Analysis

  • max time kernel
    135s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29/03/2024, 18:22

General

  • Target

    2967cd6153fe527a8df5eec4e879dd6c_JaffaCakes118.html

  • Size

    574KB

  • MD5

    2967cd6153fe527a8df5eec4e879dd6c

  • SHA1

    cdae31662b54449464d2382d0e1cff8ed6c55cee

  • SHA256

    d7423e7e6c18b04b5c55cb0a5302b854e41b5d874bd46cdc605d255885c50b6c

  • SHA512

    3454fea0d60a53be0eab87871f8bce4b771d787097aa0789519fbd6b6b01e0225be180bc3f7a695355d6a69fc0d6dac0ca531f838e6cd9521b894076cb198910

  • SSDEEP

    6144:SgHsMYod+X3oI+Y2sMYod+X3oI+YDsMYod+X3oI+YZsMYod+X3oI+YEsMYod+X3+:Vr5d+X3a5d+X3d5d+X3D5d+X3Y5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file infectors (viruses), worms, and Trojans.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Drops file in Program Files directory 11 IoCs
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2967cd6153fe527a8df5eec4e879dd6c_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2724
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2616
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2500
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2184
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2608
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:668678 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:930819 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1272
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:1324035 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2420
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:799749 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:1455107 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                    Filesize

                    68KB

                    MD5

                    29f65ba8e88c063813cc50a4ea544e93

                    SHA1

                    05a7040d5c127e68c25d81cc51271ffb8bef3568

                    SHA256

                    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                    SHA512

                    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    9881175819de9ef16df12b32b82f10df

                    SHA1

                    e188fcac1951626529f8484119e4ff7318ea99a9

                    SHA256

                    bcaa0ec9e1cfd246b22246b667fcdfa4af0c4103ead8f650680da1aacb318ef0

                    SHA512

                    7a9844c237414bcaf90877b2063778712a29fe127a989ec0193ead6fe05f371c0c5727417780a27eec90a025386c90f78a0e67f548e182c929b71e20f0a6b44a

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    253e13629c7b1bcfb679eac17ef4ffd9

                    SHA1

                    352cbf7191ea257a5657959ffa920fa9b82f0ed7

                    SHA256

                    b8946e59cdea64fad7e72c80ebf12d5e2df6284db045dfa6f7f6c8a158b1d1b8

                    SHA512

                    efbe5366e790c73a96f8682d9898de22ee189bab0ae3e946c21115548b1c081aa9718b029531b752eaa9cdfc0638bd3d46871cc277bd5644fc4b818087d63568

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    88d42af9e9b7e9d82c34f71cd0b8caef

                    SHA1

                    9c5fdd5a016dced696e6995887caabbdf94ec1ba

                    SHA256

                    607783be2fca49c8c47e38bf5e20cd165894b592181680881f9f89a6aabad36c

                    SHA512

                    f83633a04e4d630ebe41cb86c18aea65c470a010c1a8ec2a0d3b9af4abda57a7ab6b0ac2339ec2e1d8c8b86d6a85471087dac7555155d4625760bba9988a34c5

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    e0fc1e71b5a53d8d7df0977380b08db0

                    SHA1

                    5a10379efda2320458d50f8b08ba6f624e231f46

                    SHA256

                    5672062d49e2b6cb0b7509f476feef5b1e7f79a5c0d431b810a4980472c6dea5

                    SHA512

                    6fd499f96e55cb4581422d9d435a20f0694b0a44077ed31dc38f819074dbd63e0f808d2122e59b34bf62355274c6cb6f1e879f6d1f45b53d0307b0f5432d5eab

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    bf39771ecf8b09139b467e5588f1260a

                    SHA1

                    ed37e89893fadd07f5fead5fcb8be8d906ffb4bb

                    SHA256

                    fe03260be36b60724d2ab20707573b9b45ec4467de876d466eb402559f5be048

                    SHA512

                    9026567e310f7c51ef93576e6f16a07c6bdcdc1e6a89ad71b06508fdd1822895946ca30ecd0c921b330971735fc34f9ee8da60d39a48e248f96f819e54da1631

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    e790ab4b2344b9ee27af408aa95846df

                    SHA1

                    473f6ebeb65caad820ced4dd1ee32bb0142976b7

                    SHA256

                    230575102e5df07b160a379ccd68732cbc6f58740c1ae4f1adebd2532277827a

                    SHA512

                    a8c8f0f07c8201cbf2065c3b0ed6be67a39ba68691543e6b2b3861b4deeaa54420882534bd3dc630cb445c039aec75b2e006a85a95e741ffb581d67c949ee2ca

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    d94895ef4d836907a6b429da22a27588

                    SHA1

                    2a294327e7376614fd5753b7f7a99dc9ef9b755a

                    SHA256

                    dfbe2f87e9463f1f357ae766fc6e265d19d7ab6cd7d0b3d79610faa89b71426a

                    SHA512

                    13c70175cbc07f315e2dc8699c9b36f4abe59f73e7c7110a9ac498215e4c501eda607a9cd6226a2450a9457f79c1d586f0c92853817427e710624af4b137aa19

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    5204cf05a078011c061efda791551a49

                    SHA1

                    03df6ee898b4530f8602c11ccb62aaa337352cb0

                    SHA256

                    7a8a276102e5fbf2f3e13e0e219882da67f5a6251539a4ce680fadab7f25a892

                    SHA512

                    b4d222d3e509da057e6d3c384323fcb3aa4e3a0b9d66fd05b3b60f519d87ef6de1194f0dd099e17d2c796c83d8965108c90f676d81ceedc59a0d1133d0834db1

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    64cac734ce489aa543a2e0fdb2c97931

                    SHA1

                    b6a45f369f8f4465e8b9b2eb5f3aa40966f4c3ab

                    SHA256

                    a8b196a34b4db7318d597daf7f806b8698b33b569e0ac4ab6299a610c5a81d17

                    SHA512

                    4aeb36e3bf69dca692259b424015b102d38cd1927c7a6e20867b9cbeb6ef45095998b7e352860014e4a4e5f7d1dd5c04f951ff83cc976ac9552798929d2d816a

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                    Filesize

                    344B

                    MD5

                    c670c4f251360bddce08ebc58e82662d

                    SHA1

                    8aeece7f36a689301a830590a01891f87b955875

                    SHA256

                    07cf90f654cc40c9ff8a0f73910934a00f76103879a409b9d02a37b8a61ba3ee

                    SHA512

                    1dbc1b0e6fdfe7343ec84a9cd120acff39466ecd6844328559e840df4cfa9b710c1791f1269f50ead5380f1aa38a7dbeeee1131250e1a97f239ba9c1998fa7e6

                  • C:\Users\Admin\AppData\Local\Temp\Cab2D77.tmp

                    Filesize

                    65KB

                    MD5

                    ac05d27423a85adc1622c714f2cb6184

                    SHA1

                    b0fe2b1abddb97837ea0195be70ab2ff14d43198

                    SHA256

                    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                    SHA512

                    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                  • C:\Users\Admin\AppData\Local\Temp\Tar2E7A.tmp

                    Filesize

                    177KB

                    MD5

                    435a9ac180383f9fa094131b173a2f7b

                    SHA1

                    76944ea657a9db94f9a4bef38f88c46ed4166983

                    SHA256

                    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                    SHA512

                    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

                  • \Users\Admin\AppData\Local\Temp\svchost.exe

                    Filesize

                    55KB

                    MD5

                    ff5e1f27193ce51eec318714ef038bef

                    SHA1

                    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

                    SHA256

                    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

                    SHA512

                    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

                  • memory/2188-28-0x0000000000240000-0x0000000000241000-memory.dmp

                    Filesize

                    4KB

                  • memory/2188-29-0x0000000000230000-0x000000000023F000-memory.dmp

                    Filesize

                    60KB

                  • memory/2188-30-0x000000007745F000-0x0000000077460000-memory.dmp

                    Filesize

                    4KB

                  • memory/2480-37-0x00000000003C0000-0x00000000003C1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2480-35-0x0000000000400000-0x000000000042E000-memory.dmp

                    Filesize

                    184KB

                  • memory/2480-36-0x00000000003B0000-0x00000000003BF000-memory.dmp

                    Filesize

                    60KB

                  • memory/2568-15-0x0000000000250000-0x0000000000251000-memory.dmp

                    Filesize

                    4KB

                  • memory/2568-20-0x0000000000400000-0x000000000042E000-memory.dmp

                    Filesize

                    184KB

                  • memory/2660-23-0x0000000000400000-0x000000000042E000-memory.dmp

                    Filesize

                    184KB

                  • memory/2660-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2660-22-0x0000000000400000-0x000000000042E000-memory.dmp

                    Filesize

                    184KB

                  • memory/2676-513-0x0000000000240000-0x000000000024F000-memory.dmp

                    Filesize

                    60KB

                  • memory/2676-16-0x0000000000240000-0x000000000024F000-memory.dmp

                    Filesize

                    60KB

                  • memory/2676-7-0x0000000000400000-0x000000000042E000-memory.dmp

                    Filesize

                    184KB
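The memory dump names above encode the process, a capture sequence number and the dumped address range, and the report lists each region's size alongside. The following is an added example, not part of the report: a parser for that naming pattern that cross-checks every listed size against its address range, groups the regions per PID, picks out the regions starting at the default 32-bit ImageBase 0x400000, and compares that mapped size with the 55KB on-disk size of the dropped svchost.exe listed above. The dump names and sizes are copied from the report; the interpretation of 0x400000 as the image base and the growth ratio are the example's own.

```python
"""Parser for the memory-region dump names in the report's Downloads list
(added example, not part of the report). Each dump is named
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; the names and sizes below are
copied from the report, the interpretation is added here.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Default ImageBase the MSVC linker gives a 32-bit EXE; a dump starting here is
# almost always the main executable image of a non-relocated process.
DEFAULT_IMAGE_BASE_32 = 0x00400000
# On-disk size of the dropped svchost.exe as listed in the report (55KB).
DROPPED_EXE_DISK_SIZE = 55 * 1024

# (dump name, size as listed) copied from the report's Downloads section.
LISTED: List[Tuple[str, str]] = [
    ("memory/2188-28-0x0000000000240000-0x0000000000241000-memory.dmp", "4KB"),
    ("memory/2188-29-0x0000000000230000-0x000000000023F000-memory.dmp", "60KB"),
    ("memory/2188-30-0x000000007745F000-0x0000000077460000-memory.dmp", "4KB"),
    ("memory/2480-37-0x00000000003C0000-0x00000000003C1000-memory.dmp", "4KB"),
    ("memory/2480-35-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2480-36-0x00000000003B0000-0x00000000003BF000-memory.dmp", "60KB"),
    ("memory/2568-15-0x0000000000250000-0x0000000000251000-memory.dmp", "4KB"),
    ("memory/2568-20-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2660-23-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2660-19-0x00000000001D0000-0x00000000001D1000-memory.dmp", "4KB"),
    ("memory/2660-22-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2676-513-0x0000000000240000-0x000000000024F000-memory.dmp", "60KB"),
    ("memory/2676-16-0x0000000000240000-0x000000000024F000-memory.dmp", "60KB"),
    ("memory/2676-7-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
]


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def fmt_kb(size: int) -> str:
    """Render a byte count the way the report does (whole KB)."""
    return f"{size // 1024}KB"


def verify_listed_sizes(listed) -> List[str]:
    """Names whose listed size disagrees with the size implied by the address range."""
    return [name for name, shown in listed if fmt_kb(parse_dump_name(name).size) != shown]


def regions_by_pid(listed) -> Dict[int, List[Region]]:
    """Regions grouped per process, in capture order (sequence number)."""
    out: Dict[int, List[Region]] = defaultdict(list)
    for name, _ in listed:
        r = parse_dump_name(name)
        out[r.pid].append(r)
    return {pid: sorted(rs, key=lambda r: r.seq) for pid, rs in out.items()}


def image_regions(listed) -> List[Region]:
    """Dumps that start at the default 32-bit ImageBase: candidate PE images."""
    return [r for r in (parse_dump_name(n) for n, _ in listed)
            if r.start == DEFAULT_IMAGE_BASE_32]


def in_memory_growth(region: Region, disk_size: int) -> float:
    """Mapped image size over on-disk file size. A ratio well above 1 is
    consistent with (not proof of) a packed executable: UPX shrinks the file
    but keeps roughly the original SizeOfImage, so the image occupies far more
    memory than disk once unpacked."""
    return region.size / disk_size


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(LISTED).items()):
        print(pid, [(hex(r.start), fmt_kb(r.size)) for r in regs])
    img = image_regions(LISTED)[0]
    print(f"image at {img.start:#x}: {fmt_kb(img.size)} mapped vs "
          f"{fmt_kb(DROPPED_EXE_DISK_SIZE)} on disk, x{in_memory_growth(img, DROPPED_EXE_DISK_SIZE):.1f}")
```

All fourteen listed sizes agree with their address ranges. The 0x400000 regions appear only for the svchost.exe and DesktopLayer.exe PIDs (2676, 2660, 2480, 2568), never for the iexplore.exe children they spawn, so a review of the injected browser processes would need the engine's other artifacts rather than these dumps. The 184KB-mapped versus 55KB-on-disk ratio is a supporting observation for the "UPX packed file" signature, not a replacement for checking the section table.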