Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2024, 02:34

General

  • Target
    164b8dd103a4ceabed1b90a5c2978af4_JaffaCakes118.html
  • Size
    455KB
  • MD5
    164b8dd103a4ceabed1b90a5c2978af4
  • SHA1
    a79760613f7fbc791d17a04de9f8153e233ba83d
  • SHA256
    c4c7fb7c7febf27275f9fa8b62a40b307dbf8eb98dacb90af2e9a76660b4fff3
  • SHA512
    f92f3dadabac292420fe698150d10059a88b71fbd77a3f9f5b37ff4299ffc04878285a13dc9ba3dba01a989f8fba7adec6e0a74912fadc566baa12e04a28244b
  • SSDEEP
    6144:B0sMYod+X3oI+Y5sMYod+X3oI+Y6sMYod+X3oI+YzsMYod+X3oI+YW:BC5d+X3r5d+X3q5d+X315d+X3c

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 9 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\164b8dd103a4ceabed1b90a5c2978af4_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2216
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:324
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1048
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:336
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2736
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:209932 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2340
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:209940 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2644
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:734213 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads


  • memory/336-33-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize 4KB
  • memory/336-32-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB
  • memory/2248-16-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize 4KB
  • memory/2248-18-0x0000000000230000-0x000000000023F000-memory.dmp
    Filesize 60KB
  • memory/2248-17-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB
  • memory/2412-7-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB
  • memory/2412-9-0x00000000001C0000-0x00000000001CF000-memory.dmp
    Filesize 60KB
  • memory/3052-22-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB
  • memory/3052-23-0x00000000003C0000-0x00000000003C1000-memory.dmp
    Filesize 4KB
  • memory/3052-25-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB