Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 05:28

General

  • Target

    7912bcbfb5d6498b247a3f2f82023da3JaffaCakes118.html

  • Size

    347KB

  • MD5

    7912bcbfb5d6498b247a3f2f82023da3

  • SHA1

    f50f03d0f8e4fbe7c5b2ecc2bda281411e04be48

  • SHA256

    4e77dfe80540eacad617949db6131777342316cce3448e78fbbf00cbe61d2f35

  • SHA512

    86be277d5ae824c104985844fd7d9f3851df6fc487942047eedad0b99115ea93881c41b5df1bc380fdf3fbe9a5b604778bf7ecb368309f34cd719cee843cf8b0

  • SSDEEP

    6144:CsMYod+X3oI+YqdsMYod+X3oI+Y5sMYod+X3oI+YQ:A5d+X3c5d+X3f5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7912bcbfb5d6498b247a3f2f82023da3JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2680
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2536
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:3016
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:209930 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2544
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275465 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2568
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:6108162 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5513337626960d642d8c4c3bb62a012f

          SHA1

          0031c5b61b7fd1edf74ac54df3e03588879cf637

          SHA256

          cb230220495249d45f7541e6c1d485a7b1ceabf90fcafe8b0ec73794ba57484f

          SHA512

          859caec6d676cf5391097dba8f8b5a3ae26739362580abc6eaf80006675e5fa979f7aeb72cbf00ee64cb9c84129c7ae50d637f1f8132a948098f56fb22b9d75c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0ae2f203338aad25e0ea52b872e90463

          SHA1

          03288891c4343d55a7a5ca4c5c0b786694286e6f

          SHA256

          154217be235c4a730e5adb14e79dec0104bc1e7035d301cce0ae79ff17059dab

          SHA512

          5ddae4eeaf23fb3b5de4db61f6d27a48c64718762021083f8e168a6e087d79685f13dffe0edfa32f01b22e64f5e660eea0eb0627603bf0b86513d12380b1b5db

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c8bf5ac028be6a00488c3ad00870a4c1

          SHA1

          19cec90d5751c82b6f287be124a4112427fce82b

          SHA256

          d66e65676c794df6a528d50b71a1bfbda6d0c8c3bc7b810f713643b7704dfb19

          SHA512

          42c29399b53eec885ed218f81e84551a855f781707ee266535bb966579c62e0907352ef02194ba4e8737809ac830d15f89170103314a9f495019a743e5cf127d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          fbcbb080e89dd37774205215ecd846b8

          SHA1

          58a0650a821e694386bcc6af5675a9aaff97d7e7

          SHA256

          8eb50144122c15abbaef6cf203ff16c26e8c680c96d1f1e429c1af610a02df72

          SHA512

          338fbcbd36d53b5153deb842cf2fcc47e4b8179063e06ecb9fc08551f85fa6f3ff6e1d3e7a544ec8cfbda3156bf929f1dfa99244eca5628983134645eba8cb5e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4badcb37e74a698a3f755ea2cf06b02f

          SHA1

          f6a7002bcbd73d45abddaf44c48f51df90654f6a

          SHA256

          45acf459d7ac4f43090d6e4ca7726357ccc52f7f3f5a2708aa964592260b94c2

          SHA512

          df7a89696fcba0bd433d957a2a51819db0f2358c4e2b5f18c8a61a2284023d5ebc60adc458fabf2c19f52e511cae4aa30688f3a065c8006a0d3568a07b4209e1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c2f757d85a37cbd261af687598dc2b4a

          SHA1

          59d174eb66742cef031e7b71fcebf71ea1482b46

          SHA256

          3d249c111e6ab321f28925edb55568092f1536b2078cb712dfbec31a33fbd5cf

          SHA512

          c877ad859fd6d9d36e70bedba0a64ed6f1e0dae2f31191e3980d78d351dc4afc83b1827fdba014d62dc6ca24db12bd88bb9b9f76b503b46d20381456821864a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d72345ba279a0ecebbc0610a8e501255

          SHA1

          59cb2cf364241e3a0d90dcf37ad93134b618f9b3

          SHA256

          55de17273591413919fae1ebe5c3de48ccc6436cc97f660709cd5d652d962276

          SHA512

          99e65b81e9b4fde25e4124dad3f9f9ba3793168a4767e1d9b90d5915b9cd875e0da6d812233d678c61eb99f59193cc902519b3cd72f52bbf67d41a6cf08fcee3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          5420bb253a7544a623f99fb6b710dd34

          SHA1

          68d9cb5da93528583a21c9a3e3df09f6f55b0d8d

          SHA256

          471721aa9f1643899da94c6586b263fb8989fcb339bdc0c1ca7bc5ba44376359

          SHA512

          031e8b2b63fcca385964f2734ed12f655ba6d854654d8f8895f46d8805c0c9a44ad9d23b7a97db48ee876df1c783577107632cc0b9f848b58d9f5889bde601f2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          f57ce59c87e872fab5fd0b6dd21519d3

          SHA1

          7c6e4396948ddd58bdd023dbe916c946b16a56ee

          SHA256

          b48244200cb2e0373cbbcb30bb9b3faa1eaa147f867c0ddd0c548da59e5b34e1

          SHA512

          36b973dd36512e1e6ed42a758d455311b4aea88f87948695dabb4492376f0aaae18d595b2a82409b3cd07488e6465bb3477ee82d43cb1ebfb8341d8a22fba3e7

        • C:\Users\Admin\AppData\Local\Temp\Cab483.tmp

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\Local\Temp\Tar509.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • \Program Files (x86)\Microsoft\DesktopLayer.exe

          Filesize

          55KB

          MD5

          42bacbdf56184c2fa5fe6770857e2c2d

          SHA1

          521a63ee9ce2f615eda692c382b16fc1b1d57cac

          SHA256

          d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

          SHA512

          0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

        • memory/2564-21-0x00000000001C0000-0x00000000001CF000-memory.dmp

          Filesize

          60KB

        • memory/2564-24-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2564-22-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/2564-20-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2596-30-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2596-28-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

        • memory/2596-27-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2628-12-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2776-17-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2776-15-0x0000000000250000-0x0000000000251000-memory.dmp

          Filesize

          4KB