Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 00:34

General

  • Target

    9c736e13831e5a85131a32fb1923eea3_JaffaCakes118.html

  • Size

    191KB

  • MD5

    9c736e13831e5a85131a32fb1923eea3

  • SHA1

    31a7f5cf63d7f9d6a0f4faf9c78d96f9a6a70153

  • SHA256

    93f5c54469b5f6ed5bf9fba77dd230e9e13a8727ba25fd682dfdc0d6375b2686

  • SHA512

    4510819093cc85c4d6f416269efa88139add8576bce704aa9485f980ae58483049ac6d2b382c1c9555b68c6131546e2b531a4749484e22909539409d91c8aca8

  • SSDEEP

    3072:Sml8456yfkMY+BES09JXAnyrZalI+Ye47uM9f7UL:SoR5fsMYod+X3oI+Ye4pf7UL

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:376
    • C:\Windows\system32\wininit.exe
      wininit.exe
      1⤵
        PID:384
        • C:\Windows\system32\services.exe
          C:\Windows\system32\services.exe
          2⤵
            PID:468
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch
              3⤵
                PID:588
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  4⤵
                    PID:1320
                  • C:\Windows\system32\wbem\wmiprvse.exe
                    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                    4⤵
                      PID:2408
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k RPCSS
                    3⤵
                      PID:664
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                      3⤵
                        PID:756
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                        3⤵
                          PID:808
                          • C:\Windows\system32\Dwm.exe
                            "C:\Windows\system32\Dwm.exe"
                            4⤵
                              PID:1168
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            3⤵
                              PID:844
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              3⤵
                                PID:984
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k NetworkService
                                3⤵
                                  PID:304
                                • C:\Windows\System32\spoolsv.exe
                                  C:\Windows\System32\spoolsv.exe
                                  3⤵
                                    PID:380
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    3⤵
                                      PID:1072
                                    • C:\Windows\system32\taskhost.exe
                                      "taskhost.exe"
                                      3⤵
                                        PID:1092
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                        3⤵
                                          PID:2068
                                        • C:\Windows\system32\sppsvc.exe
                                          C:\Windows\system32\sppsvc.exe
                                          3⤵
                                            PID:3068
                                        • C:\Windows\system32\lsass.exe
                                          C:\Windows\system32\lsass.exe
                                          2⤵
                                            PID:484
                                          • C:\Windows\system32\lsm.exe
                                            C:\Windows\system32\lsm.exe
                                            2⤵
                                              PID:492
                                          • C:\Windows\system32\winlogon.exe
                                            winlogon.exe
                                            1⤵
                                              PID:416
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1200
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c736e13831e5a85131a32fb1923eea3_JaffaCakes118.html
                                                  2⤵
                                                  • Modifies Internet Explorer settings
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SetWindowsHookEx
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2772
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1612
                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1524

Network

MITRE ATT&CK Enterprise v15

Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                4fd7b76bb744d1ff83e813b647fd732f

                                                SHA1

                                                9b47ecbc75fdc6789659424440f32a6bdd53fe44

                                                SHA256

                                                a2b79861d7f2d5c55dbd8da537d17f1f29fd0cd45406d5d4b56343ca6c27571c

                                                SHA512

                                                f5dd57c5322f974c37617959a2583717a9f9c18ecad79904b1712b832236b68696d8757edb4cacbecd560ee837cc3f2b7c177ed313d3af2c4c2c6e649f09a4c3

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                aafe8aa5f10335bc5b87f6e9de87c8eb

                                                SHA1

                                                bc02784d0931cf6c22c1f9c7b52c505543ef15d1

                                                SHA256

                                                c1e129b488bb357c6f5be386f0a7c9c7ec9a0872965ba84095f2e00eb1b9dc04

                                                SHA512

                                                3450650f7762397ed825bf160e90a840a10778469fbb05158e62e4ec8585569ffad52de7cafced9be208f8ae4c64f49951801ca25360fd19937c52cc0ab2b96e

