Analysis

  • max time kernel
    121s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 00:40

General

  • Target

    9c7698351fa0d2d4070b618f9f0073e2_JaffaCakes118.html

  • Size

    788KB

  • MD5

    9c7698351fa0d2d4070b618f9f0073e2

  • SHA1

    4e28c9d2a2e53ae6550567cae3660b5692401901

  • SHA256

    06edd7a4e4ce3aa50a35c636c78625948a0aa3526f9d5a7dab44a245d561fd00

  • SHA512

    a3b4af52cbc0d881a7dfe0487d67ebb2b310debe3c75a4bd08b706ffd726602607bc6478613f0c1812cbf0090d06cb9f6f12d07097d1caf19b2fb8cfc69b6da2

  • SSDEEP

    12288:v5d+X3l5d+X395d+X3R5d+X3o5d+X3j5d+X315d+X3u:f+J+h+t+i+b+5+O

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (8 IoCs)
  • UPX packed file (10 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory (15 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 44 IoCs)
  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious use of FindShellTrayWindow (8 IoCs)
  • Suspicious use of SetWindowsHookEx (34 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c7698351fa0d2d4070b618f9f0073e2_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2568
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2532
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2364
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2484
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:628
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2660
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:556
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2600
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2712
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:209930 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3004
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:603144 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:865283 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:240
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:5387266 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 914B
    MD5: e4a68ac854ac5242460afd72481b2a44
    SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
    SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
    SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 1KB
    MD5: a266bb7dcc38a562631361bbf61dd11b
    SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 252B
    MD5: 67eeddb426fe54c42bc08311906c394d
    SHA1: fefd89bc02f899a613f7f7a1b440e9e5479acf32
    SHA256: ac7cc266824e1b6132d826776733a2f4bffeb31d5ddd613153bf7a36f044344e
    SHA512: 1e22e1eab978feaaeb097b1033081f9a5dda4141c3d85d0127926361a7fa96fbfc36f77db398dd318c486c7ce56e253399e16a5b59079e6dfea1496810c2272c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: be8754728ceca2871d908e82d3a40579
    SHA1: 0a07c9ee97795c283a5b48764a0ae38419a64ff9
    SHA256: 1d28f50e210f92c7edcd55d52e8db8bef930b78468d6115b2652f8c75ebf56f2
    SHA512: 970acbee26cb584362b35fdb1540e644304df076a03e66cebc9e669f948766a3b48b6c23949d3350ed2ca5327649d8ad6585c0c7a9963ef9338305ca6f4e497a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 40b557088e3eb9b0a6bd9512ed095529
    SHA1: f8afee0b240e20aba78cf8c169b9c690245306e6
    SHA256: 90f0bd03151ec14b98eb767c72e35d4386b5743a50efe31a43c3b046b7b0e8c5
    SHA512: b086c55f8c5fc620694051fcccaa125e7e9c8b976906e9f1ca9612c3c1dd9820151dca94a07c4aa477834210f1d248420adf3b0ac54c4343b0e5fa8997970af0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 34e7859883779a4d7a4fb9412b59a836
    SHA1: 42590506d8538c3ef7230ac9d41aba84a764006f
    SHA256: ca38dc811a258c2f1e4dcf91fd42fde32c85ba113d2ed08853f1fcd404fcada4
    SHA512: 7a2c5f44232494498a6a700b2e9e7d479acce0d4ab3910b11a7156e03d511535d3830062b1662b054efe89fef28ce82f7f9024facb730c8c1198dc4f41f966b3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 0f0ce3bdc23a55f360efc9e86b1986f3
    SHA1: 78ce50c16f13854b3af9ae8ec3e96347111b1172
    SHA256: 3845fa2c3ca7f530f8ef009db2f84eaa59cd6115fd6182c8e90103b60d8368e6
    SHA512: 36eaa0d28e9c1229c502fa59da516544942f4af7badba2e20539e81e1c375845649bace8f5b8699ac1e9f98e66d9050a57e118e2ef6c6f3b0bd09432b477522c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: ae73a075543082461feb1debf7d6da8d
    SHA1: dbc8b1ae82c755d39fc2e2984603abc6a2c20675
    SHA256: 46cf33884846c62d276a6b8484aa7ea6386b4f8b28cfefc291c80b02fdb314e1
    SHA512: d54680bb02b4846ee5a9b2ccf57a6606b6a3e05e97780ba9a7a0407d6e5a4a665ff5ee1b9b6c8f2bc50d8c62da01b0aa12fec42600c77b24974035476a28595b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: d15b91b789f409b80ddd648d9f0fc5cb
    SHA1: 57f220d9946de52c6a1d5966b94811c4e956bdf1
    SHA256: 4a459ecf17dca4ef06487095113a8c88fe63e0a454e69bfba701f9c936fc5edc
    SHA512: 4a3b71dc94e1b91893d0278f4c2b8bdd89e3b759087883575092f05f234636e739d2acbd597e3d5d788f2d102cbad02b1dfd6a942c6f946426ed956471497069

