Analysis

  • max time kernel
    117s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 01:17

General

  • Target

    9c8cef8c3120c7a813eac430175405c0_JaffaCakes118.html

  • Size

    117KB

  • MD5

    9c8cef8c3120c7a813eac430175405c0

  • SHA1

    6afdf6845aec12837ea915e39b72513ff56355dd

  • SHA256

    8bf9077f384ef1e62e287a8b6a9b2b9b2297f73ab5abf8ce737a97559b6b66ef

  • SHA512

    cc7cc6b6f9c2e57a8457f3a2daf678a21806f90bfd3c04ce29046854ecf65a70657ff95d99b173d53406e32078304e7bc7bd7d5756564f4c539f5d7a8744ab47

  • SSDEEP

    1536:S9AIEBzyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9w:SiIEBzyfkMY+BES09JXAnyrZalI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived family that has circulated as a file infector (virus), a worm and a banking Trojan. The chain recorded in this run is its dropper stage: a UPX-packed svchost.exe written to the user's Temp directory installs DesktopLayer.exe under Program Files (x86)\Microsoft, which in turn starts an argument-less iexplore.exe and calls WriteProcessMemory, the pattern of process injection into the browser.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c8cef8c3120c7a813eac430175405c0_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:2072
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275471 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2512
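
The tree above is the whole infection chain, and each step in it is a detection opportunity on its own. The Python below is an added example, not part of the sandbox report: it replays the tree as constructed process-creation events (the pid/ppid/image/cmdline schema is an assumption, not this sandbox's export format) and runs four rules derived from it: svchost.exe outside System32/SysWOW64, a browser launching an executable from AppData\Local\Temp, the DesktopLayer.exe path, and iexplore.exe started with no arguments by a non-browser parent, which is the shape an injection host takes.

```python
"""Detection rules for the Ramnit process chain recorded above.

Added example, not part of the sandbox report. The events are constructed
to mirror the reported tree (PIDs 2880 -> 2772 -> 2504 -> 2816 -> 2072);
the event schema (pid, ppid, image, cmdline) is an assumption.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line as recorded


# Constructed from the report's process tree; 1000 stands in for the
# launching parent, which the report does not show.
EVENTS = [
    ProcEvent(2880, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c8cef8c3120c7a813eac430175405c0_JaffaCakes118.html'),
    ProcEvent(2772, 2880, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2'),
    ProcEvent(2504, 2772, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    ProcEvent(2816, 2504, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    ProcEvent(2072, 2816, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(2512, 2880, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275471 /prefetch:2'),
]

BROWSERS = {"iexplore.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_TEMP = "\\appdata\\local\\temp\\"
DESKTOPLAYER = "c:\\program files (x86)\\microsoft\\desktoplayer.exe"


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_svchost_masquerade(ev: ProcEvent) -> bool:
    """svchost.exe is only legitimate under System32/SysWOW64 (PID 2504 here)."""
    return basename(ev.image) == "svchost.exe" and not ev.image.lower().startswith(SYSTEM_DIRS)


def rule_browser_spawns_temp_exe(ev: ProcEvent, parent) -> bool:
    """A browser process starting an .exe out of the user's Temp directory."""
    return (parent is not None and basename(parent.image) in BROWSERS
            and USER_TEMP in ev.image.lower() and ev.image.lower().endswith(".exe"))


def rule_desktoplayer(ev: ProcEvent) -> bool:
    """Ramnit's dropped component at the path this report records (PID 2816)."""
    return ev.image.lower() == DESKTOPLAYER


def rule_injection_host(ev: ProcEvent, parent) -> bool:
    """iexplore.exe launched by a non-browser with no URL or tab arguments:
    the shape of a process started only to be injected into (PID 2072)."""
    if parent is None or basename(ev.image) not in BROWSERS or basename(parent.image) in BROWSERS:
        return False
    return ev.cmdline.strip().strip('"').lower().endswith("iexplore.exe")


RULES = [
    ("svchost_outside_system32", lambda ev, p: rule_svchost_masquerade(ev)),
    ("browser_spawned_temp_exe", rule_browser_spawns_temp_exe),
    ("ramnit_desktoplayer_path", lambda ev, p: rule_desktoplayer(ev)),
    ("browser_started_as_injection_host", rule_injection_host),
]


def evaluate(events):
    """Return (pid, rule_name) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, rule in RULES:
            if rule(ev, parent):
                hits.append((ev.pid, name))
    return hits


def ancestry(events, pid):
    """Walk ppid links upward so an alert carries the full chain."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
        print("   " + " -> ".join(ntpath.basename(p) for p in ancestry(EVENTS, pid)))
```

The hash of the dropped svchost.exe changes from one Ramnit build to the next, so the path and parent/child rules are what survive repacking; extend BROWSERS to the browsers actually deployed in the fleet before turning this into a production rule.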

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      914B

      MD5

      e4a68ac854ac5242460afd72481b2a44

      SHA1

      df3c24f9bfd666761b268073fe06d1cc8d4f82a4

      SHA256

      cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

      SHA512

      5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

      Filesize

      252B

      MD5

      bf9cbe08226b0305179068c99486cdc6

      SHA1

      4ffa90dd1767bc45f2d3c91d3d0ab8ecd68a7c72

      SHA256

      cef7715e7abb1460c617c3a021ee9f46d055e942ce753980156e46c845cdd06c

      SHA512

      8d1d531c16d506cf38b5c55b3a6d39d6cbf5c2b9433999a7c9de6ee60ba558d4eb2a8b5aa0814ec83ee44c7fc03cf4b2d43481594ea0642f7e9f2e38574d1693

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      450f29d8f302b399c014385b15d90ea6

      SHA1

      8b69382aaa81cd1d951b9996214369b5ae500ee9

      SHA256

      920f7b108728fceb4440bddcf7f580ce935c89377a597021aae8d0350db26bf2

      SHA512

      ed74b39b3dc5e9cd55a3f32e61615b125e90af305be76dc175d0a249cbf229b68f7a4e5ccb73af2a3a502c5c78b1a01fa43b676d1543d4c73394cc866b5373e8

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e7674b5bd306b42ae8517bdb401da377

      SHA1

      1c429cab1f85da194d38d5cd81d27eaf1dbf932e

      SHA256

      61a2c87c05339a335bdf262b055fa00ffebed939f72c17408d0f03aa3d9471e0

      SHA512

      6dbad584c22c260d382a73cfef0f62e260752322aada669e228cb7b3fd821e3dbe05d6d28d3fc278515b04d073074bd9ccfdb32c1cd55f6ac3d2854100d6b08b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      082d2e85acdc62b2e54d57e1980bfff4

      SHA1

      3d9da594f6b19cac4df5b8440ed70c4e7ac26b12

      SHA256

      a4a5910f96c513007ff3a467bbb155a5bbc2d9d2f074c2b53ab2c341d9079d72

      SHA512

      e11e36d779903996efa6c9ccecd8c19b652f10181b3d93546fe21dd529824cc01d35f1566efec9ed8494bb654e82d1b0c72a50d95a9a9c5237b1e933d07a62ae

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      89c9e12eb1c4de6e3d21004bfe7477dd

      SHA1

      8a74f61b0f814f04a06383cf7fcb154f52cf3b68

      SHA256

      7c8c1de586cbd0cfacb158c29466c3326c02dd9054ba9d0919469bfab64f1e28

      SHA512

      4a59945a39413e0d26cc56b9c1d5f66c964374445c59797dd6f849e065ef1c177d4f4b7cda4dc947b27886b31b896675916cdc0c6921ae4b53459c57b2b84ee5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ca0a8d33373a28082a3ceeb7b15fb8e3

      SHA1

      83f92f4f2a89aef6e39eb23634a39be3562133da

      SHA256

      cedb7c885380986fb269a5c3bb7677d9e642f729566fa30c145d3f4fb6d1a649

      SHA512

      a7588f28eba828c17074b268cb4a4679306bbb33b00f8ef18ea1c1e56fbe4f2295089381856f24086ab32eb76c1ed0df9e1884bf31cee31f6ee78bf2cb01674b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5a3f9adaf7a972dc7ccfafb8a50e5710

      SHA1

      b706e00fbbf796860bfbd3a7a5c7e67f089d9a56

      SHA256

      699e934500a8a6eecb7125b6925e46c1ffc4b959d053124ce0c643c442857295

      SHA512

      e44a420d0b29315b928dc7b64c296374b26c807572c51e58c03939550fc597ef6170cf41c31298fc8a40d19a78e9cb2cf634d4496132874ee125ac09eeb7b44d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d07a82149d461d74744ff59b5ac5ed7b

      SHA1

      3c1d0518d8b89799e5b1ce8a49a5bb4d3466da23

      SHA256

      dc38bb106bffeafe47688fc754d352fbd99f7d821c23bc8346da3d14dca7cfa9

      SHA512

      71494158f687b7b5c9c470febe0557ad88920c04cf2dff58f9e342cb4dc50e9db64fc6aa855782f0647dd2504304d159ac359bc53f5325d4de12f6a449cb6cfc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      209134b57f5461032129c041a350156c

      SHA1

      66255aa821d823c02824bcc7b99332a85092a9bf

      SHA256

      e73ad369a853e36274960708ac02855593e710179160a2bd6bdea09900981038

      SHA512

      eaee4f7cdbdded4a114b7a0cadebe7c75d31a91a2b00075e868306c07bb0685cc05c639a951b171cd917f238ffb994d7c763f9e8ae4350082091ba2c033bdd05

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      dcfc854d9a0eae856fed1a77ff76acb1

      SHA1

      402010ec142a8b9b1af19f6aa3ed2ec8db96f216

      SHA256

      eeb9755518f3eddc4f676f976312fabfe2277a4dd57550cf87da21d555f7e2bb

      SHA512

      36ed8dac4bca9a0a3375706bc0ab06875a978048ed94d9e74d2552b366d12cd055e73bdc7110dd35eb24ad12e86df7f691d8500223496d81921a971a256f9b7f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

      Filesize

      4KB

      MD5

      da597791be3b6e732f0bc8b20e38ee62

      SHA1

      1125c45d285c360542027d7554a5c442288974de

      SHA256

      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

      SHA512

      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

    • C:\Users\Admin\AppData\Local\Temp\TarD1F5.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • \Users\Admin\AppData\Local\Temp\svchost.exe

      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • memory/2504-8-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2504-9-0x0000000000230000-0x000000000023F000-memory.dmp

      Filesize

      60KB

    • memory/2816-20-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2816-15-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/2816-17-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

    • memory/2816-18-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB
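
Of the files listed above, only the dropped svchost.exe (and the submitted HTML itself) is an indicator worth keeping: the CryptnetUrlCache Content and MetaData entries, the search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico and TarD1F5.tmp are certificate and search-provider cache files that Internet Explorer and CryptoAPI write during ordinary browsing, and they will match on clean hosts. The Python below is an added example, not part of the report: it hashes a directory tree, matches SHA-256 values copied from this page against a verdict table that separates the payload from that noise, and, because Ramnit builds are repacked and a hash alone will miss them, also flags any svchost.exe that sits outside the Windows system directories. The files it hashes are constructed stand-ins written to a temporary directory.

```python
"""Hash sweep over a directory against the artifacts this report lists.

Added example, not part of the sandbox report. The files it writes are
constructed stand-ins; the SHA-256 keys in IOCS are copied from the
report, and the verdict labels are this example's own triage.
"""
import hashlib
import os
import shutil
import tempfile

IOCS = {
    # The dropped payload and the submitted HTML are the actual indicators.
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320":
        ("svchost.exe dropped to AppData\\Local\\Temp (55KB, UPX)", "malicious"),
    "8bf9077f384ef1e62e287a8b6a9b2b9b2297f73ab5abf8ce737a97559b6b66ef":
        ("9c8cef8c3120c7a813eac430175405c0_JaffaCakes118.html", "malicious"),
    # Written by Internet Explorer / CryptoAPI during the run, not by the sample.
    "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8":
        ("TarD1F5.tmp, CryptoAPI certificate-update extraction", "noise"),
    "5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07":
        ("search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico, IE search icon", "noise"),
    "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f":
        ("CryptnetUrlCache content (certificate download cache)", "noise"),
}


def hash_file(path, chunk=1 << 16):
    """MD5/SHA-1/SHA-256 of a file in one pass, reading in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def in_windows_system_dir(path):
    p = path.replace("/", "\\").lower()
    return "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p


def classify(path, digests, iocs):
    """Hash match first; then the name rule that survives repacked builds."""
    hit = iocs.get(digests["sha256"])
    if hit:
        return hit[1], hit[0]
    if os.path.basename(path).lower() == "svchost.exe" and not in_windows_system_dir(path):
        return "suspicious", "svchost.exe outside System32/SysWOW64; hash not in list (repacked build?)"
    return None


def sweep(root, iocs=IOCS):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests = hash_file(path)
            verdict = classify(path, digests, iocs)
            if verdict:
                findings.append({"file": name, "path": path, "verdict": verdict[0],
                                 "reason": verdict[1], "sha256": digests["sha256"]})
    return findings


def demo():
    """Build a constructed tree, sweep it, and clean up; returns the results."""
    root = tempfile.mkdtemp(prefix="ramnit_sweep_")
    try:
        temp_dir = os.path.join(root, "Users", "Admin", "AppData", "Local", "Temp")
        os.makedirs(temp_dir)
        empty = os.path.join(temp_dir, "empty.bin")
        open(empty, "wb").close()
        with open(os.path.join(temp_dir, "svchost.exe"), "wb") as f:
            f.write(b"MZ constructed stand-in; its hash is deliberately absent from IOCS\n")
        known = os.path.join(temp_dir, "dropper.bin")
        with open(known, "wb") as f:
            f.write(b"MZ constructed stand-in whose hash is registered below\n")
        iocs = dict(IOCS)
        iocs[hash_file(known)["sha256"]] = ("constructed stand-in payload", "malicious")
        return {"empty": hash_file(empty), "findings": sweep(root, iocs)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(f"{finding['verdict']:<10} {finding['file']:<14} {finding['reason']}")
```

On a real host, point sweep() at the user profile and Program Files (x86)\Microsoft rather than the whole volume, and treat a "noise" match as evidence that the browser ran, not that the infection did.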