Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 20:11

General

  • Target

    7e3f7e32ac280481951e67b2e42ca9c2_JaffaCakes118.html

  • Size

    252KB

  • MD5

    7e3f7e32ac280481951e67b2e42ca9c2

  • SHA1

    509182a0660a0d7c4b4db05238ae4f61ab124660

  • SHA256

    fdf40cccf62b2f73118882ac3ef72cf8bdc3f9e4c1ab9a8a16bf94ce2f41a123

  • SHA512

    2473126cd112c47b70b3401d8b34d8f637a012af596f7765131a4806a1b04a150c443bd83fc1fba09a6eb6567079fed0e7e19206c6c13201891255b45952f5fc

  • SSDEEP

    3072:SDWyfkMY+BES09JXAnyrZalI+Yd5SdtyfkMY+BES09JXAnyrZalI+YQ:SHsMYod+X3oI+YdbsMYod+X3oI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7e3f7e32ac280481951e67b2e42ca9c2_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:2732
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:820
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
                PID:1044
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275464 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275473 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:884

Network

MITRE ATT&CK Enterprise v15

Downloads


  • memory/820-649-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize 4KB)
  • memory/1980-643-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2624-19-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2624-17-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
  • memory/2724-10-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2724-9-0x0000000000230000-0x000000000023F000-memory.dmp (Filesize 60KB)
  • memory/2724-6-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)