Malware Analysis Report

2024-10-19 13:20

Sample ID 240616-fjrtksvank
Target b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118
SHA256 85119b993bc8dd097e44f25e937f4cfef931d8ccc7b74e27db960ac61670fa06
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 04:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 04:54

Reported

2024-06-16 04:57

Platform

win7-20240220-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1861.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03eba58a9bfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{838AB971-2B9C-11EF-BB01-66D147C423DC} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000181f1089e9cf8144a9a275dbb3cc585f00000000020000000000106600000001000020000000f561fa37baf820c2e7d8638d51f3a632a35c310cd1473af4ccc774c3dc87cf73000000000e80000000020000200000003016abec0b7d0f8c38f95ed17e6a9e4e9de2e227efded7c732fc3ee9078d6c2220000000d3b0b4ba6ac28ee134314d0ab8ca96efc06f2c43969fce9b8cfcbb043d3a6bc3400000001c749a60962fea62d97c6162758fd80f51ccdc07311eb617933763d8d7a4b9dec3c204732be09b67f04adb469ee1c14ffd2be1491c2f1e7e9c68daf7342a5c21 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424675537" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2212 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2212 wrote to memory of 2576 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2212 wrote to memory of 2576 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2212 wrote to memory of 2576 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2212 wrote to memory of 2576 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2576 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2576 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2576 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2576 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2720 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 2264 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1732 wrote to memory of 2668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:209933 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.me.com udp
US 17.164.2.10:80 www.me.com tcp
US 17.164.2.10:80 www.me.com tcp
US 8.8.8.8:53 www.icloud.com udp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
GB 23.208.240.96:443 www.icloud.com tcp
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2576-9-0x00000000002B0000-0x00000000002BF000-memory.dmp

memory/2576-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2720-15-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2720-17-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2720-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2720-20-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2D99.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2E7A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 04:54

Reported

2024-06-16 04:57

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b1cf832928bba1e48a9ff55b49669c1b_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3724 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3372 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5432 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.me.com udp
US 8.8.8.8:53 www.me.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 17.164.2.10:80 www.me.com tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
SE 184.31.15.40:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.icloud.com udp
US 8.8.8.8:53 www.icloud.com udp
GB 23.208.240.96:443 www.icloud.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 40.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 10.2.164.17.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 96.240.208.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp

Files

N/A