ramnit | c653451269c6e7b57a2bb631f545b6eaa8a1a334c988e2771abe6c449a402cfd

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66d642c19b78ace5e376a0ceabce9d44_JaffaCakes118.html
Size

673KB
MD5

66d642c19b78ace5e376a0ceabce9d44
SHA1

d4cb4d6e0e1b545a6ec1f596aecb7ab812cc4bc0
SHA256

c653451269c6e7b57a2bb631f545b6eaa8a1a334c988e2771abe6c449a402cfd
SHA512

0cca8a88f738d6b06f42e882e5c76dd82344b16d7bd447e2b0fa8a2ba04690d59222dc86ef3084a45bc08f6537c97f1c5df9898611c144d0817a48bb296ce463
SSDEEP

12288:t5d+X3Z5d+X3B5d+X3r5d+X3u5d+X3f5d+X3+:R+V+9+j+s+P+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2884 svchost.exe
2744 DesktopLayer.exe
2464 svchost.exe
2520 svchost.exe
2992 svchost.exe
2940 svchost.exe
380 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

3048 IEXPLORE.EXE
2884 svchost.exe
3048 IEXPLORE.EXE
3048 IEXPLORE.EXE
3048 IEXPLORE.EXE
3048 IEXPLORE.EXE
3048 IEXPLORE.EXE

pid	process
2884	svchost.exe
2744	DesktopLayer.exe
2464	svchost.exe
2520	svchost.exe
2992	svchost.exe
2940	svchost.exe
380	svchost.exe

pid	process
3048	IEXPLORE.EXE
2884	svchost.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2884-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2744-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2744-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2464-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2992-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2940-36-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/380-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxCAE.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC21.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC21.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC7F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB95.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxC50.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009bb9d23cbbe2c34fb2da11c503b7be2200000000020000000000106600000001000020000000b1541e7cc5b6b7b649de52bac0c94bddcdd80b05aac16c3a9a771dec340ed228000000000e80000000020000200000005080ff4b3d815fbaa4046418739762f2c1f5d2037c9aa1c81e79d0c864f33534900000004b7f973b36c4822d3cac3b234f6000bff1f20ce1f31a5ec209271262abd0ed0bcddbd8554b75c4710ecbb304d0ae230fb1459fc0d490d549179dc7696eb20397607274878172e6f26f0220fb07395e7ca894cfaaf40fda6d08cc594d6c04435fb57cb31d85e3b6dc196c74e1e1fd7f311e77bfa5bacde9b7ad7be596d74206bd92adc217ce475414a4b01174490550b04000000095702352850729714b5a7c52aa09d99b62508da8462a4e93874a2de6bade7b7c2f895424ca8d9d1428f46b82332b66fe447cbf9bf469ad429aa3e1f6691bc56c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009bb9d23cbbe2c34fb2da11c503b7be220000000002000000000010660000000100002000000015742980affeb6226d01fa7b600cd3ed1a0e501f8f46efd9084d98f68603d038000000000e800000000200002000000016a6a9d759937f6dda5daa5270c895cb7869db3d487954d0a7473b7f45ad71352000000048515816617b64017708d7505fa54d67d1ee00f1e60539c5bb616cbdb341abb340000000e417c4e33716b2a4dcc6e22d3ed0ad851a30cd381c7df763bb22c85cc9ea64776d0a63e0572be0548b75a098ecb319b59961c3f14eeedfbdc2535b3b3a4ff9e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F870AF51-181F-11EF-A6AA-4E798A8644E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a536cd2cacda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422532974"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2744	DesktopLayer.exe
2464	svchost.exe
2520	svchost.exe
2464	svchost.exe
2520	svchost.exe
2464	svchost.exe
2520	svchost.exe
2464	svchost.exe
2520	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2940	svchost.exe
2940	svchost.exe
2940	svchost.exe
2940	svchost.exe
380	svchost.exe
380	svchost.exe
380	svchost.exe
380	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

