ramnit | 682341c730507bb9b2ede33a8007b4d3bc5c781f8c87fa2ace2f60f559ebc6a0

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
Size

672KB
MD5

6930263bdcda38a1562ee0615777ccc2
SHA1

630a8ff9da84c979cc930a0cb4e199d84a36988b
SHA256

682341c730507bb9b2ede33a8007b4d3bc5c781f8c87fa2ace2f60f559ebc6a0
SHA512

5f4d8084a54df6536474cad4e65067e5eaa733bf4dd30c60cf2605355cb443988227ab2d552fa566e9c3369c4bdc3b116ef949d4b0aacf4e3c9586e93e054af1
SSDEEP

12288:n5d+X3V5d+X3N5d+X3p5d+X3Q5d+X3f5d+X3+:X+Z+R+F+K+P+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2608 svchost.exe
2776 DesktopLayer.exe
2544 svchost.exe
2528 svchost.exe
2884 svchost.exe
2720 svchost.exe
2868 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

3008 IEXPLORE.EXE
2608 svchost.exe
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE

pid	process
2608	svchost.exe
2776	DesktopLayer.exe
2544	svchost.exe
2528	svchost.exe
2884	svchost.exe
2720	svchost.exe
2868	svchost.exe

pid	process
3008	IEXPLORE.EXE
2608	svchost.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2776-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2608-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2776-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2544-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2544-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2884-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px21B4.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2240.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px225F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2211.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2240.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px228E.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0672eb0aaacda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422587041"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB75C7E1-189D-11EF-9CE2-EAAAC4CFEF2E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f8c48b30cbec0f429f21de75199b2e62000000000200000000001066000000010000200000009605a828b75aab31de4bff7f3c2a8b80989aa3a510631c21e81c3f69b18eec85000000000e8000000002000020000000eacc4ab926d7ae29bda2c875e256fa39f8570a30c0e1332dff43757a0a6381b9200000002028455694106dc223ad148f7359588df9dde7d9beeaf1bd442a45cdc9935eed40000000f78cf461beae30ee8c537c52f28f6ec3f27402b6c64fb2f2ee20434614f61f4494a3ea0f95edab8b2f6d6c8cbe2dfcd1b9704a6dee7da4b408c444f7c42f2606	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f8c48b30cbec0f429f21de75199b2e6200000000020000000000106600000001000020000000814cb22bdb0be548c4d6dcefd4710c1ed26bf82c4ae4092473e60d129687c5bd000000000e800000000200002000000098630def3a2df1770e9a7e72262ba2581246936569e0389b790a1a9e00e6d9a790000000534f29e0afe05f1fcda93d0317e6af995ab1edb721ac92e1b29f2c535855da7ac7e55bf3ad80c2a07cf78fbc9dadb8065972881e20812a52dbcee5fed5773a6200262042c9721675adf69101c6cead414a58cc697ec30dabaccb6d378aa4dfa64f492f4c451941064e70cb6cb8eae1e4492e845866d35c9343029d13a8167c30c1a1db9e9ba4b9659b8a19b52153b134400000006ac1b785efca0a38626858a68a4cc611a8adad4019ede80b67e15b2fec6723731bc129708143d1d1f5141e0bae75243aafa033d99e5b043cd1f0ac005d7d79cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2776	DesktopLayer.exe
2776	DesktopLayer.exe
2776	DesktopLayer.exe
2776	DesktopLayer.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2544	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2528	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe
2868	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
2020 iexplore.exe
2020 iexplore.exe
2020 iexplore.exe
2020 iexplore.exe
2020 iexplore.exe
2020 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2020	iexplore.exe
2020	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
2020	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2020 wrote to memory of 3008	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 3008	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 3008	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 3008	2020	iexplore.exe	IEXPLORE.EXE
PID 3008 wrote to memory of 2608	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2608	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2608	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2608	3008	IEXPLORE.EXE	svchost.exe
PID 2608 wrote to memory of 2776	2608	svchost.exe	DesktopLayer.exe
PID 2608 wrote to memory of 2776	2608	svchost.exe	DesktopLayer.exe
PID 2608 wrote to memory of 2776	2608	svchost.exe	DesktopLayer.exe
PID 2608 wrote to memory of 2776	2608	svchost.exe	DesktopLayer.exe
PID 2776 wrote to memory of 2736	2776	DesktopLayer.exe	iexplore.exe
PID 2776 wrote to memory of 2736	2776	DesktopLayer.exe	iexplore.exe
PID 2776 wrote to memory of 2736	2776	DesktopLayer.exe	iexplore.exe
PID 2776 wrote to memory of 2736	2776	DesktopLayer.exe	iexplore.exe
PID 2020 wrote to memory of 2520	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 2520	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 2520	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 2520	2020	iexplore.exe	IEXPLORE.EXE
PID 3008 wrote to memory of 2544	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2544	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2544	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2544	3008	IEXPLORE.EXE	svchost.exe
PID 2544 wrote to memory of 2420	2544	svchost.exe	iexplore.exe
PID 2544 wrote to memory of 2420	2544	svchost.exe	iexplore.exe
PID 2544 wrote to memory of 2420	2544	svchost.exe	iexplore.exe
PID 2544 wrote to memory of 2420	2544	svchost.exe	iexplore.exe
PID 3008 wrote to memory of 2528	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2528	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2528	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2528	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2884	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2884	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2884	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2884	3008	IEXPLORE.EXE	svchost.exe
PID 2528 wrote to memory of 1764	2528	svchost.exe	iexplore.exe
PID 2528 wrote to memory of 1764	2528	svchost.exe	iexplore.exe
PID 2528 wrote to memory of 1764	2528	svchost.exe	iexplore.exe
PID 2528 wrote to memory of 1764	2528	svchost.exe	iexplore.exe
PID 2884 wrote to memory of 2396	2884	svchost.exe	iexplore.exe
PID 2884 wrote to memory of 2396	2884	svchost.exe	iexplore.exe
PID 2884 wrote to memory of 2396	2884	svchost.exe	iexplore.exe
PID 2884 wrote to memory of 2396	2884	svchost.exe	iexplore.exe
PID 3008 wrote to memory of 2720	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2720	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2720	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2720	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2868	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2868	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2868	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2868	3008	IEXPLORE.EXE	svchost.exe
PID 2720 wrote to memory of 2852	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2852	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2852	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2852	2720	svchost.exe	iexplore.exe
PID 2020 wrote to memory of 1368	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1368	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1368	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1368	2020	iexplore.exe	IEXPLORE.EXE
PID 2868 wrote to memory of 2196	2868	svchost.exe	iexplore.exe
PID 2868 wrote to memory of 2196	2868	svchost.exe	iexplore.exe
PID 2868 wrote to memory of 2196	2868	svchost.exe	iexplore.exe
PID 2868 wrote to memory of 2196	2868	svchost.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:209930 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:668682 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:799754 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:1061891 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8934584ac96a1e18de3df7363ae826d3

SHA1
e9412be2c094bcdda5345502e852c8da32792b68

SHA256
985c88d9acbf6059485c747810d60cf73d9d138f4d97c8b195f80c00ae45288f

SHA512
715fb250163ceceb037b8194d029ff40ca172a79a70cd64f7011c96308b86a977cc3c1c10a8684fecbcd6bf2b47d3a1e0d80bf5705ec552cd11f33672fc7abe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
743b864dd619f4c5c66ee4f9b612ccaf

SHA1
abbffdfe50cc888146ef7648c1c76037c8ddf75f

SHA256
33bfb5f2cb61af3567598f7e3326c55e6a6cb7da2e7b19e2fe4e9d040c7d1331

SHA512
cc0a13be79822544e691aed47c2526bb996ed81488002d39f57ea3e5db6aa66d9fb93ec5df94fe7b2915c5f5c694ef8433a80ec5c744cbd33061cb1a39dc9684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
67b896be70813c0b1572d5b5485d2cd0

SHA1
b871720461a6ce0f5da3ae187925816a2cbe1a11

SHA256
5340c88862e0f7201b7f90dd0e5af09457c2934329f0a16847aab8e760d480da

SHA512
6e682edc8a30f7fef185902cd43b1c7e647cdeab5b9a8101e676f2be0e2bf181a57a724cc1fd763e6d3890f6775a504ea5535a776a2d30e807b81f50256aa962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
7517dec9993c19028ff6bada8184a157

SHA1
b74260fad3b7d7f272fa02967ae0daf85b7e842d

SHA256
0b0b8505f8958b459fab7c8697c7740dd7e6938a0e58fba236ef60a227717baa

SHA512
191e46c4efccc5a911f81add053e0eb942b38f6e85b16c9d71657884025becb251b71d752b117698b4bb7e329b5d311f0e8dd1e513750cda3b1b816d78d2b44d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8ee4f1fe830d7eff1d8c691429f6148e

SHA1
f5916f1ef56a548dbdbe502bb5ee064c5dff998b

SHA256
1539ed0fa595989a9e153c676c3b448070c49e8e82fdef409b584fbe78dacd1c

SHA512
5f2ea7e817eb934e1c765e100bb7c4053b457fda6c24be60d0df7ccadd9711f185141263cede95c5ac417aad1304c4b6779ab89ce963ae88cc89aad417ac088b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
acf3213a8a5f14d0988e358d874c5333

SHA1
f4b321adea038dffdaaa6796aa4c19d532b4ed95

SHA256
79fff065243a4f350d52e83af57626ec338d6db626ff038afced65be51acb622

SHA512
7c44936c59bd5df055213649330d7559e67d4c0e1605a13039b6c563d14fd6d0f6fb8c486466362568c31e9c6e73a12f9cc9193d67dd44c9c548064864032ab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8176ca343f7326193ce4823f08ed8a4c

SHA1
f9920edbdeb50b8cc4383428766f95f1b191a0e2

SHA256
949beb661f8139a4a5511002a739cf6477f181d6cb9279f7bd784c2e15108e91

SHA512
3d78bac87fa60f2aac936a07efb51a6be8ca8c53b1b2f55e9bebace9ee5471f6f40f5e08750e7b1051289c1526898a04a71e78fdacb79f7af3509f787502e642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
51cfa1f1032cf1bf73f0e2e94e771df8

SHA1
95025c4e5ef72bf02fc3d32c9db5f35b27e3dba9

SHA256
980068f0f6d7f282c7ab4670fd2977bc78c02b4b61f6f0e88e615c8e765e0537

SHA512
63f754912729f8c8d462d4744f128b8be81ba45bc1c45665719b72bc856079c37eae8ba38c161bff3e2a096c9194fe82ca8251b3cae3dc22cbfd2dfc06143355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
440dceb6dcfb74cba8c0e9b891810a27

SHA1
48c623683ca2f8904f48cf70a1284a14eed1f360

SHA256
de8aeff0c7a71e0626e331d3f3c969f9e214a62de0cabf2fe6024ac0a0dd47ec

SHA512
cafcdae475dfb227b5c48c41bdaee27cacfe40a6be6559dfbf78a8fb03ceaf813ff2638d41343ba8fe985252ef7bfdb9fb2defd1e4d0956df2384566c9cbb51d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
5cd3360c935eef8f071256fc6128fb5d

SHA1
a6156a71f45e1e7a5ec29e1eb05949db1ebd713f

SHA256
2fff51046da9c87c3036c1f2409c5f7921f5666f84ebc1c8e4fbc4fc7d183d03

SHA512
7fa4e775a5dc16a87e45b5e409e12563e6a24430621ec4334bf907dbd98020b89da05e73758bfbe8988d2b6bcf17c051f3acb6a5fe25a7f449d8bedc6b9f0045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3705213fbb84996bb09f0506e0bf459c

SHA1
9ef02f7c9af0376c88527fad94517bd388ec2c6c

SHA256
2d2633fa569c82fecd627540b6c7263ad9d1e05e431e904c727923a93b8fd643

SHA512
dca98cf007862ed1f54abcfe8cc82c1642761531f66af48eaac3cc5de0d1a50c7ba81ceefe44c8d9cbd927546e6483122c7f95b134be2d340040745572a8ce53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2f4a42536a90d6e6d3e198c70603e8d2

