Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 03:15

General

  • Target

    85d4d320040914343343acc669c40356_JaffaCakes118.html

  • Size

    530KB

  • MD5

    85d4d320040914343343acc669c40356

  • SHA1

    91bf94c108c9a83b7d5e60cc52a6a8afdb11b2e8

  • SHA256

    faf36bcc0b3b4b5a1d30b09ab1a5cfa25f697129bfca2b20a5747175865a21c5

  • SHA512

    fa4a78b7a5437cdb9ba0d4c792e6324e7e5c8ce5967fda3f6739c88a5b5da8ed94192ed71fe51f17931cafa1a4c5d59cb74fa6761c31312206faff2e23d3ad92

  • SSDEEP

    6144:S5sMYod+X3oI+Y7meFekTsMYod+X3oI+Y7meFeklsMYod+X3oI+Y7meFekw:g5d+X30eL5d+X30el5d+X30eE

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory (7 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 30 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious behavior: MapViewOfSection (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:384
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      2⤵
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        3⤵
        PID:600
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          4⤵
          PID:1460
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe -Embedding
          4⤵
          PID:1676
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        3⤵
        PID:680
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        3⤵
        PID:756
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        3⤵
        PID:820
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          4⤵
          PID:1348
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        3⤵
        PID:856
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        3⤵
        PID:992
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        3⤵
        PID:304
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        3⤵
        PID:112
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        3⤵
        PID:332
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        3⤵
        PID:1268
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        3⤵
        PID:3068
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        3⤵
        PID:1520
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      2⤵
      PID:492
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
      PID:500
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:396
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:432
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1380
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\85d4d320040914343343acc669c40356_JaffaCakes118.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2796
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:340994 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1528
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1916
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275471 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1888
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:209935 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2952
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1536
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:406535 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1904

Network

MITRE ATT&CK Enterprise v15


Downloads