844 iexplore.exe
844 iexplore.exe
844 iexplore.exe
844 iexplore.exe
844 iexplore.exe
844 iexplore.exe
844 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
844	iexplore.exe
844	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
844	iexplore.exe
844	iexplore.exe
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
844	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 844 wrote to memory of 3048	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3048	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3048	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3048	844	iexplore.exe	IEXPLORE.EXE
PID 3048 wrote to memory of 2884	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2884	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2884	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2884	3048	IEXPLORE.EXE	svchost.exe
PID 2884 wrote to memory of 2744	2884	svchost.exe	DesktopLayer.exe
PID 2884 wrote to memory of 2744	2884	svchost.exe	DesktopLayer.exe
PID 2884 wrote to memory of 2744	2884	svchost.exe	DesktopLayer.exe
PID 2884 wrote to memory of 2744	2884	svchost.exe	DesktopLayer.exe
PID 2744 wrote to memory of 2592	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2592	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2592	2744	DesktopLayer.exe	iexplore.exe
PID 2744 wrote to memory of 2592	2744	DesktopLayer.exe	iexplore.exe
PID 844 wrote to memory of 3020	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3020	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3020	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 3020	844	iexplore.exe	IEXPLORE.EXE
PID 3048 wrote to memory of 2464	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2464	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2464	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2464	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2520	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2520	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2520	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2520	3048	IEXPLORE.EXE	svchost.exe
PID 2464 wrote to memory of 2980	2464	svchost.exe	iexplore.exe
PID 2464 wrote to memory of 2980	2464	svchost.exe	iexplore.exe
PID 2464 wrote to memory of 2980	2464	svchost.exe	iexplore.exe
PID 2464 wrote to memory of 2980	2464	svchost.exe	iexplore.exe
PID 2520 wrote to memory of 3036	2520	svchost.exe	iexplore.exe
PID 2520 wrote to memory of 3036	2520	svchost.exe	iexplore.exe
PID 2520 wrote to memory of 3036	2520	svchost.exe	iexplore.exe
PID 2520 wrote to memory of 3036	2520	svchost.exe	iexplore.exe
PID 3048 wrote to memory of 2992	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2992	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2992	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2992	3048	IEXPLORE.EXE	svchost.exe
PID 2992 wrote to memory of 2800	2992	svchost.exe	iexplore.exe
PID 2992 wrote to memory of 2800	2992	svchost.exe	iexplore.exe
PID 2992 wrote to memory of 2800	2992	svchost.exe	iexplore.exe
PID 2992 wrote to memory of 2800	2992	svchost.exe	iexplore.exe
PID 844 wrote to memory of 2832	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2832	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2832	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2832	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2952	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2952	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2952	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 2952	844	iexplore.exe	IEXPLORE.EXE
PID 3048 wrote to memory of 2940	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2940	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2940	3048	IEXPLORE.EXE	svchost.exe
PID 3048 wrote to memory of 2940	3048	IEXPLORE.EXE	svchost.exe
PID 844 wrote to memory of 1156	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1156	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1156	844	iexplore.exe	IEXPLORE.EXE
PID 844 wrote to memory of 1156	844	iexplore.exe	IEXPLORE.EXE
PID 2940 wrote to memory of 1884	2940	svchost.exe	iexplore.exe
PID 2940 wrote to memory of 1884	2940	svchost.exe	iexplore.exe
PID 2940 wrote to memory of 1884	2940	svchost.exe	iexplore.exe
PID 2940 wrote to memory of 1884	2940	svchost.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\66d642c19b78ace5e376a0ceabce9d44_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2592
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1884
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:380
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:209930 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:5583874 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:5518341 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:5321730 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b35f4b232dbfc138139e36471e17aa58

SHA1
e054b03e0fc27d7c75c8eeef166cf5af14a6ba58

SHA256
fe067a03996e8d8ca9b467f95bceac3468cab6fd23ac3fddf7066808ba9b3d14

SHA512
92570afa1bd2ad82c0b5aceda87871b8f1afaa8274e1dc8b995c970576113e4697c8732b956130495b609da109c22e351368d40250ee76a986ec908c4001b3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f0f290aed8e12c200369d463b9aa1da

SHA1
7fc578d090fab8a822676e43bdaca9f0851aeee3

SHA256
8a34974b381e8c4f0621884446ddf0cf4cac5551ecd9e47cb86c70e1c9cb1efa

SHA512
f02b95bb509abea8e0a733634ef8cc9c2c78d30b4250de35d7b9230a8299559d5efb891119e78d20ed103df4df04c1a7529851aa68d2f0548dc88e2cf7919456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c3e2c9f47be21d3011ffa988a7e728f

SHA1
d61918ab0a992f1a2d18d74ec83dac7f5b702c75

SHA256
7945f1f476afeb738cc4a962afe47ad5aafb28b9a5649bc845b84847ee80da36

SHA512
713825d9c6e603de26453ccd796b0e3aa2cbe261a814f99d24f51710719bee9fbc8b2a7b26ccf4e10f515176ffd58dc1e049a86f132ab63bded4886f4de6dd5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
714306e4bc9d949e93d189ad9e2fe2e1

SHA1
f58212df67370eb529de2fcca46adef95b057fe5

SHA256
6e99fd1255bb20a31773f92d06e692f96c3b9f88af030ba4518a2055569b19e0

SHA512
f67c6ca5246025f4917a49e3f912859921862b7f74d2943113562df21ab6f57d6769187af8c87317f7177b62a09134a3ea13b998a7a6c9316ce10aa167a7735c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2051303696b3713d0f5437c49146cd40

SHA1
faa699b38faa40e1e1d4013eab3c2ad2d594af85

SHA256
ac74fc5cf6947e1e27815c3be2a7d3ffe710148a804cf5439612b8682c2b88a3

SHA512
264f6cbf36ec09f01579e6faf5442e1c19cd3705371b93ab0096e395a27b8ef8ac4bc5fdef24bfc3478a5ad6a32e631ead9cf8e2ea25b648458875a50cab3715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4f251e750fcc3eed1cd40b16803f6e9

SHA1
ee85e3d0f387d39eef8dd079197a8edb9f187b57

SHA256
eb024809a737b663cc3e949b006b74df197ca5487e29378e4b3768cef6dc8f2d

SHA512
c29e21e942c21866ac27bbd111bf2c58c908d9593766cd79f4f14ac59bb8f3570f4640a95790f71e8aca85c08bbafd0a2f1828cb5e09427496b66e53c4173cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8ba354bebcce6ff0d600c71cdf28c3e

SHA1
0bf0f9a65f616a008fc12048c433846cbb2b2403

SHA256
2a9d662b4f6b191bc29cd179db2bef1ca738af75b1a986c8a65ce79b6f26d878

SHA512
d99169fba8aa843b051db51a746f32111c40f8d2bdfa6d52c5ff1aa79d7a4c741088184d5113fd15df6aa24600e176fc5898b4cbf128bfc1312044b5ca183453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3df5520d5d8bad19e02a1637d542978f

SHA1
20088c68a3aec2257b55df2a205ee9831cce8e79

SHA256
7516c1e0c197a2797bd5b57083bbcf39ef932bb10df9328868e6a018023ba1b7

SHA512
472cd7731841561ce2e4fc0056aa86cbfbcae5f3c529053e84fb7529f60ffe1cefb0e07fc7ed9b716adba197df8b549e9518abb506d1e55b4d5b5bab7391b7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc12142eca33e7a9fcb102f78b3be28c

SHA1
cd5f8f2279ef0bded70ef691d1d61ac2bb37d6a0

SHA256
9772c2bee93b1dae5f02566410f5603fc03234646fb33419de369bcb239af464

SHA512
3ee937b846ee5dda3d82bd04d6b07346cb3eb7550a12b1ffbca38e57320c778c646114b73afd5b410b21293c3c8c2649657cb1acfc590effd026e94bcaa0fb3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5c93ee352ab7745f8922f32f338bf49

SHA1
e680fc2f15c1d3e96a8b31e183ce9ef242a837d6

SHA256
53cea40eff63f2be7681358555efb2ab789f19624860516f8e5756e4027b2995

SHA512
125513fdaed7ab985d52dc5a1e28cfa63b77ec68ca37f80e72dfc70fc201c0275c1ef3682cbdb315fd5c54b53e863ae0c91ba9d1231fef28552ce9db0d349798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cf822c3455419705a5ad8be4dd4073b

SHA1
4a82d6b5c1bbfe7b862d3292dfdd3ae3ebd1e94e

SHA256
514b90c300cf991831dee5edd433c8c09bc6e30d906e4ade73762a59b23083af

SHA512
fc8158f89e0298710e3d5cfda9281141d1862b814380a5057bf30cbc8b0f5f430544973729457707b27d2f880765cf3e7556558daeb5f462b959d9a9fcd4eac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8afddbd7f208ebfe0b526b1ff794262c

SHA1
acc89a0f6a217a77f596a2d937c8ca59b7941018

SHA256
1707a325999a60ca670ac9c42f6bce555b810ed4dbda98f68f20a12843e0b0d4

SHA512
e884d8db2feb516bc3ea548d1ad30b44a811747872f94e1b3a935cc94cd6a8c9d78ec870c7ecf25259ed856927e454496fb111551503a6ebe63717bef9e36876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99461498db2ff62082af10993237d748

SHA1
6615143ec64c9433073930ebc241c3cb740717bb

SHA256
45b43d36cd7764e0df1e508177433c5773bf155acf748c954f487221dad1bfda

SHA512
828d62046be0e66483290d74933e216b180e74a19e2c7dcd9e1c9957e609dad5ce534f199af1a5df125fcc703e9d3a5c53c0f442b543dbbe4a4ff504dd7fa1f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e8ea56afa173315ae262b08cdea2e15

SHA1
abacffa24fb59046318ced64dc3ef31165ba048c

SHA256
0862b6af69df18dc7c7d759f7340ae5ceafaf19da6cf6cf761d9ea7a2a17b5fd

SHA512
743a24b1dc05e96ac4154500098dadb2ddccbf45dc7f92907ddb05a7f967a2073102a14489bd2677bb849633e02deecd7efc2f7d0167a4e0f962715d85b0e2d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15ee54f9b5f001c3c3c5178ca56ddeb2

SHA1
ba73fd08d2a23f33d6f289c0332deafe2ea62fdf

SHA256
981ef5c4f211d11abedbc489015d94d13fa7868390cbf2d033a7f26db8058bc6

SHA512
2b2860692e83f9aa49d5a4869726463c9312c85171f927d7392c8f62815e41a9d21f862d2d5e63081acbd85325472cc86ddfd1390f4b8d8ff2362ea01bf71db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f4c0cd2d71986258ef812b0ad4ba0ea

SHA1
d942fa9437b3d564c172612d9805e3834d68f355

SHA256
0bc9b6b6259a5fecb5b787069758ccadf675635fbf920597629fd58d2dd11d6e

SHA512
80f3b01d686b10b40cfba02cc11ffe7b0af0d33a89339ea33c84fb68a65346e97a6db0853ed4e83d9b064e4444f221fc03b50a5ffe159a2c8d86cbafe40f4340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef6380b8021d75d2c23988f479aabefe

SHA1
d752e40eec8de8708170716fecbbb298db6b8ec9

SHA256
04567d33672f65ca130328a051051a8069ddf10384590d7737d5c0beb15b7fa6

SHA512
f943e48deb940d0612c5dbf6677177befce625a2597b054093c570c5e27abe7d19077d586215e4f4252b841130deebfcfba77b46ed5a825bae1680c85c9a0581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5d703fb877e62bf948be78928ad1a61

SHA1
0722ab772d85039b4f496a0c5354d03fc539d418

SHA256
6c414a202f45628c21271537d4fa218f07cd6e15472b0c9d7700272cdee56282

SHA512
2348b513e30dcc42e5081fa10ea64faab51ed6603ab552eb75757f99d35c1956cd332ad9790e8fba716091a6bd55a192d37a1d2d4e00efa1c567bd3735724df6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3223f0d7f75fa05a5da461ae71c1e1b4

SHA1
5f3cb684392c902f5e6c9f950be459774c30b68a

SHA256
06d04eb42d18f90536bf35acc28dd54fe7e25dfb6c78e0fcb835cb5d9228021e

SHA512
9ac844df53aa810e5269aba02362f02aaf7671d735f57204baaebf1314a031a2cee559f6eff2528c77c6c4357ad91e7d6c6d54ce588684c3b2709d21002c6e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab21B7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2298.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/380-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2464-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2744-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-8-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2884-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-36-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2992-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download