad253d243d39e7
SHA256 72bf3d3afa2e13c0171fe6149ba96225fbeb0909e07490ffd07728cdb9dae6d9
SHA512 226a5e84e3d3941df4f65e0ef81bfd16f7dab684c777919c7d67d998345bd039c4ab40e235a5a0a00e3db30bc01fd7ab1993f87319c46f0276e3af1195e029b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b101016b464ef82dd894137d4c1b9532
SHA1 b04e31f065685d700cd872bdd8228f7c510957e1
SHA256 775d97b85d0b3601cfa9ca7fd7ff8b285e13f92589df92aacab0a14ca4bbe5d8
SHA512 593f65831dc5216f4be930e94ecd0bb4d75432255127aed9a11c11f48295bdb02b8e889e8d52b5570f979d3618fffafefbb5bc7b27c8c8819dc44bf7a40a2bc7

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1504-481-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1504-480-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1504-484-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1708-491-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1708-492-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c9d30d62ef957fc32806fe300c9c6b6
SHA1 ec75dd90cfed07354761d294267cea9e3504ef0d
SHA256 b6e7d408d01490c8d49fd51be33931950b989733523a913fe34486b8632723c2
SHA512 91288f0000f1656c4fff0f1bdcd839f814a265739bf266cabb582f6342cadc7782719801dde8cdf4993a8438903e246994d9ff579c2a42b55240ab1c1f8535cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 396cd4e17230dba28a8edadc530dc45f
SHA1 921943a5c6d8a161c9dce850beb8e79b6cff2365
SHA256 0ad86068dd8e62357a97989cb4ea249abf0534a1a480317eb1ef532004f606d3
SHA512 d3f26a36ea73a7cec059fd972fa1547a880db23bd286922b4d8781d98b1af81e1d4d38fe7c25656e2b562d67c388a4f31c0c81c973c18e146c4232f5e725aff4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0df4c3ca10a1d1598c0bdeb574bd2445
SHA1 be39a9b6a0cb070f9453010a852a9c4745436168
SHA256 1ed6983fdce2d10ddd02bce9f111e811f5e4d2d714f79f7eb5eb0e351f343133
SHA512 3d2f56f78a6f1a286cf389e6a7cfb2a98da5739f7590a0fc38bf7fb8ebc3668aea8b088dfb27c42b24ee1ee7e39fcaef3ac7c64626d28c9220fa63861ba86259

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b319396d7b4bed8c7ae7b384acf248d
SHA1 c5c098b5ab44ac7ce056385e3bc85f4ce470e65a
SHA256 e567ab83b129dbaed1b867db6993da1ffedce5342d16636ff330bfcfbb15ccaf
SHA512 77f753c41d81a3374abf9d9808fdbd7e25dae0802ee5e20f40d522d933d4550e5f2fd82232b6676fbb9915d0c7ae477c4fcd637850d64a113516e8e3900a3410

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f435c00f29884cbc632d1d465a89663
SHA1 7bc8975974943e1579a7672a9344384ffb88b152
SHA256 58fe0a4e6e214cd90579e7cf533a355629afeb975f7c6a8b7fa4159e56e7fb63
SHA512 6cbdb02302bc3c4ad641c7973d654153b9eefc59f8346abf2488563607abb836b0c96a47ff5e8acd7c399a375405913a975d70221d64f2cdacde43c8f8181f51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71464147adec2f0ae814665e1c2ae93f
SHA1 2ec9e56dd6b3c1d728a2c8e627ed953b04b42097
SHA256 0583ba915888365369a19b5d4dc27abd2c8837cc0f968a72b1c44c2f2b768aa3
SHA512 23d9b31a0558a1c5ca60cbe745169f53b798b665de7369fdf8d997e1e5183ce7ebc21d78b686ab74223adc04cfbaab7cf82d47c8a636cb83c91ab4dc5a6e140f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb39602971b8fe1c09eb9059a2693124
SHA1 ac0dcf55454e1aa8926688808e6df69d0f01a331
SHA256 bdf0199057af969bb47373eae9536d960809d0b2fe91afb768b0ff7b6ac4d4b5
SHA512 d80c89650ae8840fbf4e8347e97c8ce2200838296fbf48cdce9f4c44af02e688d663978d5b772ce3bed722f5eb81753caae077b9245246e18c2b8e44e946fec1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09fd076b26160ff7b68e1e52175bcd49
SHA1 95f07a40f9c1cc859363637ab7604e50b220fada
SHA256 26b0f1518ba760f0840ed579d08b29ea3ef8c8e00d56eb8bd3ab40610be190f4
SHA512 d027c5f3719dcdf4aef69468c36f08fdc20d48f466cdca5db8f9c437dc9de786542a3f58acca9f6c2d262d6a86fff5a8769f709e5a1b93e87813b8eaa63ccae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a9048b3c1c026fac845f0591344f87e
SHA1 0bba912c141b8a0d58087a31d14942e741a49eae
SHA256 a45bf874ec5c021cf182fbfb1fc64fdc1a0b2e6626e81a27f11f8db9d9b09c36
SHA512 8ca2cd9e3619476f95be3ef6f4dff70dfc4b209b022f1a863c51fc2471c50a621403055ba28dad6d185b3eefbd51de38c4c8e62e93ef4a2b82e6c58c38976de8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:50

Reported

2024-06-14 12:53

Platform

win10v2004-20240611-en

Max time kernel

128s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\a9c3ad05150563475eb1e641c9d41ebc_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=4436,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --field-trial-handle=2212,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5364,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5372,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5376,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.5rybo2.top udp
US 8.8.8.8:53 www.5rybo2.top udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 23.73.139.50:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.5rybo2.top udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 www.5rybo2.top udp
US 8.8.8.8:53 www.5rybo2.top udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 news.share.baidu.com udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 52.123.242.9:443 tcp
NL 23.62.61.177:443 www.bing.com tcp
GB 52.123.242.49:443 tcp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
NL 23.62.61.168:443 www.bing.com tcp
US 8.8.8.8:53 168.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp

Files

N/A