ramnit | 8838da839cbd91cc5821d4617438431a146e929eaa7a69569c138d13cd9b3d9f

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dcb6f9f2b9f6d06184b779c9d6aff7c_JaffaCakes118.html
Size

2.7MB
MD5

6dcb6f9f2b9f6d06184b779c9d6aff7c
SHA1

c9977ab539600da4ecb258abed52b3e670a19e19
SHA256

8838da839cbd91cc5821d4617438431a146e929eaa7a69569c138d13cd9b3d9f
SHA512

82fabcfae01469eed8199338a1a2c432ee3ca7361069e60f7bb3ef53c39b136ec3e85e520774c2606809aa19b9dab6ffc20005de9c37f29faa4ee173db71a9eb
SSDEEP

24576:q+aDHsJ+aDHsX+aDHsT+aDHs1+aDHsT+aDHs1:4

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfl3562.tmp	acprotect

Executes dropped EXE 11 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exe

pid	process
2828	svchost.exe
2472	DesktopLayer.exe
2952	svchost.exe
2944	DesktopLayer.exe
1948	svchost.exe
2616	svchost.exe
1936	DesktopLayer.exe
2120	svchost.exe
540	DesktopLayer.exe
308	svchost.exe
1252	DesktopLayer.exe

Loads dropped DLL 25 IoCs

Processes:

IEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exeIEXPLORE.EXEsvchost.exeIEXPLORE.EXEDesktopLayer.exesvchost.exeIEXPLORE.EXEDesktopLayer.exesvchost.exeDesktopLayer.exe

pid	process
2760	IEXPLORE.EXE
2828	svchost.exe
2828	svchost.exe
2472	DesktopLayer.exe
2760	IEXPLORE.EXE
2952	svchost.exe
2760	IEXPLORE.EXE
2944	DesktopLayer.exe
2760	IEXPLORE.EXE
1948	svchost.exe
1540	IEXPLORE.EXE
2616	svchost.exe
2816	IEXPLORE.EXE
1936	DesktopLayer.exe
1540	IEXPLORE.EXE
2760	IEXPLORE.EXE
2120	svchost.exe
768	IEXPLORE.EXE
540	DesktopLayer.exe
768	IEXPLORE.EXE
1540	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
308	svchost.exe
1252	DesktopLayer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2828-6-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2828-14-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2472-30-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2472-24-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1948-528-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2616-552-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2616-532-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE18A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3583.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCF70.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCF22.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD05A.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCF90.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{152E58D1-19A2-11EF-BECC-D2EFD46A7D0E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422698808"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001ac230afadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071efed47ed7c2042be437824b1e37c86000000000200000000001066000000010000200000000edf3295688c34a0be7bba7590092b708489a727d000dc0a4d2fa8712049708a000000000e8000000002000020000000cf7c4f1332359655bdd5898d4960022a585bc7d79914e888f1b989acc63ceb4520000000f853d0fd847c9563b0c91d77247f07cf8f63bc917e5b9f32228c3b2c658d66ed40000000e959496d77e4c6adac8a590486e30afbca47623d74f5a660cd7e9ccf51b49895f861058990ce18f2ca5b058a091c31f1fedb46cb67df64dec329a3daa0138897	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071efed47ed7c2042be437824b1e37c86000000000200000000001066000000010000200000009ec708bacbe52a21c76c73e17d5bf1983a26465da3cd9b8edd7c9d48a9103bac000000000e8000000002000020000000df279d74bd1927fd474448a6cac70cd6a69b10bbce393c1c3cc3181a2f4b3d9d900000005416c08edde4aac0fa0242be2465ce7dbb53aca2d83662a40163082ac33ece8aedf628698d7571b71eb565f5b66e95fa7c70626742a8ae1bb69a3478dbb2ce351dbed82df2487cfea3d25f8d11ebed6aa2dbb4b42eccb9ab37a10a40ee89c1a60395d2e55a3f2069f08d2eca01767b2d2d7cd5549f60a6136290d55b45d9f64da42477a893a930d9fdbf9a23543dc88540000000f0ba5b925eea747ba4ed171c9efd888e00149c1a5c3520b14d3afda88aa35cc3de18c378946154fe40432dba5bde5c428edf5d0253536edd9d02ea9debf90dd4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exesvchost.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2472	DesktopLayer.exe
2472	DesktopLayer.exe
2472	DesktopLayer.exe
2472	DesktopLayer.exe
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
2616	svchost.exe
1936	DesktopLayer.exe
1936	DesktopLayer.exe
1936	DesktopLayer.exe
1936	DesktopLayer.exe
540	DesktopLayer.exe
540	DesktopLayer.exe
540	DesktopLayer.exe
540	DesktopLayer.exe
1252	DesktopLayer.exe
1252	DesktopLayer.exe
1252	DesktopLayer.exe
1252	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe
2932 iexplore.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exeIEXPLORE.EXEDesktopLayer.exesvchost.exeIEXPLORE.EXEDesktopLayer.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

