Malware Analysis Report

2024-09-09 16:49

Sample ID 240614-rf38zsxeqp
Target aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118
SHA256 8d3d4bfd6e6e7574b885feb4a2f7feb7f25f4c5b7923fc4f3cfe7c316bcf8180
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d3d4bfd6e6e7574b885feb4a2f7feb7f25f4c5b7923fc4f3cfe7c316bcf8180

Threat Level: Known bad

The file aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:09

Reported

2024-06-14 14:11

Platform

win7-20231129-en

Max time kernel

137s

Max time network

121s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft\pxBA89.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424536011" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7849CB1-2A57-11EF-BF0E-72CCAFC2F3F6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095165d8e64fbaa41a4ae0dea289ecffe0000000002000000000010660000000100002000000022a8373eca90b5005ddaacdff7849be8f017d5f394f2367200650abb0062b8e5000000000e800000000200002000000019dcaf4db6a706fdcc3589baa3e051271c98b3dabe4525d4b8893733fa56c9a120000000250b46d90cff47270ffdc3c58359e4cb18a734e93d3e2195129a72da940e11df4000000040f76d072f0e6429753019bc1e92e31d9377b72bb714b9f53eba843d23cfd7464c0fb7b95c3a204f9491bec7515df12d4e13c9886305d4a9f275eaa24bf5d87f | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0166abb64beda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095165d8e64fbaa41a4ae0dea289ecffe0000000002000000000010660000000100002000000098f45d13be45d8a7757ceaab44823b46a6499d0f875f6a23ea7b75d9d5dad0a9000000000e80000000020000200000008558f0a36b24309763bae46e50f1e13e2dc6aa2aab1495add94f9ad66fc6c2b49000000073552b97e8a0b8a9988e39ab891e054c303a170c90e1a31beff4bcf5b0389df50b5e7a590ff8958304fbadbc122b308896aec664392556954827e1c02ae95cb55816ab7459315e6a153c19cc08bcd3c21ec804563339a717a68057c6abb6aa44a34b85b89d27d9d83fdad8a8045ca38d8a5a90d94f67e91d5cea866e6c918fb13f81aeaea7d9874eea14d866ac2929a440000000624bf5c497315a700253963080eb7ee7cacef83a6c6d7fc28f33621b41bd33767ed75ab48ac5ea5e630f385926ec278c8ba8d99b0e3dede211ec0d70d1b9296e | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2924 wrote to memory of 2056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2056 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2056 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2056 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2056 wrote to memory of 2588 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2588 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2588 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2588 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2588 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2544 wrote to memory of 2316 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2316 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2316 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2316 | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2924 wrote to memory of 2136 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2136 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2136 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2136 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275469 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 siteapp.baidu.com udp
US 8.8.8.8:53 znsv.baidu.com udp
US 8.8.8.8:53 bdimg.share.baidu.com udp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp
NL 23.62.61.106:80 www.bing.com tcp
NL 23.62.61.106:80 www.bing.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1C6B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb468efbdf67abecdb24119bd3d41807
SHA1 ff7e212a87bc89977232f9d28885247015db35a5
SHA256 0152936d6f03ef64356e99254b5ae8b4861e85b1c6efcac7de6f7b8f16c56696
SHA512 c417a73db46324d8b28c48f28677b5027f70859fc2da860eedd749d7c0aba2226c9e814884ba07ba19f6ffbfcd025a6320d9280a1d911480a8ce6c2dfa4bf6a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30bf785943d2ff94712c3de32c2de5a5
SHA1 0de00f10e8ee5a1a824ba045735664084f440813
SHA256 79a9073e93ae82144ea73f48338c01ac1383bb5963350c7dd707d0368e4a9463
SHA512 cfc724b012da465f36fddf8ea4e1f32ef052ca7e6be749dd03840e74351390de7c85c96fec57542d8fe408571c83f41f16e485af499fd19a34145f372d0a5af2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 2b1d4d03ede87322f1b2bb7ec3083bda
SHA1 fccd060a7deec7dad06d6eb8e752eae20a8e25c0
SHA256 2aed4bc1eb8f3d7438c6a418fbf05cabb65ca1086b14e01df64fbfa2d48b9f34
SHA512 af1eb2affda805a66dc1f2c8fcde3b4fb56fda46d6b9239d0de5a352e609c10c23a65efe2c4f65ad348b578c5a48ef0e8a104dbce8e6612fea0e8fb1c396ee28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89c8cab23f2c401035b40524ce8fbcc1
SHA1 a3c8a72df252ffc7f0e66f38e0c19e1aca5d1cbc
SHA256 c681556fb149934c63896749709d73e711ccb37fb674e21c51a470fff7d595bc
SHA512 d516e6b87d31b3caba3c1f2ef10a5db63ee933e21a997e7665906cade17396c97dbfef91a2e29b8c660e1ec153847aae6682d979df7b25997805c43a65d5bb13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d321d9f53e2f019b4f3bf4e1a3450d0
SHA1 0d3b1af4605259228b85818786193b283978c8fd
SHA256 3b759d58b9d360b072ceee2272f580ef09b8249481784937c8b13b0ca6bb355a
SHA512 98ed161b12800ae2f2d29d7c5ecb73610e7f9e5af5f86374d55ee87b07da1725c69a8726d232875157655c968e4548a8bfaf4cd315f29fb04d6a6390636b39c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bcd862bc8986f1356178d07bf4582f6
SHA1 b11b918d7c445f013ec09a002c52f5f1169b0458
SHA256 d1c6c2e6c9b19ac552a6dc9b86f458bf69f6e9ac78ac7932049704fcfbf268ad
SHA512 9711b71ac5763c456811023f2b3b89a8a0b07183b6ab49e3ff508654c4c12d1104acb237fed03c1c5cfcefb850118b2640f812d3934bd022ab7274b47c3e0f39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c68239d1fe13036d4c89f62d97600af
SHA1 3e81d80d89f3f0b44e66ed56570bd8651f833a76
SHA256 8d7691635646ad8ced99bde9d73364fad6c55953fc6023ce916f18daa0469c3c
SHA512 bbe30820bc74d1127915657e5632421d2dc143bb8c253821165bb3139956ea05a5992c191418015b8285154b89242f6dd97022bad44056cc1216f472d0bc6338

