Malware Analysis Report

2025-01-19 07:06

Sample ID: 240626-hqs2bs1eme
Target:    1119e8ce501dac1c72ebd88286f14500_JaffaCakes118
SHA256:    2862543b053023f0dcd3b75a7e61f30705d2da01826c67fef66b55cc3b68dd5b
Tags:      ramnit banker spyware stealer trojan upx worm
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 2862543b053023f0dcd3b75a7e61f30705d2da01826c67fef66b55cc3b68dd5b
Threat Level: Known bad

The file 1119e8ce501dac1c72ebd88286f14500_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: ramnit banker spyware stealer trojan upx worm

Signatures (union of the static check and both behavioral runs):

  Ramnit
  Executes dropped EXE
  Loads dropped DLL
  UPX packed file
  Unsigned PE
  Program crash
  Modifies Internet Explorer settings
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SetWindowsHookEx
  Checks processor information in registry
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory

Reading guide: the Windows 7 run (behavioral1) is the one that shows the full chain. The sample drops and runs a second executable, which enables SeDebugPrivilege and writes into two iexplore.exe processes. On Windows 10 (behavioral2) the dropped executable crashed (WerFault.exe was invoked for its PID), which is where the "Program crash" signature comes from, and no browser injection was recorded there. "Loads dropped DLL", "Suspicious use of SetWindowsHookEx" and "Suspicious behavior: EnumeratesProcesses" appear only in this summary; the report carries no detail table for them. The "Modifies Internet Explorer settings" and "FindShellTrayWindow" entries are recorded under iexplore.exe and are side effects of Internet Explorer being started, not configuration changes chosen by the sample.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 06:56

Signatures

Unsigned PE

No indicator or process detail was recorded for this static match (all columns N/A). The check means the file carries no embedded Authenticode signature. For a third-party executable that is expected of malware but also true of plenty of legitimate software, so on its own it only adds weight to the behavioural findings below.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-26 06:56
Reported:         2024-06-26 06:59
Platform:         win7-20240419-en
Max time kernel:  132s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe"

Signatures

Ramnit

Tags: trojan spyware stealer worm banker ramnit

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe

The dropped file is the original file name with an "mgr" suffix, written to the same %TEMP% directory the sample ran from. This "<name>mgr.exe" drop is the naming Ramnit droppers are known for, and it is the process that goes on to acquire SeDebugPrivilege and write into Internet Explorer (see the signatures below). Its hashes are listed under Files.

UPX packed file

Tag: upx

Five UPX matches were recorded, all without indicator or process detail (N/A in every column). UPX on its own is not malicious, but a UPX-packed, unsigned executable that drops a second unsigned executable is the usual shape of a packed dropper.
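The two static signatures (Unsigned PE in static1 and UPX packed file above) are both decidable from the PE headers alone. The following is an added example, not part of the sandbox report or its tooling: a minimal PE32 header parser using only the Python standard library that reports UPX-style section names, the common packer tell of a first section with no bytes on disk, and whether the IMAGE_DIRECTORY_ENTRY_SECURITY entry (where an embedded Authenticode signature lives) is populated. The PE images it runs on are constructed inside the script by build_pe(); they are not the sample from this report. On a real file, call parse_pe() on the bytes read from disk.

```python
"""Added example: header-only PE checks behind the "UPX packed file" and
"Unsigned PE" signatures. Standard library only; the PE images used below are
constructed in build_pe(), they are not the sample from the report."""
import struct


def parse_pe(data: bytes) -> dict:
    """Return the section table and the security data-directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # data directories (PE32 / PE32+)
    # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY. Its "VirtualAddress" is a raw
    # file offset to the WIN_CERTIFICATE blob; size 0 means no embedded signature.
    sec_off, sec_size = struct.unpack_from("<II", data, dd + 4 * 8)
    sections = []
    base = opt + opt_size                        # section headers follow the optional header
    for i in range(nsec):
        off = base + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr})
    return {"sections": sections, "security": (sec_off, sec_size)}


def packer_indicators(pe: dict) -> list:
    """Cheap packer tells: UPX section names, and a first section that occupies
    address space but has no bytes on disk (the unpacker's destination)."""
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in pe["sections"]):
        hits.append("upx-section-names")
    first = pe["sections"][0] if pe["sections"] else None
    if first and first["rsize"] == 0 and first["vsize"] > 0:
        hits.append("empty-first-section")
    return hits


def has_embedded_signature(pe: dict) -> bool:
    """True when the security directory is populated. Catalog-signed Windows
    system binaries also report False here, so only treat an empty directory
    as a finding for third-party executables."""
    return pe["security"][1] != 0


def build_pe(names, raw_sizes, virt_sizes, signed=False) -> bytes:
    """Build a minimal, non-loadable PE32 image with the given section table.
    Assumption: just enough header for parse_pe(), nothing that would run."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    nsec = len(names)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase
    headers_end = e_lfanew + 4 + 20 + 0xE0 + 40 * nsec
    body_len = sum(raw_sizes)
    if signed:  # point the security directory at an 8-byte placeholder blob
        struct.pack_into("<II", opt, 96 + 4 * 8, headers_end + body_len, 8)
    table, ptr, rva = b"", headers_end, 0x1000
    for name, rs, vs in zip(names, raw_sizes, virt_sizes):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vs, rva, rs, ptr if rs else 0, 0, 0, 0, 0, 0x60000020)
        ptr += rs
        rva += (vs + 0xFFF) & ~0xFFF
    body = b"\x90" * body_len
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body + (b"\0" * 8 if signed else b"")


# Constructed inputs: a UPX-shaped unsigned image and a plain image with a signature blob.
UPX_LIKE = build_pe(["UPX0", "UPX1", ".rsrc"], [0, 0x300, 0x80], [0x10000, 0x300, 0x80])
PLAIN_SIGNED = build_pe([".text", ".data"], [0x200, 0x80], [0x200, 0x80], signed=True)

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("plain-signed", PLAIN_SIGNED)):
        pe = parse_pe(img)
        print(label, [s["name"] for s in pe["sections"]], packer_indicators(pe),
              "signed" if has_embedded_signature(pe) else "unsigned")
```

Section names are a weak signal (a packer can rename them), which is why the empty-first-section check is included as well; a signature blob being present says nothing about whether it verifies, so a positive result still needs a real Authenticode check.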

Checks processor information in registry

Operation | Key | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe

Reading ~MHz is a common virtual-machine tell (sandbox CPUs often report odd or low clock values), but ordinary software reads the same value for timing calibration, so the read alone is weak evidence. Note that the second reader, Adobe AIR Updater.exe (PID 1228), is a process the sample created and wrote into seven times (see WriteProcessMemory below), so those reads may equally be the sample's code running inside that process.

Modifies Internet Explorer settings

Tags: adware spyware

All keys below are relative to \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ (the sandbox user's HKCU hive). "iexplore.exe" is C:\Program Files\Internet Explorer\iexplore.exe; "IEXPLORE.EXE (x86)" is C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE.

Operation | Key | Value | Process
Key created | Main\WindowsSearch | | iexplore.exe
Key created | SearchScopes | | iexplore.exe
Key created | PageSetup | | iexplore.exe
Key created | Toolbar | | iexplore.exe
Key created | Main\WindowsSearch | | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive | "0" | iexplore.exe
Key created | BrowserEmulation\LowMic | | iexplore.exe
Key created | IntelliForms | | iexplore.exe
Key created | Recovery\AdminActive | | iexplore.exe
Key created | Recovery\PendingRecovery | | iexplore.exe
Key created | LowRegistry\DOMStorage | | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | | iexplore.exe
Key created | BrowserEmulation\LowMic | | iexplore.exe
Key created | Zoom | | iexplore.exe
Key created | LowRegistry\DOMStorage | | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive | "1" | iexplore.exe
Key created | Recovery\AdminActive | | iexplore.exe
Key created | Toolbar\WebBrowser | | iexplore.exe
Key created | IETld\LowMic | | iexplore.exe
Key created | Toolbar | | iexplore.exe
Set value (int) | Recovery\AdminActive\{45144091-3389-11EF-AD38-76E827BE66E5} | "0" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive | "1" | iexplore.exe
Key created | Main | | iexplore.exe
Key created | InternetRegistry | | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive | "0" | iexplore.exe
Set value (str) | Main\FullScreen | "no" | iexplore.exe
Key created | GPU | | iexplore.exe
Key created | IntelliForms | | iexplore.exe
Set value (int) | Recovery\AdminActive\{451467A1-3389-11EF-AD38-76E827BE66E5} | "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version | "WS not running" | iexplore.exe
Key created | Recovery\PendingRecovery | | iexplore.exe
Key created | DomainSuggestion | | iexplore.exe
Key created | GPU | | iexplore.exe
Key created | Main | | IEXPLORE.EXE (x86)
Set value (data) | Main\Window_Placement | 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries | "3" | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate | "425546880" | iexplore.exe
Key created | IETld\LowMic | | iexplore.exe
Key created | Zoom | | iexplore.exe
Key created | Main | | iexplore.exe
Set value (int) | Main\CompatibilityFlags | "0" | iexplore.exe
Key created | LowRegistry | | iexplore.exe
Key created | PageSetup | | iexplore.exe
Key created | Toolbar\WebBrowser | | iexplore.exe
Key created | InternetRegistry | | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | | iexplore.exe
Set value (str) | Main\WindowsSearch\Version | "WS not running" | iexplore.exe
Key created | LowRegistry | | iexplore.exe
Set value (int) | Main\CompatibilityFlags | "0" | iexplore.exe
Key created | Main | | IEXPLORE.EXE (x86)
Set value (str) | Main\FullScreen | "no" | iexplore.exe
Set value (data) | Main\Window_Placement | 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe

Every operation is performed by Internet Explorer itself, and the keys and values (session recovery flags, window placement, zoom, "WS not running", the DomainSuggestion update timestamp) are IE's ordinary start-up bookkeeping. Most entries appear twice because mgr.exe started two iexplore.exe instances (PIDs 2600 and 2660), and the two GUIDs under Recovery\AdminActive match the RecoveryStore file names listed under Files. Despite the "adware spyware" tags, this signature reflects the fact that the browser was launched, not an attacker-chosen change to its configuration; treat it as noise.

Suspicious use of AdjustPrivilegeToken

Token | Process
SeDebugPrivilege | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe

SeDebugPrivilege lets a process open other processes, including ones it does not own, with full access. The dropped mgr.exe enabling it is the preparation for the writes into iexplore.exe recorded under WriteProcessMemory below. Outside debuggers and installers legitimate software rarely needs this privilege, so it is a strong indicator when it comes from an unsigned executable in %TEMP%.

Suspicious use of FindShellTrayWindow

Process: C:\Program Files\Internet Explorer\iexplore.exe (2 hits)

Both hits are recorded under iexplore.exe, a process mgr.exe wrote into, so they cannot be cleanly attributed either to IE's own taskbar handling or to injected code. On its own this signature carries little weight.

Suspicious use of WriteProcessMemory

Source PID | Target PID | Writes | Source process | Target process
1860 | 2864 | 4 | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe
2864 | 2600 | 4 | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
2864 | 2660 | 4 | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
2660 | 2732 | 4 | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
2600 | 2728 | 4 | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
1860 | 1228 | 7 | C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe

The report lists each write as its own row (27 rows in total); the table above keeps the per-pair counts. Two things matter here. First, lineage: the sample (1860) creates mgr.exe (2864), mgr.exe creates two iexplore.exe instances (2600 and 2660), each of which creates its own 32-bit content process, and the sample itself also starts Adobe AIR Updater.exe (1228). Second, the four-write pattern is not by itself proof of injection: the benign iexplore.exe -> IEXPLORE.EXE pairs show exactly the same four writes, because creating a child process involves writing its startup parameters into it. What distinguishes the malicious pairs is the writer. An unsigned executable from %TEMP% writing into Internet Explorer, and seven times into Adobe's updater, is process injection into a trusted host, the technique Ramnit is known for to get its code inside the browser.

Processes

PIDs are taken from the WriteProcessMemory events above; the SCODEF:<pid> argument on the two 32-bit content processes names the iexplore.exe instance that started each of them and confirms the tree. Note that mgr.exe runs with no arguments and iexplore.exe is started without a URL, consistent with the browser being used as a host process rather than to show a page.

PID 1860  C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe"
  PID 2864  C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe
            C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe
    PID 2600  C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
      PID 2728  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
    PID 2660  C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
      PID 2732  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
  PID 1228  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
            "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" -eula
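The WriteProcessMemory table and the process list above describe one tree. The following is an added example, not part of the report or of the sandbox's tooling, that parses the report's own "PID X wrote to memory of Y" rows, rebuilds parent/child relations on the assumption that the first process writing into a new PID is its creator, and flags writes from binaries in the drop directory into processes whose image lives elsewhere. The row text is reconstructed from the table above; the path constants, the "first writer is creator" heuristic and the drop-directory rule are this example's own choices.

```python
"""Added example: rebuild the behavioral1 process tree from sandbox
"PID X wrote to memory of Y" rows and flag cross-process writes into
binaries that live outside the sample's drop directory.
The rows are reconstructed from this report's WriteProcessMemory table."""
import re
from collections import Counter

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
STEM = SAMPLE_DIR + r"\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
AIR = r"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe"

# One entry per row of the report's table (description, indicator, process, target),
# repeated as many times as the report lists each write.
REPORT_ROWS = (
    [f"PID 1860 wrote to memory of 2864 N/A {STEM}.exe {STEM}mgr.exe"] * 4
    + [f"PID 2864 wrote to memory of 2600 N/A {STEM}mgr.exe {IE64}"] * 4
    + [f"PID 2864 wrote to memory of 2660 N/A {STEM}mgr.exe {IE64}"] * 4
    + [f"PID 2660 wrote to memory of 2732 N/A {IE64} {IE32}"] * 4
    + [f"PID 2600 wrote to memory of 2728 N/A {IE64} {IE32}"] * 4
    + [f"PID 1860 wrote to memory of 1228 N/A {STEM}.exe {AIR}"] * 7
)

# Paths contain spaces, so split on the ".exe " boundary rather than on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)


def parse_rows(rows):
    """-> list of (src_pid, dst_pid, src_image, dst_image); rejects unknown rows."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def lineage(events):
    """-> (images, parent): pid -> image path, pid -> creator pid.
    Heuristic (assumption): the first process seen writing into a PID created it,
    which matches the CreateProcess write pattern every pair in this report shows."""
    images, parent = {}, {}
    for src, dst, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        parent.setdefault(dst, src)
    return images, parent


def write_counts(events):
    """Number of recorded writes per (source pid, target pid) pair."""
    return Counter((s, d) for s, d, _, _ in events)


def injection_candidates(events, sample_dir=SAMPLE_DIR):
    """Writes from a binary in the drop directory into a process whose image
    lives elsewhere (a system or third-party executable)."""
    sd = sample_dir.lower()
    out = {(s, d, dst_img) for s, d, src_img, dst_img in events
           if src_img.lower().startswith(sd) and not dst_img.lower().startswith(sd)}
    return sorted(out)


def render_tree(images, parent, root):
    """Indented text rendering of the process tree below root."""
    children = {}
    for pid, ppid in parent.items():
        children.setdefault(ppid, []).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_rows(REPORT_ROWS)
    imgs, par = lineage(ev)
    counts = write_counts(ev)
    print(render_tree(imgs, par, 1860))
    for src, dst, img in injection_candidates(ev):
        print(f"drop-dir binary wrote into {dst} ({img}) from {src}, {counts[(src, dst)]} writes")
```

Run against the report's rows this prints the tree rooted at PID 1860 and three flagged pairs: 1860 -> 1228 (Adobe AIR Updater.exe) and 2864 -> 2600 / 2660 (iexplore.exe). The 1860 -> 2864 pair is not flagged because both images sit in the drop directory; that is the dropper starting its own payload, which the "Executes dropped EXE" signature already covers.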

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp (3 connections)

All of this is Internet Explorer start-up traffic from the two iexplore.exe instances mgr.exe launched. No connection in the 127 s network window is attributable to the sample's own code and no command-and-control contact was observed. Absence of C2 in a two-minute run is not evidence of absence, particularly for a family whose known C2 relies on a domain-generation algorithm, so the hashes and the drop path, not this table, are the usable indicators from this run.

Files

The only file the sample itself writes is the mgr.exe copy listed below. Everything else in this section (the RecoveryStore.*.dat files, Cab*.tmp / Tar*.tmp and the CryptnetUrlCache metadata) is produced by Internet Explorer and by crypt32's certificate-revocation cache once mgr.exe starts iexplore.exe; those hashes change from run to run and must not be used as indicators. The two GUIDs in the RecoveryStore names match the Recovery\AdminActive values under "Modifies Internet Explorer settings", which ties that signature to IE's own session bookkeeping.

Memory dumps, in the order the report lists them (memory/<pid>-<capture index>-<start>-<end>):

memory/1860-0-0x0000000000400000-0x0000000000418000-memory.dmp     sample, default image base, 0x18000 bytes
memory/2864-12-0x0000000000220000-0x0000000000221000-memory.dmp    mgr.exe, one page
memory/2864-11-0x0000000000400000-0x0000000000446000-memory.dmp    mgr.exe, default image base, 0x46000 bytes
memory/2864-14-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2864-13-0x0000000000330000-0x0000000000331000-memory.dmp    mgr.exe, one page
memory/1860-10-0x0000000000230000-0x0000000000276000-memory.dmp    sample, non-image region, 0x46000 bytes
memory/1860-9-0x0000000000230000-0x0000000000276000-memory.dmp
memory/2864-15-0x0000000000340000-0x0000000000341000-memory.dmp    mgr.exe, one page
memory/2864-16-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1860-36-0x0000000000400000-0x0000000000418000-memory.dmp

The 0x230000-0x276000 region in the sample (PID 1860) is exactly the size of the mgr.exe image mapped at 0x400000-0x446000 in PID 2864, and its first captures (indices 9 and 10) precede the child's (11 onwards). That fits the dropper unpacking the second-stage executable in its own memory before writing it to disk, and it means a dump of that region from the parent is the unpacked payload even on a host where the file write is blocked.

Dropped file:

\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe

MD5    23842802587d1c2570eec734a06cc188
SHA1   aecd57ced1f79fa0dcc93076b3254216d08b907f
SHA256 aa94699c1420a0a2c0d07a936fe2acc26cdbb410f7bc47552110504e91b4a8d8
SHA512 80ebdf18eff5b25e4ce2dccb44d5b55a9e377b5b339da3a253679d0a4eb0e6fb57595aabb979014aa4e3d59f8622d4660df763d79d8a813365eff0538c05b1c7

The same four hashes appear for the dropped file in behavioral2, so the payload is written deterministically and these hashes are reliable indicators alongside the parent's SHA256 in the header.

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{45144091-3389-11EF-AD38-76E827BE66E5}.dat

MD5 1f0a47c8e8f711cceee3b044ad6bb8ee
SHA1 490a28feb39c6b1dd58f7f1ba6a90196858a852d
SHA256 92a06ec629ec3a61857aeb1eb898a70683bc1a2b6f60dd219d475c5e11fe7218
SHA512 b23b58b948bb52296c66d629d966ca1a2d03cad617b1bf61074aec64174cd250835e5fccad070da6f8cc10870ffcb6266fd6c625ea67f39641109924cd64404b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{451467A1-3389-11EF-AD38-76E827BE66E5}.dat

MD5 28a1ddb5cae103d36fdd815027c2589d
SHA1 8fecf62c8f16c9bf28e9bd9b84ec5870163b13ce
SHA256 8b41db34e568358473aa4ca3f19415e4cb40e6b3458d0c96734c5c2223105e18
SHA512 9cd6a194b19d0ddba49bb5da08e74458cd8e0a6090ae32bbd6c0c02ecd1372393908323621676a70f1d02c06723e4bfd3bc25eef846e01cae0e9c8257e075f6d

memory/2864-2208-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D82.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/1860-2223-0x0000000000230000-0x0000000000276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1E11.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1E25.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

The entries that follow all share one CryptnetUrlCache\MetaData path. That file is the metadata record crypt32 keeps for a single cached URL (the file name is a hash of the URL) and it is rewritten on each fetch, so each entry is a successive version of the same cache record with a different hash. None of them is a sample artifact.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 603c4d7ac690db6eada43f640782fa73
SHA1 178af4aeabbbf260a5740c9937d09a6bd6c66a61
SHA256 4072a0019f9733fab14295d2e1b3552494b9cc4edbc35aa5b8711c2d9e00aa2f
SHA512 a108b4a7e29e4b398c61746500dec74f1aa614aa558eb13014c3416480b730995bc3d7e325f04160c23fa4996f9810d3a90568a3f894a3177158fc63450f01b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ce4b91d6dfd3a606fc0bb4960d5978c
SHA1 24d441080e0ea190b48908ff64b53487e7d9da35
SHA256 e854b22f56a098d54b99c86afc94ae26a355b5e7f1115e6b4ee3479984862c6f
SHA512 eef4e8530ce6080c00c6f99ad1dcb423e1c45c0c125621820fb7639389c79b298fc7879fbc1b21606c2973a7f2c8fcc734187bde2399647dc3cf2a27170fa36b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ccb4dccf270921c5191075222e4881ef
SHA1 f85f700dcba289aae05ceda1fc70c18467ba9401
SHA256 2861caba50eddcdd2b99c2cc76ada7a211a09b893ff47ae094eb62066f2ec433
SHA512 eba6d827da69a50c7a4fc40bb7804ff0609c81f075fee346bc277d80a070ba0565604c27094987986521444cd58378814365428e7b375120a68f59b8e1e792f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 974a3d98b833956282fb32e31a51fb3a
SHA1 bb1c3002531fa84584408c362c39fec248e315bf
SHA256 592344d9bff18c4078d8af40075ac95bcbbbb62d8ee5663195f162a8f9dae90c
SHA512 abc90b53cef52124f79561483afff08799246952ed41200d306a674afc2c94779cc823f5681475101212673941ac985da92142a90a2c81b0b6388cd10c021d68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d5ecff538c2df4a13c40b75acf4121c
SHA1 9bde300a1c4540f44142b2d10203ec2f0d677aad
SHA256 36c4b1a5d9531c8bdda106c32d000b30342604fdd85081eb376483d7f441d241
SHA512 f5314ee0c5de814bd029130968ff1a4c155f151717276397d84dc41a98aa43645a817e06a07d0a288bfd46d17640a03c2f0df4cf1438ca8d970280f300a927bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fa327fb53b161d2afcc49bf72ee6d68
SHA1 0310d7d0d528fb7167a7a4811fe8f0b387e5b3db
SHA256 a3fb9a823dcba903965727a30bca375e8756855a0ec5deed9bca59372dc77ebe
SHA512 29bd08714a72244d9d6d3a36859cf6b1dc90dd24f7d08f57f4a89155e56f3cb4bd997b6eb5405889039563bfd91ecdb4db2e0c7dec8ac288f137a2eccc0917b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4a8fb6238f75338a089d72d7acde3aa
SHA1 b7a083633adeb880aa7fb6eec791a22ea9b39a4a
SHA256 315c12948a2e3c8575fa71d017328367971b751c22fd151a16aebb139ae8d6f6
SHA512 c21f960cf021419d766474dea9ca1afb053519413cbd91e689b47c1c2aff64f92dfe542dc46ee10325a98c86c5654d65a15e3cbea9ecd43e70161363fb58874f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a003761fcb66a775921a68bba3dfb458
SHA1 0b7bc7407ba7780fdfaba09b3e84d8ace0ee1e9c
SHA256 dff2c636e1876be4a2062f83d1122aa7b6f3c16758cde5bf43a4d77d59b8088e
SHA512 c48b4df2d443f7bf39a164ab9c8e10fc72079d88f1cd930ae9446436ab440c6080922e876288800ec913f50ed062a3a54d6286c3bea2e24df5c08db8a65e5671

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a44c5553fc9d175555829cf6900ecea9
SHA1 588ffae5dc52ea10838f31cb2fcfe1c115edc32b
SHA256 9964c5d514730c171406c31059d590bdb8bc29ea4c26e6e6cc3b8063c0c9c016
SHA512 d64f3050b24025d57b7e2a6a24ea52efa68df28760add613e7431d534061fa92009c55718a24dcad3fe3122b4e9cd332089754e7ae31a1db2a100d70ffac171d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe06a827095ea87e2da904be7344531f
SHA1 7ca61e162e20021b0652f07bec94de13a6459416
SHA256 7dac0d4c376aa99d5e2d83f075ae5531150a000ef78d6da063ab1a734997297c
SHA512 e27e924374f594474cca3c18c20b028be89e946c346e50707b10a683a4b472c9a1944fbb5c9ff93e0a81a60f187c2a5c15bdb138555757f38c6ec6c21a2d0ab3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0834959b5c818e77eeeb4273ebe9726c
SHA1 bb5179ce6865c084b3f6406a30a41086b3280cd3
SHA256 c8a4c4b303de2ecd9b05468aca828d99592e5a76b7665daef3b47aa71b489278
SHA512 a2e56ec5bb4dd0b48e45bfd4ddbd345af5d42aeec8b9e1c77bb9ecbd9e879800e9b26bda283cffb78da04b7c14bca31e27fc7c856b906f6d4c3336b1eca34bcc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b3986a763a5d66b84626c4560614408
SHA1 3547ab8dfba4c32f72151253de252e5b6698c4e5
SHA256 8ca2107cb661ca47914cfc713eca67cfe1ee26be5584a92e52f2f608986adaac
SHA512 2bea695dac3290c21119c591fa79f46676d227855b5cebb8ca2a0f1beaee0701c28495664bf4d9aa2526248c2c4fa65a47847a434f44f8480fc1f09c1dffd778

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c012204cfe2ca8f4499dee39b9ccc70f
SHA1 3f17dbb9d0f5c532472c6ebf098533515070c682
SHA256 dae634ba024b708e8b1cb679883ea18155aca6048e91a8b2207b26bdaa7bb2ad
SHA512 d63675e27d39f78883824aa34a58019fbcca99c0f10f4072401c70cc1e53d6ede08aa46400778ce8064092e88ed0d1399d848cf78a1c1018cf93a462fded1720

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a52eef7196fdb7b55f211cb56577c303
SHA1 53922e0e082d09465217fe1c4606523587fa046a
SHA256 5e8cc52e8785895cba1c29d87471e34a57d35768faece413b8a1da4a00da0c6b
SHA512 b8fc00cc211247256731db8c272ab6b60e110b6b966b3d362cce148e8be14152c9e480d2c26177ed05dc0eebe5b0ee93e782af652ef50a6bafe4386daed74b35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de431aca913e804a68e77e0f62e3a36b
SHA1 03ab95239641bc56233b854a393aa0017a35767a
SHA256 e3f9d2139b9fa40c3c419fc3292ba6080226b41db69d32a48c8168df0b86a47a
SHA512 8dc45a872d8342ecada01fb3f3669d9065a1d841c8bf98499c4e7424d0fecea7d25e6689b0ba54f8d0bd348f735f106b3777b21e306bfd833da9245f278cb15e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 592aca85520e145bbf1b9aed7d1adc7b
SHA1 a6ae121e658ee36daf34d41c65538cd01c2054d0
SHA256 6ce0a03384ea18e4ea574ea9416604e92db37788f6633fb32c59428815461571
SHA512 d1cead30db8eb6c2e5daeb76a7364d320e3206e6c31d891de91c46da4ebf09cc7d7efe966afe5ed795ddd5c49f436d2f6753abf3139dfd9c63dd24cc98ba85ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7b0267cb5bea7d865915c644051684a
SHA1 48e8418d4f58ff16256c7fdd68102d733ad9ee26
SHA256 5dafc85cd0ebf14178a071beacb3337f4b8bb0b174af46f0b925d988bfd17375
SHA512 b7df6fd2c5d533e39a9563fa5b963fa88534cb38faecd36c82eebf5b63249fea0bb0f2c566e1d85e5f7c69b10fdae3dd9217d28191d4791bd5a0a8ef351643dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b68e125c391d119043658ea287659fdd
SHA1 c0afafc76be9c96b9a35501575df2a866d3413b1
SHA256 aa10cee05902107dedb2647bb855699a0c034554099479a566ad2e989118db9a
SHA512 13e927634e291e4f27702b48a8c5276fdbb7d6a935777c469e1f59d0f307be756643dbc16e11f2f596a827781b411b18b06cdcbbb48205ed33d38e6ac5c6158b

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-26 06:56
Reported:         2024-06-26 06:59
Platform:         win10v2004-20240611-en
Max time kernel:  150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe"

Signatures

No signature detail was recorded for this run.

Processes

PID 732   C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118.exe"
PID 4268  C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe
          C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe
          C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4268 -ip 4268
          C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 268

The PIDs are inferred from the memory-dump names under Files: 732 holds the 0x18000-byte image that matched the sample in behavioral1, and 4268 holds the 0x46000-byte mgr.exe image. Both WerFault.exe invocations name -p 4268, so the dropped mgr.exe crashed on Windows 10 (the "Program crash" signature in the overview) before it reached the Internet Explorer injection seen on Windows 7. A payload failing on a newer OS build is unremarkable, but it means this run cannot be used to judge the payload's capability, only to confirm that the same dropper writes the same file.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
BE | 88.221.83.226:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | (no domain recorded) | udp

Everything here is Windows 10 background traffic (Bing and Start-menu tile fetches to g.bing.com, www.bing.com and tse1.mm.bing.net) plus reverse-DNS (in-addr.arpa) lookups of the addresses seen, which are sandbox-side, not the sample's. The dropped payload crashed before doing anything network-related, and none of these destinations should be treated as indicators.

Files

memory/732-1-0x0000000000400000-0x0000000000418000-memory.dmp      sample, default image base, 0x18000 bytes (same range as PID 1860 in behavioral1)

C:\Users\Admin\AppData\Local\Temp\1119e8ce501dac1c72ebd88286f14500_JaffaCakes118mgr.exe

MD5    23842802587d1c2570eec734a06cc188
SHA1   aecd57ced1f79fa0dcc93076b3254216d08b907f
SHA256 aa94699c1420a0a2c0d07a936fe2acc26cdbb410f7bc47552110504e91b4a8d8
SHA512 80ebdf18eff5b25e4ce2dccb44d5b55a9e377b5b339da3a253679d0a4eb0e6fb57595aabb979014aa4e3d59f8622d4660df763d79d8a813365eff0538c05b1c7

Identical, hash for hash, to the dropped file in behavioral1: the dropper writes a fixed payload regardless of host OS.

memory/4268-4-0x0000000000400000-0x0000000000446000-memory.dmp     mgr.exe, default image base, 0x46000 bytes
memory/4268-6-0x0000000000590000-0x0000000000591000-memory.dmp     mgr.exe, one page
memory/4268-7-0x0000000000400000-0x0000000000446000-memory.dmp
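The memory-dump names in both Files sections encode PID, capture index and address range, which is enough to notice that the 0x46000-byte region in the parent matches the child's image without opening a single dump. The following is an added example, not part of the report, that parses those names, groups the regions by process and lists every region size that occurs in more than one process. The dump names are copied from this report's two Files sections; the 0x10000 minimum size is this example's own threshold to keep single-page captures out of the result.

```python
"""Added example: correlate sandbox memory-dump regions across processes.
The dump names below are copied from this report's two Files sections."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

BEHAVIORAL1 = [
    "memory/1860-0-0x0000000000400000-0x0000000000418000-memory.dmp",
    "memory/2864-12-0x0000000000220000-0x0000000000221000-memory.dmp",
    "memory/2864-11-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/2864-14-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/2864-13-0x0000000000330000-0x0000000000331000-memory.dmp",
    "memory/1860-10-0x0000000000230000-0x0000000000276000-memory.dmp",
    "memory/1860-9-0x0000000000230000-0x0000000000276000-memory.dmp",
    "memory/2864-15-0x0000000000340000-0x0000000000341000-memory.dmp",
    "memory/2864-16-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/1860-36-0x0000000000400000-0x0000000000418000-memory.dmp",
    "memory/2864-2208-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/1860-2223-0x0000000000230000-0x0000000000276000-memory.dmp",
]
BEHAVIORAL2 = [
    "memory/732-1-0x0000000000400000-0x0000000000418000-memory.dmp",
    "memory/4268-4-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/4268-6-0x0000000000590000-0x0000000000591000-memory.dmp",
    "memory/4268-7-0x0000000000400000-0x0000000000446000-memory.dmp",
]


def parse_dump_name(name):
    """-> (pid, capture_index, start, end); raises on anything else."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def regions_by_pid(names):
    """{pid: {(start, end): [capture indices]}}, one entry per distinct region."""
    out = defaultdict(lambda: defaultdict(list))
    for n in names:
        pid, idx, start, end = parse_dump_name(n)
        out[pid][(start, end)].append(idx)
    return out


def shared_sizes(regions, min_size=0x10000):
    """Region sizes (>= min_size) seen in at least two different PIDs, mapped to
    the sorted (pid, start, end) triples that have them. A non-image region in
    one process matching the image size of another is the unpack-then-drop tell."""
    by_size = defaultdict(set)
    for pid, regs in regions.items():
        for start, end in regs:
            if end - start >= min_size:
                by_size[end - start].add((pid, start, end))
    return {size: sorted(v) for size, v in by_size.items()
            if len({pid for pid, _, _ in v}) >= 2}


def summarize(names, min_size=0x10000):
    """One text line per shared size, smallest first."""
    lines = []
    for size, where in sorted(shared_sizes(regions_by_pid(names), min_size).items()):
        spots = ", ".join(f"pid {p} @ {s:#x}-{e:#x}" for p, s, e in where)
        lines.append(f"{size:#x} bytes: {spots}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(BEHAVIORAL1 + BEHAVIORAL2)))
```

On this report's names the result has two lines: 0x18000 bytes in PIDs 732 and 1860 (the sample's own image in each run) and 0x46000 bytes in PID 1860 at 0x230000, PID 2864 at 0x400000 and PID 4268 at 0x400000, i.e. the unpacked payload in the parent and the mapped mgr.exe image in both children.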