pid	process
2932	iexplore.exe
2932	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2828	svchost.exe
2472	DesktopLayer.exe
2932	iexplore.exe
2932	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2952	svchost.exe
2944	DesktopLayer.exe
2932	iexplore.exe
2932	iexplore.exe
1948	svchost.exe
2616	svchost.exe
2932	iexplore.exe
2932	iexplore.exe
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1936	DesktopLayer.exe
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
2932	iexplore.exe
2932	iexplore.exe
2120	svchost.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
540	DesktopLayer.exe
2932	iexplore.exe
2932	iexplore.exe
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
308	svchost.exe
1252	DesktopLayer.exe
2932	iexplore.exe
2932	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2932 wrote to memory of 2760	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2760	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2760	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2760	2932	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2828	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2828	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2828	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2828	2760	IEXPLORE.EXE	svchost.exe
PID 2828 wrote to memory of 2472	2828	svchost.exe	DesktopLayer.exe
PID 2828 wrote to memory of 2472	2828	svchost.exe	DesktopLayer.exe
PID 2828 wrote to memory of 2472	2828	svchost.exe	DesktopLayer.exe
PID 2828 wrote to memory of 2472	2828	svchost.exe	DesktopLayer.exe
PID 2472 wrote to memory of 1428	2472	DesktopLayer.exe	iexplore.exe
PID 2472 wrote to memory of 1428	2472	DesktopLayer.exe	iexplore.exe
PID 2472 wrote to memory of 1428	2472	DesktopLayer.exe	iexplore.exe
PID 2472 wrote to memory of 1428	2472	DesktopLayer.exe	iexplore.exe
PID 2932 wrote to memory of 2816	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2816	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2816	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 2816	2932	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2952	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2952	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2952	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2952	2760	IEXPLORE.EXE	svchost.exe
PID 2952 wrote to memory of 2944	2952	svchost.exe	DesktopLayer.exe
PID 2952 wrote to memory of 2944	2952	svchost.exe	DesktopLayer.exe
PID 2952 wrote to memory of 2944	2952	svchost.exe	DesktopLayer.exe
PID 2952 wrote to memory of 2944	2952	svchost.exe	DesktopLayer.exe
PID 2760 wrote to memory of 1948	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 1948	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 1948	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 1948	2760	IEXPLORE.EXE	svchost.exe
PID 2944 wrote to memory of 300	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 300	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 300	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 300	2944	DesktopLayer.exe	iexplore.exe
PID 2760 wrote to memory of 2616	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2616	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2616	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2616	2760	IEXPLORE.EXE	svchost.exe
PID 2932 wrote to memory of 1540	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1540	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1540	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 1540	2932	iexplore.exe	IEXPLORE.EXE
PID 1948 wrote to memory of 1936	1948	svchost.exe	DesktopLayer.exe
PID 1948 wrote to memory of 1936	1948	svchost.exe	DesktopLayer.exe
PID 1948 wrote to memory of 1936	1948	svchost.exe	DesktopLayer.exe
PID 1948 wrote to memory of 1936	1948	svchost.exe	DesktopLayer.exe
PID 2616 wrote to memory of 2524	2616	svchost.exe	iexplore.exe
PID 2616 wrote to memory of 2524	2616	svchost.exe	iexplore.exe
PID 2616 wrote to memory of 2524	2616	svchost.exe	iexplore.exe
PID 2616 wrote to memory of 2524	2616	svchost.exe	iexplore.exe
PID 1936 wrote to memory of 2812	1936	DesktopLayer.exe	iexplore.exe
PID 1936 wrote to memory of 2812	1936	DesktopLayer.exe	iexplore.exe
PID 1936 wrote to memory of 2812	1936	DesktopLayer.exe	iexplore.exe
PID 1936 wrote to memory of 2812	1936	DesktopLayer.exe	iexplore.exe
PID 2932 wrote to memory of 768	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 768	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 768	2932	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 768	2932	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2120	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2120	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2120	2760	IEXPLORE.EXE	svchost.exe
PID 2760 wrote to memory of 2120	2760	IEXPLORE.EXE	svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6dcb6f9f2b9f6d06184b779c9d6aff7c_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1428
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:300
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2812
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2120
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:540
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1488
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:308
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1252
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1552
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275469 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:209951 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:406548 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:865292 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
914a30926387536e33007b8b9581f02b

SHA1
38deb6c53791cd2b02628a1d247d07edbf3f5d76

SHA256
858259fa16c81eaed30100fb03903a82245f284025eb60a9c8db9647a2a62b0c

SHA512
5235d4ff4a907fb9fc8050c996a6ae5c3743d31717d07acd0596694d185d15ed8a71fc7c1354307d264f1e92a8b7d03b9bffba3296b1f58d6da1672bb170cf19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c39fe9f83de253ac055943db906ba10

