Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 07:52
General
-
Target
6dcd9f3e5881740ab0b96b6900256c40_JaffaCakes118.html
-
Size
190KB
-
MD5
6dcd9f3e5881740ab0b96b6900256c40
-
SHA1
bf1f7bde038400d246fe621e311e135bb058132c
-
SHA256
c701df2abd062506ce9e0acb3c09b0926328259c6db7db8393068750d412d3c6
-
SHA512
9f9fd474e2b7beaa2ef68a49e365ee5b335676d76fc6213e49a6d3a363bca88f476f3253cac8f9e0bbb79e1b47bf5e74a38e4d809397f3168b5300fbe78a1e21
-
SSDEEP
3072:Y+tX7tSjPHf0T8b6jFK+FyfkMY+BES09JXAnyrZalI+YqQoc3OSu:Y+tX7tSjPHf0T8b6jFK+wsMYod+X3oI8
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6dcd9f3e5881740ab0b96b6900256c40_JaffaCakes118.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
344B
MD58d37ed70506d2048cbcea477a11e4ebf
SHA1f74b314431a89327843fdae4edf8aa73e57f8214
SHA256e94d2774bfa631f23fbd9d9fa059c4512c694806c43472a01e59886eeb200fce
SHA512328a8b213c9053ff7be85316aa50403b23e412b4b1f83f39e24f6c7a6baba52eb8d6ab8823948c6220974372d738b322277522d48afaa967a1de67f2d0de888c
-
Filesize
344B
MD56bc45c62ad7a3930fa1225a1a43c874d
SHA19f83f50674043e972273c9aeebcfc6f7733bba28
SHA2564179ddd46eff662e269e66c1387f4fd0e9e5b33f6df9f8cc94d0ec8f2f56b8f9
SHA51223311fd6c392788f959d03d6538270e5c9f8645cb0db8bec387e2c8b5ee9b9b6bf840cf260d7d531e790c021b3c5812311af520950ee40828793de296f8a0352
-
Filesize
344B
MD5fb9dceac37412988ddee568d36dc8445
SHA1967e7bc8a9c04aeebc9c85bb880fa8787c7c5105
SHA256b3f718144b5533d124add64d8b476e3a4d854ef04ed6583c90c8f6fd33910997
SHA512974abab58cb3f0e70732fd3a6db2159fd60db41e573d899a87de4c04653fb2e284f3e544368d2e4568135f113098d8083ce5df1ed122ab42cb588028458d2bd2
-
Filesize
344B
MD5291bada38c5a65d8d7c1ff148d2fa3e4
SHA1a366d022b12d143f111db4852e5517ef198d0d1b
SHA2561f73667850d2b1560b6659ca8cbc1fd85e93d06793bbf26a33179488345a8e68
SHA5124fd11b4a1ae2806d51c79029460d711d5470c4032ef7f3c3ccafa92faa2a17d2b43f57ebe384bee8c2273bd0f77be99714530e6091d266cc1dce979dd367d302
-
Filesize
344B
MD563c2044500b7eb631d1471383327f65a
SHA17f49e3c2b9ab021c5059a3f84216fb4fb6783650
SHA256557d704fad0006254715f0b777676b4175064e6819f6bb64eac9a8897a5cbae7
SHA5126cc65cdabc4ec5b962cded378117b0c693c38c82e543b5752c7b52dd354cabe12bc2701b0be37ee98a81e8941dbb0b8152f44d56d6318e1e70a6a73bf802c493
-
Filesize
344B
MD5540a520847c188116f040e568bf435ec
SHA1a4d365a80348ab16cbd60b3d4cd1029940f02dc1
SHA2565efbfa56635aa9ae5efc0b6b27940393b8747bc8b11cf018657e51beed9d6029
SHA512d380acea7cd56ff497140c49e269a8d3cca880ec363538c74cc86ebec38b6bcad8a77c3fc343ccdd71215be1a97d7699ddae0c8b3eb81b970e98e56c08a5a0f7
-
Filesize
344B
MD5a187ebf5d253d45977db9182b5ee2c1d
SHA14babfdf1c637b02fe36112efcec74e771ae24409
SHA256fa83e1251477c9429714aae268daef083ba93150336f9c1c62896f735ecb8058
SHA512d876a24bb840694cccbc9bafeb79998bd927a2a80415f1b3c678346aa7fb41106f1614a4321399b0bdaa07eaf4f3dc263f117ac96d7cf43af77b578f5f7c7d71
-
Filesize
344B
MD5ece94bc3e672165e28f215e091bfc088
SHA1dee7f7190fac9dba3b271f434f3648e99512ebe5
SHA256140ae70800a32d121d51ffcfa25df74ac8c21dc9f339a96fc250de8282a87dd8
SHA5122765d1f902c6c6fc887926e13786efbccb9f1447ce494215188a6eb706cb0a2d43e3d7a4210c1995a00b504ee3e3b596c62c81adff8f4605ef8a9e46dd072886
-
Filesize
344B
MD59207ef489d9dcecce03cca5cf832fca1
SHA1a1410694defe82044ed2711815184b9313c04fb8
SHA256dfe4d232555bd47f3018144700bacf8307f03d8cb7f4e4963cf765bf8374c9af
SHA5126b361ce50b217f20f456b9d81cb37c042042950c9ef75c30d947fa26d19bc3c7bf873f7f7f818ac78a6280173969d2c2b4df12ac125a8df53243bab3b73d105e
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
84KB
MD5edecf326547a172812e19e959ae0a3ab
SHA138d27b9faec6b872063e09b76a92489660c0d4a6
SHA256e28a84dec39e994f7c1b7c53ae7b9e802be68492b31104ce71570d4ddd1082c2
SHA5125819edbd978cf4c507af924794a66631df858eb008f000f50123bc9eb7aa424ec898d6cbdbbf290d222f338f94935582bc06eaa62c189792555bbcc9f14ad4b3
-
Filesize
212KB
-
Filesize
212KB