Analysis
-
max time kernel
117s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
27-05-2024 02:48
General
-
Target
77a9a1f81a1f4b424242a14e6f1a6915_JaffaCakes118.html
-
Size
179KB
-
MD5
77a9a1f81a1f4b424242a14e6f1a6915
-
SHA1
7d70d74ab8ec09c99b9909c7d592943167fcf715
-
SHA256
2865796700a842d861662d6c339e3a54905ade5e5aa36052e8e0e80091f0a684
-
SHA512
e85e8a413f5c62b2d47eec11431b73575b014b8ada7aff97e29d8b92d42760c6dc51be5d74f198e921c38000676e91d5f5035b631fda9375844ea65b615a2be1
-
SSDEEP
3072:SztD6UMyfkMY+BES09JXAnyrZalI+YFrGOiDXev:Sz4UxsMYod+X3oI+YRGDev
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\77a9a1f81a1f4b424242a14e6f1a6915_JaffaCakes118.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a11711f62081d9bf2dde9d89d875ce93
SHA1e50313ee74460c71aa8312c0f0f9e5c457d242cd
SHA25608db610545a629ef1e34642ed643fd4064c8f1745ea034c393f68977aa388e25
SHA5129a3c53595d61bfdf8c078ca5f91fb2593033b22c0bb6081b8545f069aabfe4b5ce5977845cab75252c59209ae55baa43b6cfb88aced2fd1c7b4676424feb3846
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e72b3cd231c8f9c7c810412a9035f688
SHA19f653311f1745a79ddd44fa0c5fdce578647502d
SHA256cee5105e4644527f3059c2c907e6ec9b91128447fe61b56db9783e9eee71a59f
SHA5120eae9a465bbcbb3f7fdc3f59109a3e73a82e28276f98bedb2af65387fd1709ff2d4bf67618310b3a13aa033bc3574055b2109cbb737ab045b2645e5d7828094b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD513ffab6506c0caa6ae49975c6e3ae94b
SHA17ac949fefa913842b865ed8f6d214f9e38040856
SHA2568c5a7170c24d9dc83711a59a851666f8f610ab96425725b6fbf4e970f13e3aa5
SHA5122a30a335bfdb4075ac66be06dde1b28292dc1189e3ae88d64a7292b5cd1a50eeb9ca1af3a9a5dde4f9dae2812dda45e548473bdf9045fde513a7e7b6df8c0a88
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52fbfb536e368eaf0373e3eddf6bee1ae
SHA13e31a3a14989135e0771389503ad3d326fac84af
SHA2569ef5a55581739f8b71ad5d92dbc5f48e802a6109dbf5d2521bbf142a070aa0e4
SHA51244294b6787f8e28b3d447826ddfa1d5ac674e651c4abee54415e5a3f753416970d5e5cab5d99a206a8b6268e1ebe9a02b2ef9f96ea6d826a100541e6ab2e6dc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5bbfbc138c8b568cc5f19a5c2014d2121
SHA15d77378031e76643c8a20ba364740ef3a19a61ae
SHA2561a9070bbc43eb7fe9ab1b2110a05cf68462399900a87a205c49905630db1df4a
SHA51221a94fac3fad394400707d6f812c07b41549e2207fe7a1553a49c32c8f03eadc44c25becb99997d4018dc62e1199ecc6241a20d20b5d5b54f42b166cd94145bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5984d5258d516cc93fcc1e84a917c316d
SHA1fbcda1a73a21daa5634a4aec9a159bb60f220802
SHA2560774c56cb6eeae0417c624fc8c4c32429286483e700a296848d317051819004a
SHA512dce22a0597020728ff1b1fdcc4701f741d0edccc6ed7f1279661f9c323a0c056355523fcb841ffcff2b789c983d9f15b92ef92f47ffa08f3402c9c0d872cf42f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5501351546c5f3bd69c0cd7a362ed7d32
SHA1f63372ac7b4351e1aa3770e2a087596bfa233095