SHA1
b0103c7e3f88b26763b4e0fcacd32f03025e6b48

SHA256
405e1ec8c4581633603be46eead4de317ab0f8c18990141a979aa6eb4ae9490f

SHA512
a66cb975b38df841cc37e0debd4f912431d1e41502b3ca374e648c7c27192d978728f1228b48744583d8a2d7d50cb8d71e8c8dca29f10b9670a13bf7cf32540e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59776d8626f424c0d90680bc342007e3

SHA1
379b3a1581ded86374c9cb81abcbdf9700773535

SHA256
db7a7e212b5a03f45874740c7743fa1f3b18ea67a367926c1c0ba5ffbe9e7985

SHA512
7a93182ecc4602f89ad6ef3d7a2443a6d4ff1a4b2321b81c7c53a741374b59568019754b5bb29f59708f3673a00d3f5b76632e26316e3bd758d9ae35885b52cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3577fe1d3d2edeccf47fbf88da9be150

SHA1
c4abe23552ff30067f136127f14a7c1b6ac5bc03

SHA256
1541ccd06f78330bb56c873f0a99fc41dd2a9737cd32d93be367ad3a4c4d9582

SHA512
cc0fffb58dfd4c1b7a39046ad35e42bd084e27b449fcb582b33d95bf8407e63291e2034b67b74dd6ce686ef3c521d1d1620319d7ae93060f290cadd0a7238bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
648ff8f9f0224dd32214d565eb5b625f

SHA1
a229a503acc9614510406453885be4a43fb2d216

SHA256
3bfaeb251ed5b803a99d37b142b7adb458167f1121c5d336c493989bb2b97623

SHA512
64752d3042361d1c0b732903d5901b107121685fba821be74f174b1b728ac3ae4e8833c19ec66281fee6e246d589251d1dd82405627dcdfef87cea2eb2029014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fb8c4d8c36a0e3fa728fff607bf56bf

SHA1
0601ad2880f6460f4583a93a8f8229f651516096

SHA256
43ec04b5028d3b160f6bea29eb4f72b25eca0a26a38677fc5570c49568b9c2f7

SHA512
d0ce290e6c376c5e42ab988fc1f6f8534037b7bdfa75b53ca91d00352f770c0bbb0050106b08872b22a65ecb615f22a5b8cb5672824345584dd6fd0ec183cbbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4dd4e6e467b5c50d7fc3ee2a6c0bd22

SHA1
238048c2a410883300abeccb1edb82cad400f313

SHA256
6cbb1ac2fc0e2fda681bbd9fe067bbab111cce0bb790c4b10122df9421d6dbf7

SHA512
9c13a62145b4a4ebec62710ffc863bc637f727fe4bc81f92537f3f6ec22ea168a800f2204a0ec62bfc245c90bddbe3434111bbb0bfad6fd4bff06d7bbf1969c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\jfl3562.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
228KB

MD5
e9c85c499f6b7c7e91a44567f27ecd68

SHA1
6f89d9176e58f04c3cd48669f7a0b83660642379

SHA256
f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d

SHA512
dd40f713857e9c574e5d34dd292d17fbb94a38c1f1d7f2cf90e043b713c42358d74327e403d3617f5985fbafd35d90c24fbfbeb97cd95a02224a24d75396a5e5

Download Submit
memory/308-597-0x0000000000370000-0x00000000003E3000-memory.dmp

Filesize
460KB

Download
memory/308-603-0x0000000000370000-0x00000000003E3000-memory.dmp

Filesize
460KB

Download
memory/540-583-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/540-591-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/1252-611-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1936-559-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1936-564-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1948-536-0x0000000001BA0000-0x0000000001C13000-memory.dmp

Filesize
460KB

Download
memory/1948-546-0x0000000001BA0000-0x0000000001C13000-memory.dmp

Filesize
460KB

Download
memory/1948-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-577-0x0000000001BC0000-0x0000000001C33000-memory.dmp

Filesize
460KB

Download
memory/2120-573-0x0000000001BC0000-0x0000000001C33000-memory.dmp

Filesize
460KB

Download
memory/2472-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-27-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2472-31-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/2616-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-547-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2616-542-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/2616-553-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/2828-20-0x0000000000320000-0x0000000000393000-memory.dmp

Filesize
460KB

Download
memory/2828-13-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/2828-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-11-0x0000000000320000-0x0000000000393000-memory.dmp

Filesize
460KB

Download
memory/2828-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-523-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2944-527-0x0000000000680000-0x00000000006F3000-memory.dmp

Filesize
460KB

Download
memory/2952-511-0x0000000001BC0000-0x0000000001C33000-memory.dmp

Filesize
460KB

Download
memory/2952-516-0x0000000001BC0000-0x0000000001C33000-memory.dmp

Filesize
460KB

Download