Analysis

  • max time kernel: 133s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 29/03/2024, 15:59

General

  • Target: 26408b773465d9620c1e7ead72797da3_JaffaCakes118.html
  • Size: 187KB
  • MD5: 26408b773465d9620c1e7ead72797da3
  • SHA1: 3d6d77797bc486b2e556d217cc66760cc9241a5b
  • SHA256: d0c261049e7acd76fd882f79da864965a000a66dd4dc7b25c524ac25cc6700ed
  • SHA512: 2b131be3b783da9c105ae88a4bc94b0873bb5bfdd98733308ed44f3e305661943a07246c1032c9f7fdb77c722f9fb39fb03e88ba106dab47c9f17ae7e8bfba33
  • SSDEEP: 3072:Hm2FE0VZGEeyfkMY+BES09JXAnyrZalI+Y6XXI6EyA8:G2sMYod+X3oI+YS1tA8

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (3 IoCs)

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory (3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (23 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    PID:388
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      PID:480
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        PID:600
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          PID:1816
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        PID:680
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        PID:764
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        PID:816
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          PID:1160
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        PID:852
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        PID:968
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        PID:276
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        PID:340
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        PID:1072
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        PID:1108
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        PID:2832
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        PID:3000
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      PID:496
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      PID:504
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    PID:400
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    PID:436
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1192
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\26408b773465d9620c1e7ead72797da3_JaffaCakes118.html
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2
        Signatures: Loads dropped DLL; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          PID:1236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1236-8-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/1236-12-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
  • memory/1236-10-0x0000000077EA0000-0x0000000077EA1000-memory.dmp (Filesize: 4KB)