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f850074bc1a3e0ab9947a6f593dd55e7
SHA1 a402e9fe84c8725259304803bf26fd2ea7f04be7
SHA256 83acbc983b684021a2ae56e7642b89334f64795e5840d55d0121d86184aef796
SHA512 19a28df58ccff97380a0a8d672d5dc31f5b83190c7336accdf12705571d9a28ed6617d64cdb60d61824d7974de1e5a35f58f5657731617ce937b6cd98686fc3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee62a5b6886da17a1d888b9a5bf65865
SHA1 4e4934c0668a3a2f1c8fec054d89a698cb4ba0cb
SHA256 7dafa87c750f4878cc5c1fef2e6d857d9e13c877a1b38e7c521fb153105247b0
SHA512 06ed604e0030c85bdee171a9a406387404fb90c50821aa8ff60368f55bc2a192e941247ded6cb2583260bcbf48ca9f76b251ca096c3a085456977ce88dcfe697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0569287894294fcef6cfd74d8d376717
SHA1 81e2b4f1ff5cfd3ff2f2c05e2cb77da275abd359
SHA256 2a3b0fb4c034d06c3c27feaea55830c2e3aba583d17508863b8d67a9a14c73fd
SHA512 2594a02f1bb06124a29553619488def09ea99812183db6dd1552d075557846190a6c5cdc6b76c9c4a7459a48757a4d15065934acd897d0c613d214c8404c944c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7aa0604b8b04303f20ffdd3a8a1f4f3c
SHA1 1a289b47da367fc974c1b1749078da5f9e07cbda
SHA256 73e562cfa3f871824f303cea342db54f09862d984c5e8c6eebe89c258d624ff0
SHA512 5a88bf11836098fd7c50741af5d61ff1287d28131bdfc3cc3a885375c9abb4a396716d81404321012e14600269167268c090b11b5a62326d89525611a1aca146

memory/2588-576-0x0000000000230000-0x000000000023F000-memory.dmp

memory/2588-575-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2544-583-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2544-585-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2544-587-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4537db98950ef13031195ed807fca4d6
SHA1 a31d5200226c7cc8fcb71f9de59257ab8fc341ee
SHA256 192cf958dac1041b29905306a9a5f72ee09ba0c20e577537c5ec5108bc5883ac
SHA512 066e8a84a2243657f7fe278fe44375ca21fe82f1ad11fbe9e2f99f05746304ae43c43a3a2ef3e274033fa73177b4280547f99a5d69734ceedf2e43cfa5d0db9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5188bfc7defd2976f7b41999b34332c
SHA1 3afadfbc075deaa96344e7851aa5a40b2c217f5e
SHA256 eaa6711c56651d3cf9ad74f65319531097f004697b3ac878e9acb09a7e468e19
SHA512 15e2f70470cd269d25ecf5e4bb610d2f2ce26fe9ee7953206ae10f9bc5de6c5a2001690a00ebe4469c04f8f768f104c9f0b8fc0635862fc82cbf2b0887a13151

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09b4085c53081a82c306c06a88815425
SHA1 bef8549818fbd08328f3bb75937686d9aa757f60
SHA256 4cc049bb3a2bb38e5e5b70f596f44ea05ee418a48bd165f44f0511f714c6e14c
SHA512 81be94bb601ef8d4a69d3f8c82a9ac842659c489b19a307b2370b0a66856325ecd716285de155c1fc26f23d4a2c415b8bcee97b09fc8c2f0c3b83ed8a1879542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d74c7649070b92fa1c7f55c87f286f5d
SHA1 8258a63b3425ddd2150632c938d005829d8660ce
SHA256 591d6c05cc2ec4b9205b7d1970d79d899f43815b56357a8eae6c1e226c8f3112
SHA512 91d33ddd59f3cd0c891c87e4b4d3cfffb910fb3bf48d73101cacc31ffb35bd9d05566d2707db5236995801b37c79eb5b956b61eccca766aa54b5c353bfd6697f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19cab3b244d7b0b80b6128ca31ac0d8f
SHA1 49f91372c5b0ccfdfca423d02137ce39b8f60260
SHA256 a7eed0a4874dce304d8e54736720074d126f69e9a28fc06ecf2839e18a11a989
SHA512 52526662d63e8cecb401680d12c1a81d227785035c72fa1b3b8371bcf0a52391308d064ca195a297859e1af8889954b49f60723331e2be4e37174d89ceac3928

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 082ae9f9dd8f95e4b8253cebaf04ece1
SHA1 9272c62f523de165cb3c98af9b7456848097afc6
SHA256 dfce99f2000b0ec3ebfc33654870a36abf86b04a59c8cb900d9191bc90c03c01
SHA512 d6a0fb9672604cd87e6031e3868d71903b34408232dec3d57fdd8fb81d85727176c5c0cf95c63792c13cfef755df4839437864dfbc06c7d479691015b1deadaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7764297cea4882ac2111dcb8e6a49b7
SHA1 82e4a1de2a6f4cc5f94e61bda062610d708cf6c2
SHA256 49b585d3cf14e47d9dd2c569a0ba35f581bff7e82b2fad8a85d856f7aedaf830
SHA512 23bb4c7ef9ce8de50238420a1ae43a1ae285e25e520c970c83465b6a367f73c871f4d6b5936274f581e1d201b599cc63486970038b8c860b0fc9ffadbbf9729c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4b4d0aee81a079bca07112b5cda1395
SHA1 d7b91d4080377f734c09341fd933f404cabe6bf2
SHA256 b02d53d645bd9af1d760e5367f0931c86918b320e90f3735d5130b65a3468f4f
SHA512 4596719b16f70e1d3090dc1fbf9d570a115be96e4e013db912390659e3b82978f3d06ef81b48cf3c8e3515e6b4964db2ba871994d55740c5733618a7e8612b22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4598138aa8f0079fbd7e63f06ad1bd8f
SHA1 4e77be8bac6d09b8d6468109392da0a779855237
SHA256 67f83385a9c3ba55d8b240cb6d5e2bdf37d59e301dbf083b3afe7a7ebb085ffa
SHA512 5bf374e4fbd14b06e15cbbeb12de4bc677b33d2f5f1043e8bc0ff98d1b1c649273e259022d032f89b43c63de324b39b02a353340a5effab88f5ea44824762cda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a247151931af816f457f08b459a7bfba
SHA1 050064f5ac69386087802c374029aa4e236b3929
SHA256 f32f87a87770f04fae705ecb2fa780aae997012eda15e7fae303daf44d693fd6
SHA512 cd2f2fd239e5aef0e1ff51a147db16b7743f9f5a3181a221a67b8d4e48a8b39e998844be828d46358eff42e5dbb36f251b71f7f74bf73568958868b268fe8d45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 820656868e1f23fc6ca9de3a7c74e5ba
SHA1 8d1bf07a88503a8cb56a5c8eab90a32ae4e576c2
SHA256 dd1cdad68cf6a2151059f425edae2ca6e3b83decf0e3f9fd0a0f1a98417d8f9a
SHA512 46546a9cce3e1e49c14d0b0cea22337a8b5a117d3b4830a60706b54d15263e2b9a7aec4af70dfae834e1dd66316cb4315fc1130fcbf396871c9d7db5c5b86d18

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:09

Reported

2024-06-14 14:11

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\aa1905f984132e1d326c1fbec2e58fb1_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4988,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4992,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5032,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5436,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5444,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6004,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5652,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 siteapp.baidu.com udp
US 8.8.8.8:53 siteapp.baidu.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.17.251.4:443 bzib.nelreports.net tcp
SE 23.34.233.128:443 www.microsoft.com tcp
US 8.8.8.8:53 siteapp.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 znsv.baidu.com udp
US 8.8.8.8:53 znsv.baidu.com udp
US 8.8.8.8:53 bdimg.share.baidu.com udp
US 8.8.8.8:53 bdimg.share.baidu.com udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 128.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 39.156.68.226:80 znsv.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 182.61.201.94:80 bdimg.share.baidu.com tcp
CN 14.215.183.79:445 hm.baidu.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
CN 183.240.98.228:445 hm.baidu.com tcp
CN 111.45.11.83:445 hm.baidu.com tcp
CN 111.45.3.198:445 hm.baidu.com tcp
CN 14.215.182.140:445 hm.baidu.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 hm.baidu.com udp
NL 23.62.61.106:443 www.bing.com udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
CN 14.215.182.161:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
CN 112.34.113.148:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
CN 180.101.212.103:80 bdimg.share.baidu.com tcp
NL 23.62.61.106:443 www.bing.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
CN 182.61.201.93:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
CN 163.177.17.97:80 bdimg.share.baidu.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp
CN 39.156.68.163:80 bdimg.share.baidu.com tcp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp
CN 182.61.244.229:80 bdimg.share.baidu.com tcp

Files

N/A