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 2968897e4c914adec882a4760e68b8c5
    SHA1: 469f5bf6520f5d46dc173b4ccab5df7963011c01
    SHA256: d08442e2fa75426112913b8cb2061389331cffcae30311757f40f68f0f17407d
    SHA512: 8e032b23b476d9203d30d114e40dbece7d4a09062a1f652b9c79465fb433c88649d6fd093a214c77b4120b094ffea5e8c96672ab84d4c4a7b21218fc4d2df934

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 14d40a4080811d7b23a76dc41b592e7d
    SHA1: 92ec156db902cc0aa41e5b0eacb1991528c3915c
    SHA256: aba2016787da65ebb31a24f0f19338938d81aceb04dede5dc05dd32a618c1bbc
    SHA512: 9713886f4445d050c8ab70307cbdeebced7f61c961db2684aba3a96161d3b40e4852d2b09b98e3bc24c19631f31e8b68584dbc28c133f619ebdbe330ceb95a4b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: babfe65d1071030306d1f7d9da2278d0
    SHA1: 5220c0e76549f6498e4ba9a456bea49c2a7cd139
    SHA256: 53d562bd67ed8ad774784f5dcf37778293344000695b83481e00f01619ba2db4
    SHA512: 51099e5393f21a060fac6d503ce69f924f7915fde746b976258441bbe107066b53ef9743167f62630341f266f502797586685c674972e16d82e4e9343af53cf3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 1b6dc94ee54d119085a76a3f0e836873
    SHA1: d136214b9d315e47734129c5f2f4bbbec5efcb66
    SHA256: 75c2b645f2ec4bea8b1090bdbd5e12088761ab2b4890d3b61565c7469b93b527
    SHA512: 2ac5d789611aafd11e671e72494d779ddef4019483a4d1203ac3eda0f9525a9051c4dfb0e0d530a04ca7c21ca1cca62ccdec4c002d46f218be26a4f11b723173

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 242B
    MD5: f65b372f9408909040a1daad9e67d9cc
    SHA1: 63f12db9b1a516e8037687ff3af3e8fe12f506f6
    SHA256: 229148bcc3459743a1862ccfc183bcf67addaa44e588e50c56af0457efc57ce0
    SHA512: 199a598ebebaa7f6c4c808b51a4505730363a87fc744a3ae909b2340119fd22a605399c2558cbb0661c21040f8e5e4950f00da429e43b7831177a3d79ad8c79e

  • C:\Users\Admin\AppData\Local\Temp\Cab1D41.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar1D44.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\Tar1EEF.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 55KB
    MD5: ff5e1f27193ce51eec318714ef038bef
    SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
    SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
    SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/1276-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/1276-8-0x00000000001C0000-0x00000000001CF000-memory.dmp
    Filesize: 60KB

  • memory/1276-6-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/1572-20-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/1572-16-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/1572-18-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/1572-19-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize: 4KB

  • memory/2376-33-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2376-35-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2500-29-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/2600-48-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize: 4KB

  • memory/2660-43-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2764-25-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB

  • memory/2764-27-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB