Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 01:09

General

  • Target

    9c87b9787af0bb8f3df2698f8ae19bea_JaffaCakes118.html

  • Size

    466KB

  • MD5

    9c87b9787af0bb8f3df2698f8ae19bea

  • SHA1

    97c4343484af3943e5ba2ffd48ecaa23b93a36da

  • SHA256

    cc3d7b68c1f56641a5ba85352618e478ef6515e7d060760d30d54430d3f0046f

  • SHA512

    059a4fcb630cd588db36c61859f2afcacb59159cd19fa4e6522f795556aa35df5be28b1e48791ede00d4c4a8e930719389e6e2f3241a862407526866fbbbfe21

  • SSDEEP

    6144:S/jsMYod+X3oI+YtisMYod+X3oI+Y1sMYod+X3oI+YLsMYod+X3oI+Yg:S35d+X3Dg5d+X375d+X315d+X3C

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c87b9787af0bb8f3df2698f8ae19bea_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2528
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:209931 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a5edc7946452e73fdf69f964035119eb

      SHA1

      8502dafb4a9d8b20f1ece10a89d3f46fa6f27c67

      SHA256

      e974a426ba5c858d9a85cd59d047333a0f7755cdb5d54e84487f79d2288ce5c1

      SHA512

      f57428cf10aa6d5de6f930aa86dfa5cf9591162f81c5dfd59a996d5920e8328c27a9549e05dbcb766af4575f3ead380304322df869baf6ebd6afddeb634905ad

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b27a22e370a9a55c8bb6170478672065

      SHA1

      ff4753f15039d98dcedb13b83e0682f04f5b9246

      SHA256

      c9d18298a9f090729b49c7e22a02983122f476ea502c38667e3c2135129a47a4

      SHA512

      cac60f7c85470d31516cf2faaa15845e6cea0fd801f0212bb48282ee0f8d3417917552c7682f830c46fc75e16ef1eee5655596f28831c914f72f1befffea1472

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      46902780f9c84be4ae0c12edd8aa7242

      SHA1

      206517331530fa3e7f5ecadf59ca4ae7a4998d25

      SHA256

      965f4d2d80e1f6d47c8f473d3f4f812069a63403a86e5982143392229eac5ad6

      SHA512

      4309ca837aa21201bf11b891e8c584541111d1030dcdf878a48c29af9fe9dc415701c79fe110d7095108803314798a21c4ad2b36a50d2936613efe1a6739218b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      899c9a662b2e8be7d8589f7294b42292

      SHA1

      9076f99d5e5709e0f362ef6addb73d82b2630486

      SHA256

      71d309fd22f09a31e70cee5025f2f996a2ce77458f0ca520fb34c39fa0fec17d

      SHA512

      7840e99bd63dafd904c4c4145fc028b3992fad88b716d7b52f7326b3b4c2e8c592f61a3b92a6486d0beb8fe8ecd603fb3f1a1deca976239cbc4a2250eca43345

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ee18249d6cd6406e9d1588fef252f2cd

      SHA1

      474644ceb9c6246789ec80fefb2c6e44c780421b

      SHA256

      715a101b02bb64b2b814c0954274b01bfc8ab25acfa1a816bf389a2d7b9c1fc1

      SHA512

      119520752563f59e1151d35625530a0151d5887176b12d166fb1077cfb95f3fed103ebe9f080ac6900c5c888b2c41cdf87ce662da130da432850742b8f650e6f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ebb1a249c2a843c81ba3ec983221d530

      SHA1

      f81c6407462b1c74c19ca23a6c1ca4ca136a29ca

      SHA256

      637fb0ac5e4729d6a5f03a9680f830d42f03c9f5ecbd8645f501ac17fe53277d

      SHA512

      6cf078e3b87671f92f2c5180f47bd96c698d785dd4471733321a3f09d0f4dc978b2ba8bb5e10ce7fbdb86e6fe59263e38f1ff4234248982a4559f13861daaf81

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5a0bf8160abe12dc8a6c703354d9f9fe

      SHA1

      326acb3e5687547ab42825a69e691b6bff06396b

      SHA256

      faa3a4437b3a8c3fe6892eeed24a3ef020734b78aebf106be6a129a9e3a9d746

      SHA512

      19a2c08badeb66181386d0a0a3676455629fd0367abb9f2bdf08fc2470d957206debeb55628c7c065290ab3de8d6291b9cd3725ebdd253389f0b5f2c7da8e1c8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      835a5623611acfbe3b2108bb80fa7cc6

      SHA1

      c2bf1550024d6a4614509ff461f9046658cabfae

      SHA256

      62aecd0fd50f69b256b4974ac332f46ef6ee1fc7dc105b462e147a9b809295f5

      SHA512

      2d3f7c0902db6b88d79b278f5c724693653219b4d0f2060568f27d0afb49a48fce0caa6b561366cf8a589a547ce06c310cc1641541c57f82f5632668ac93aadc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      4776ec50a86edbb4b0105f5a9fb89bd3

      SHA1

      666a3b03a1ffc4d5489987832909a59f3c77f614

      SHA256

      2b2420d534bf3d23a41bc291ee9fb7f712cb1ab4991dea3d63d588a5c7190fa1

      SHA512

      78fd696da291b63e8354a02d68962ede382b997cd31d181c5c83b5249fda7f1e7862db6a45c72640e95802420db939c91c5da03f553c709afc32ea4f877a8672

    • C:\Users\Admin\AppData\Local\Temp\Cab96C5.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Cab9783.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar97B6.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • \Users\Admin\AppData\Local\Temp\svchost.exe

      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • memory/2392-16-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2392-19-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2392-18-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2672-7-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2672-8-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB