Malware Analysis Report

2024-10-19 13:20

Sample ID 240616-c8ezjazgkq
Target b164ad65fbc78eea26727ccac8e94314_JaffaCakes118
SHA256 f62ca82f39c62a9c58912a7a08353ace0e1ff130dcb2c66445f495e957ef3096
Tags ramnit banker spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f62ca82f39c62a9c58912a7a08353ace0e1ff130dcb2c66445f495e957ef3096

Threat Level: Known bad

The file b164ad65fbc78eea26727ccac8e94314_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-16 02:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-16 02:44
Reported 2024-06-16 02:47
Platform win7-20240611-en
Max time kernel 145s
Max time network 122s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b164ad65fbc78eea26727ccac8e94314_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px59D3.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0708f6497bfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a039050000000002000000000010660000000100002000000066737e7582d0183bd2e565576595ffab771ca68954dada44b07aee6e7ba0cf1b000000000e80000000020000200000004242561533c92843fc6dd2ef5f8a6457ed9f023375fb2425145a180b5c35f09e20000000b03b5f4d3fc2afc1ecefa767b859b9f12a0f55142527fa2c1124afad2d332e88400000003b74fbf28d9fe6b1d6d0bc92e4f366e003022e01220bbaff3c00545b12cc8fee9d22d98d2877ea4555f1714a87943a128040b2bfb4448098ef1bff9d60ac6f10 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424667742" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000b8bdf31364eb384ac5e28ff7abebc62de3aa64ac537d220d1e13911b943a6882000000000e80000000020000200000002089d73a68ac8a1fc37ea41a1753f489bae8e529bea36b371cd7848dda0ed0f39000000060a249dc4e3f9d4b595eeb5df2305a21dc9d6f0999447eacb923b9bb2703ee004247774ed381ff24250cc407c7afd7ba0cf04399ae9d2c89652632c5a7756175fbaa50b3e56986f5cbb115be86af8180a300392554eb3d7be0baaad6aa3aaf9aa81d21669a5c11aeda78b0d09fcad655cea72a38090003f2a6e8e5c2e37822e0972969329301383f7dad4c234dc4487240000000e60fc511895238287382842df23c32d0b8ed8e44d56d3c4047f05d5b8d0fa4256860f1ae0a4642f9bfe3aff873d64727daf6816fb638578625eaf84d0f8e5c38 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D660131-2B8A-11EF-A0E1-D2ACEE0A983D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 2428 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2428 wrote to memory of 1724 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1724 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1144 wrote to memory of 2496 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 352 wrote to memory of 3064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b164ad65fbc78eea26727ccac8e94314_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:352 CREDAT:603146 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.huisousuo.com udp
US 8.8.8.8:53 v3.jiathis.com udp
CN 139.224.192.17:80 v3.jiathis.com tcp
CN 121.36.251.253:80 www.huisousuo.com tcp
CN 117.25.149.160:80 www.huisousuo.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\CabBC5.tmp

C:\Users\Admin\AppData\Local\Temp\TarC65.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

\Users\Admin\AppData\Local\Temp\svchost.exe

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-16 02:44
Reported 2024-06-16 02:47
Platform win10v2004-20240226-en
Max time kernel 132s
Max time network 145s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b164ad65fbc78eea26727ccac8e94314_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b164ad65fbc78eea26727ccac8e94314_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5012 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5312 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4820 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=1416 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5980 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4620 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 v3.jiathis.com udp
US 8.8.8.8:53 www.huisousuo.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 13.107.6.158:443 business.bing.com tcp
CN 139.224.192.17:80 v3.jiathis.com tcp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
CN 121.36.251.253:80 www.huisousuo.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
NL 96.16.53.162:443 bzib.nelreports.net tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 162.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
CN 117.25.149.160:80 www.huisousuo.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

N/A