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                8b379924e8dd3a5234d83dae07ca4ed1

                                                SHA1

                                                61a4ca727d573bf907d36d852d3a86c9c17fe405

                                                SHA256

                                                f388752c0f4ef43d86008899f2e79d979523e0e6e2b5b686029b50240d6829f2

                                                SHA512

                                                e9af7b5c8e15270948765395e48f076080e6637e3a00b20ec7d9b8100da2a05a2753964d1de4195365bfdfdababa27e63ba95604d9f93f159b8201ef1b23b624

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                40a18dcc57104810ace1c78f2883f292

                                                SHA1

                                                0bb8c0b6a76e1e9d2e00ad8c9b99ae1bb4206ef5

                                                SHA256

                                                60ca7089f6900936f3d31bb7b416e52836f17c6d0bb6f6768c3c533077f67ad5

                                                SHA512

                                                7f59120b720a967865e13eeead7fda3ae7bc99adc902495a4eafd24b6e62414613bec7ad0e9ee2e3108fa41ff26b4b938c29376a00a3eae7f37898e35ff1a59d

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                1fdfcce1ef1d9b771f0440b945ed9ec6

                                                SHA1

                                                59fabe28504b9ada1855901f540c00d9557f927f

                                                SHA256

                                                baecf324c88bb7c2eb3bcd5e7db505fa361c3c9632d047762d5ba41abff0796e

                                                SHA512

                                                9eddabc3842cce3a38886aa57b1a745eb14c6614e7cebd576db05d988b9e682e6d1653ca8e53ce464c6092b06125c62dcf636f2ca058ffe0de0068c7b3595b83

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                1a0d7256fc39c087e1f9944da5d25987

                                                SHA1

                                                336869ba6e81752ed4a0e7d01e0e81ea530ef495

                                                SHA256

                                                c8b4db113caafbff51b1afce2844890c216e4325cc690946391c2924a7332f7a

                                                SHA512

                                                f2e03fd203aac3af6f7eeeff6942283b624b2ae94ae121f8a45e5950d1de61bb357d5b0834ede707cf3003d8926e09d0fe7dc07f3ad8e7b45a08fc614b0eb6fc

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                50d3cce38054e1ee5fab7b9a719f9c2f

                                                SHA1

                                                6ff908a0bca95ddeea8b4452d1fd7d0c14f85d6c

                                                SHA256

                                                5a9b2eb5fb58e06b8e6d5c37846f8590d88c60b03044d95a3cbd7658c3d35055

                                                SHA512

                                                106eb124d4f78b60eaf6b649ace3da4fa36af2a80fa217bfd728ce1efca97e33883bfdff40133c9678cbd9d97908e05e103b19b5f829a9aae4005c40c432ab0e

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                165280db60d53068bc8b7385acff1d51

                                                SHA1

                                                28d0e9e148092afe05a75ce44b24a9e2d5668baf

                                                SHA256

                                                c27901b791267858550382080518a25089675d754586dbd83a2d52708d33b04f

                                                SHA512

                                                7efaf6a7be109b98d54f90953ca7bb5c0d793dbc9a2ca18efede724845bf7a71fced27e602964d530231e3f94d51b1e26155936615e8533e2e616b380afca41c

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                6b2487ee1f44451ce9a7e54a134cd59c

                                                SHA1

                                                7315a7056c0d2e33a3501e05f412368fc94174fa

                                                SHA256

                                                48d67e08434937c4f7935d12a2101807f5662f77a650707c6a06938ba0a490f3

                                                SHA512

                                                1bde12004b9bb47150605cfc8d2328d2bcb6562086d83492bad90b5ac5831ca940107a9c5d767d41c6eec67fc064b326b3b1bed94726ed5af2e30bfba87bc43a

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                48a8f1a9a886bc51bef55f07b3323b0c