SHA256e4db030fbdc5ec2ee5da6f4bad6e02e40218c1c3eb8e30303bfe73bae93f0487
SHA512d9e3483b12ede1c44da3e8296b723b0703c317923738d99592f99be75df98552334820af1c568b5554fa1d81d4c3b3104ae44865b075e88842588414d822c0bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54b5b67910157dd3030770d4fb8cfcf09
SHA1394ab2de651c957e7e5a4fea62630a7fa9c18324
SHA25692c764579480450e72dfdde00eb9d6a0a771765efcff1b981966ab1225f2e2e1
SHA5121350b1935479c48fe04a17565202529c8d6909c3164ae910aa5a2cebda068dd7513a7b808ab1f5a1c7b0e79a9ebf273d0a6fa8e46ba88f79b9b78e5429b0fb8e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54715efeebf65d736abda6c69bf5ebe51
SHA1375787b24b3056c71280efae46e73b66e63e200d
SHA2566ba57f5467d0a934e370c8cd9a0b1a35d0cab653b2e825af35fe2040bd901333
SHA512991cc8bc116730d4c8987835a0aa62d7259ef02246114bd07c1a2572e2bded840a8c47ac06a858d57f0df73977f10e704afea0ede4e302f3a722cb9471895b99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ca49a9ae35814f9f8087cce71aa71b4b
SHA1848da980a8a68cbbffc6cc52b1790b5e2b8d2b0f
SHA256444a79d8a2c18a657ea2716cfcc5d06f249915e02df67591a35673a44ca87a68
SHA5128e858bc5986481d39122c78e60b306d118af9e3288bd806ac54714c6689fb89129112f475883c6e3d271f719f4a4c70c01b5fb918bc6af943f41bb009e442e25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f11969d3902d83259006f5edfd04eb22
SHA1b10b1506c3c0b0ed93231b91843be0d39c33cea9
SHA256cb9ad2d5e311d9cabfc38b48b8882d3800b428345b744d3313208efa1fc1845b
SHA512515c095eece6f072fa1ba33f82f540f1f449f924596c323113afe91b6b15196aff281c1cab2d3b8530ebf0a69915703310829a6e2b630d0bac50191497a00e86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5104b3f6a721c576886144bd5a429b7f3
SHA136c2a2fc335e9bcae11023381cbe8561eee24d77
SHA2567cccaa29c8d3f4c8d406b0a9491b052f2ba7626aea61330217f7f8fe01be353b
SHA5129a81feef59f50bcd59ac32bf7c1e88696817cf48def596b7c0df91ea7708a43b1583e998814f81bcf0efbf64f7762f841bb8a99ac8e1a651bcca20379fcdc761
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51356b786e38cee2c2f006622c6839aa4
SHA151bb270172fd89e568a8db8f2e88d90813d2a5fe
SHA2564deda97753bd37f2d28409d960a9a2352334f78125abfe9279d5dbdd4fcee74d
SHA5126b0320a746e2c0ce54884e177c30f47b8de9715654ac92e946bf59e7c3d67f7c3c11d6a138ac298eb7cfd371155e4f1bea1525bdced64b25e147244de3d7da0b
-
C:\Users\Admin\AppData\Local\Temp\CabEF80.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\TarEFD1.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
84KB
MD503451dfbff127a5643a1ed613796621d
SHA1b385005e32bae7c53277783681b3b3e1ac908ec7
SHA25660c6c49b3a025dbf26a1f4540921908a7ea88367ffc3258caab780b74a09d4fb
SHA512db7d026781943404b59a3d766cd4c63e0fa3b2abd417c0b283c7bcd9909a8dad75501bd5a5ff8d0f8e5aa803931fc19c66dcaf7f1a5450966511bdaa75df8a89
-
memory/1804-10-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/1804-6-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB