Malware Analysis Report

2024-09-09 16:42

Sample ID 240614-yn56waxdpk
Target ab3439efd45b417664801d0c5bca50d0_JaffaCakes118
SHA256 ca67bb1bd21c66da011f3f3df9a6497ff82e7ef8292375eb962d2ec7c7e39732
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Analysis Overview

score
10/10

SHA256

ca67bb1bd21c66da011f3f3df9a6497ff82e7ef8292375eb962d2ec7c7e39732

Threat Level: Known bad

The file ab3439efd45b417664801d0c5bca50d0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:56

Reported

2024-06-14 19:59

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ab3439efd45b417664801d0c5bca50d0_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ab3439efd45b417664801d0c5bca50d0_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4068 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=760 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5364 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5764 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5524 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5252 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:56

Reported

2024-06-14 19:59

Platform

win7-20240611-en

Max time kernel

139s

Max time network

125s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ab3439efd45b417664801d0c5bca50d0_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px889.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000bae873a90a24ae5c545320e57a3e0cff402ffb4e2cc5917b94866dcea584eede000000000e80000000020000200000009dfb59889e7abaee65ec76021cded926e6b61a009ade3aaf96b3511f420e852c20000000e28c86ffcf03acbc3a1aacd845c8c87caa0156b89697260fbb26b8e1fb765a12400000001e11377757f1488e574d9dc9efc92712d1a3e403899e42fcb71ae6afb8573f81a074c2fc10f851863f88e1946b4aefde8ff4a3305b4692b1fada2fb4c6b9f2aa C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424556888" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402ecd5795beda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{429FF9D1-2A88-11EF-968C-FEBBC6272832} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 2904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 1920 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1920 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1452 wrote to memory of 2008 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 3048 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ab3439efd45b417664801d0c5bca50d0_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406544 /prefetch:2

Network

Files