                                                SHA1

                                                7714f0e9db9f6f68d676b8f76ed3f4297635ae18

                                                SHA256

                                                0aa8d6bc8ab47a0ca55beca9dfdac8840b51bd34b446fbb0c22f3d70d115018d

                                                SHA512

                                                6074994ffed3e4053db2ee04689f6e0f9cd9c7214181b9776ababeac2b104ae3b094c364b64ab3739c41be221b220a59753aa746d5271bb483ca2cab81b2c179

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                e350bf7af2b3dc35c16bebb7e8c35440

                                                SHA1

                                                f7fd1a7a3dd0a1877efdf9ce3b1cca3f2cf29d07

                                                SHA256

                                                010026c82c5d4fdab6cdd28a662fc2cc41550f634db8fcb31053a3b789e07d9d

                                                SHA512

                                                1b1a6286263436297818ff6c5fc950f45ce49c270637c7037fc62e2837b1049f8f68c6afbee599d9d4a9bbebb332e32e05aac06ee73765d6d7f096f7017ab4a7

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                67d3e38042a56944b639d3abe6273bf5

                                                SHA1

                                                83dada17053ad0b5fbf6320837f22d17384b5258

                                                SHA256

                                                554f58ee84b409bbd609a923aca478ec5789465aca2c82311e3b88c9e2419ddb

                                                SHA512

                                                2a8b34ff1dadd042bdb5be757cd15e88bde6fcc146335c71860e32199633195bdbc163cab6177b156ef956c5c0d5e14aceeba1f535a0316736b90ccf0f5c86f3

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                6b942fa3d8ce3ef4c3363a294185917b

                                                SHA1

                                                8bbfecb2ab42d7f30e98b31b6c050e2aea049cdf

                                                SHA256

                                                834b6b2bcb2fe0474fd50cc2723c280cb922cf9073c29b70bf040a91f81f5d76

                                                SHA512

                                                d606c3e5a4368d669a4dd7a86327406596c401cd40763265f41894af736be9bc650cdd27329c917095569b136c568b4e54ba99d1c95e60a79532149341b56518

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                2beb48fc87ece17db5835d1cb8b9465f

                                                SHA1

                                                f272ac6c9e7ce3acf2f046fc9674183473e6283f

                                                SHA256

                                                133ab222efd0bb3be8b3c55caf3625ea6b346ab4181f81e6d08c8e3d02f02a81

                                                SHA512

                                                c03254a12a281a77f50d3c99a156e23c190f906cbde4115238fcc648f4cfbe3845e020855c0c2dd22a5feeb2906307254eb4c5916466cc842b02a7063943505f

                                              • C:\Users\Admin\AppData\Local\Temp\Cab8C69.tmp

                                                Filesize

                                                65KB

                                                MD5

                                                ac05d27423a85adc1622c714f2cb6184

                                                SHA1

                                                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                                SHA256

                                                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                                SHA512

                                                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                              • C:\Users\Admin\AppData\Local\Temp\Tar8D7A.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • \Users\Admin\AppData\Local\Temp\svchost.exe

                                                Filesize

                                                84KB

                                                MD5

                                                cc9104bc71a23e14787188f3634a4d05

                                                SHA1

                                                0b537406933abc1738ef32b96069961d024f1b8e

                                                SHA256

                                                aa797033a44b0ab42e6428552b5e85bc735c84082493f63b4b3ad0843859b28c

                                                SHA512

                                                023b9655cef044082ceb44c6644d834e4ba9af088843674cc8e816cb4f4981bf0958b0c82002c1597c8818e57af0f80d4cf3ab771e68af5a33cff752363c7df3

                                              • memory/1524-483-0x0000000077A30000-0x0000000077A31000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1524-485-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/1524-482-0x0000000077A2F000-0x0000000077A30000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1524-484-0x0000000000280000-0x000000000028F000-memory.dmp

                                                Filesize

                                                60KB

                                              • memory/1524-480-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB