Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
07/05/2024, 20:04
General
-
Target
2185e715fbc49ab3cb2e44cf4abbda36_JaffaCakes118.html
-
Size
530KB
-
MD5
2185e715fbc49ab3cb2e44cf4abbda36
-
SHA1
9a5a1cfecfe755a82bc30654f0b301c03d971d90
-
SHA256
9a883b3998701ffe89ce58d06a3e4a0dc4cdb146546fc5ec64dcc3020d308ab0
-
SHA512
4aa492b0e2860e007642983bb2f503f750b788bc1e8177c2ab9eeb3ca5fa79fcb81c4455ecca3f837a6da71539b8621a08f87b57aa7319e0896a2ce63f09bca0
-
SSDEEP
6144:S5sMYod+X3oI+Y7meFekr7sMYod+X3oI+Y7meFeklsMYod+X3oI+Y7meFekw:g5d+X30ef5d+X30el5d+X30eE
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 7 IoCs
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2185e715fbc49ab3cb2e44cf4abbda36_JaffaCakes118.html2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:340994 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275467 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:406543 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:209933 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
344B
MD5e05c715616d1f017b052dc4f4a118045
SHA14c50a50ada843cfe84a485f42d243c0cafe8e720
SHA256ca357667d04093ce8e7ef8d15ea96a5945be371c78b176569e094d1234dffc16
SHA5129998236fa331a0cc12e49820c4493415f2904fd50265b7be65db10227311987f1da87d8ea24672dd1f85f3e912d4f510ad93bea4d1553542757299170ffbe87d
-
Filesize
344B
MD53debd0a1b1adb1df4f5f5b58ea895479
SHA1f94c645127a84a7a5129513c198ee3fd450d384f
SHA256ceca3ad85aff8e2cdf0436b6e50fb847bd8c175f1bb82462c1882ade39f8fed2
SHA512a8b061b719c09b762ecb5b4febcabfe9db9c2cd8850307f9f3cdeae35102696603c8ebe13b012807fae65bcef8babbd3f6a9d20208e06b6c70dfda905228bf5f
-
Filesize
344B
MD590df23e103a5ea99f6d79bdf078df3b5
SHA1cb812dec4838c524852779bd5496bb7cdb300a66
SHA25693a63e7cb6a87cfd14ec8271919171e1c735646283644db6fba8b017c192198c
SHA512ad6c601907bbdee796d54a91b9dff9ddb6a54db9c2e8338127b5584a9f64d4636ac836f3e547e2a63ffb666cc0457fa5b9e96d64d8bb1a2028bc0eaf5e0a18bd
-
Filesize
344B
MD551bd7f832a899111accf9d5de784be4b
SHA1131b5a022bdc21c796e102020ab8910635cd0df5
SHA2562e8cfd62da6c4fe9675f3e4bf9b6eaf9290b825af3e8abb805b86e8c6317f687
SHA5123e01ad57466267710f194027cdd050bc17929edf5008990bda7234fda973dad5eb225efa7acc2e5fd0e9b5031014f6f769e9d4ea3a95064666a2bbef1c10137a
-
Filesize
344B
MD5898913888cb076552c42d08b3804320d
SHA11bceabb2d7a4101166858079cda85edf29191023
SHA256d19470e4915b5ba841c75924bd24cd614de5e94b2ef943051b184508778916b9
SHA5122e04c4ed4ccd188563dae7e15fecd7acdc0f28b94a9aa7f966789873f2202af40833879beb6bdc2d3965de9aabe37d82872a3572eb192a747d8cb483332a1c57
-
Filesize
344B
MD5c686afce8e078c3caa47a64d3ce0ae5e
SHA146914f9db4722cb7e824bc8cd63f4d80004f86cb
SHA2562eeaf10e62d4e79d6533c9c7c553c3f4940345cb8a6e8d61e3d277aac106992e
SHA512b45bd3a6e025a36469056f0a6031ba0c3f926a5ab4cf023acc86aee923fd5b2a141895d1d9022bfe95a702c1b3ba93ec8caaba77ac0c1c656c6173649a0d5830
-
Filesize
344B
MD50c93dbc00ddcd2d2e3592174cc6f0300
SHA1e2df903b6b01160c82745e95fa3d2709f490e5d8
SHA256a358b5f109491c512ab5a04336fc1edf1d97a2d012b2da8c4c8b3c597eb98602
SHA5123feb8f0b6c059d2f5b6137690614964b5a1d0fb6810aececf90965c8fbf5e4c8d2ea28f1979508ed5e85d369e493783fbb335b841b375faace1c8a7cab5cdabe
-
Filesize
344B
MD503fedec67a1c438485470a1422bd092d
SHA1155cc7f668c9c05a1d87f5ca63f08a06a8db894a
SHA256508b7d0c0e3b8805592ca4acca61beefa438c0850b9348585cdecce768d6cdaa
SHA5121d9ea7c70e3be03432305de6f13a3a0cc10b4a65c649544b46ca46a600d4c4489efafb421bbd5fa0241698d5d9c513f9bc42e341ca8ff38a4be2c0e926d32627
-
Filesize
344B
MD5cad76caec63f9ff3007d61280cab4eaf
SHA1efc985f380483505d781b3455593f38d9b3f3593
SHA25653f3bb57da9ac8d16f7ec6ca50a83b7ab2b5b96fdf6dfd46c325ced1c6035c70
SHA512cfb69f209e9d8caef76fcb69c20fb397903ff4fb244b7c3a609cb8efb0e4089fa1ceeab23033ee6b234c9304f64e88261868722e709c5afc6a1ecfe569bdeeb8
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
16KB
MD53427ea31cef2666d77a0cccf07fa8e36
SHA18289381f21bb7212a07ee95c3b7cc25f0916a1c0
SHA256a463698740f3e04b4ec9344196ef028038cde50e91dcfc00cf3377227b07ae07
SHA5128c63f4ea61e75173bacb924dcdd11d63710991a8b0a76fc2fb54cedcb525af6f22a0f7f2ce96b3f1119d92d79a2f78711a0263e6ac4fe181b96060e769e30b03
-
Filesize
84KB
MD5bee6f1f011766a1f40f0318adc585640
SHA1f9452d74dad86e1dd38108965e40585ff8ef7951
SHA256c8f1baab39b7c77de4504ce7f758ef46c0659e01f6af6922d1a4518687aa6ec9
SHA51213714e5ab6d7da1ab4faa85b4c9801866ffa89f5b39aa053a03aeb13d4adbad4d9bc518f5586a18bb0bc7723f0e6168940ed70d7d6cf71d82120135fe0d51bd3
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
60KB