SHA1
fdfcbf757c091e6bd7388ca65506c63980a1eecf

SHA256
9c59b9807be72dd32881fa72ff0c19ba0a0ab623fd4b4af8ac4852247c952bd5

SHA512
e11c59ffc382285f04dacd90bb0b208efb50b1a8be1358ac231f0535ec991d0d85edb766ca5968c62a40ca1b2520936f6f2eacda075d2d501631e3f856a67748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
221add9133aa5738940ecc31cf32f957

SHA1
5db76d4d45b3373c3e80fcde441cc22d4ccac360

SHA256
f2c7f5f14889610b7cce85cc5a89492c3b31884567d75f1e84fdfab1bf957942

SHA512
6b7821ac38d988a38b6d768392c0479baeb72089337b0372bdf2a38cdfc3461389641b40f6af2ecd456cb9568dbcddf7df26c44f17ce7289df83025ebb618a0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
82ab4d0d4029ea969f03e50cedf85961

SHA1
7d17f4306c560c2ad6a64cf5b9985e10378ad965

SHA256
6134aadba1785bc803aaa5e7f6279cf193a9dc71f247e06305170fc62ff18ccd

SHA512
5ec53cc79f7583b34a9a7b559090efd9872914ebd803ada0c97d8be1cb05edafff974392c9f6851be47fd8bf63ba0ca5ff970dc093b1caa27c8481d2e6b13f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
a6c477c0381f39565aa623fd449871dc

SHA1
c24d922ac6b94d1653c480d035e385db72365c82

SHA256
3ca0f66138b0253a7041e42f63c97398ed98f9148190db106fbaf6ec6d880e8c

SHA512
0b17e11a92e85fbc1944c54cb3f1014ac2fd0c751d9927ba34fb409f4dde751abf38ba66069fc37ff18da18b14865845cd859abaacbd482807f48e3b8fbbc4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
cf398e5cf49ae0d46041e3bcb4d202a1

SHA1
d214e74bb2f6955869cc062d9d187189a64b4c24

SHA256
d8b0c11ccbf53395a27908d9f4147312a079c5d07a94a5bb5e7ee08f82478240

SHA512
219e4eb2a4e10daa921b0187494f26e98844da6a740522966ab161815c310ca62cfe5d6558add58b015bc63e59c52f1ff23081dacd4a99a1b51b5db06e6ba1a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
b7b115cac781d7c5d8eec8024c7e9849

SHA1
d8707222668cb1ab251031586a197fed99632fe4

SHA256
c3a6b61c10c67670d08fdd72e304501f9553749383d42b02c05e7d316f900cfe

SHA512
3fe4ca78d7744d641c31b2bd309b1bcd54f2d8848a5e356ab42ac3b5ce7d35526a77746b8ae81df5905bf4a6c453054626fa20369ae1d653b0bfbb8489605f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
bbe6a78617b39372c825b7c0e22fdaac

SHA1
328f94350a4ad4bde624af355329b5bd2ef3e3fb

SHA256
f827f9a01df1950fec4b2488a63405f96964da17cae671e4852e886230b6e8f3

SHA512
e27a1ad2b4e5b2511c71740e426d46a47728938c1be4ca6065f49d9867e71729cab050edad62a9f51e3d0427c8fb45ec53c970653ca4b8563fb6bf13f5ce8f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3883e19b473449ccb1207cc6c51d2bcb

SHA1
ad260bb87acd3cef601f969d2513677f005f4d3a

SHA256
e50a5ca9f7e9b40557f2394b3823402e50a5ae0ce87ef7d3e989320dd11e8f27

SHA512
1d8bea6a3d4c2517be6a192d500786e3cc4f633385b4e54ecdd4f19209acb5daecefca390958e4227cf0f7159151553dcb0debb3720149eed9f6de61463c42e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
cf83b2cef8e71450171b6e133a746493

SHA1
aa8c3c6b35b3c8ed81ed98528479df92d1e6f245

SHA256
bab206cecfd7a374a120396aa6b04ac1e4b6a6f68c1a217ad47e4a90242dfc6c

SHA512
1bae1c30c6f8567933a2e814268a66a4f37e1d3b119e35d681c0c25ac9a9b96dcbe6916e2830ed44f0ec6010b02c9f569c71e807b611dbfde8129f383f32c3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3891.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3972.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2528-30-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2544-22-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2544-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2544-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2608-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2608-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2776-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download