Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 03:31

General

  • Target

    9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html

  • Size

    531KB

  • MD5

    9cdc3ab1ec0498cd16b1ce5d8573efe2

  • SHA1

    32a8944e9a088a9de256710f5d5b52fe8843c34d

  • SHA256

    2ff63ce7d6c154e13899100aac7e8a0dce768f83b5dc4b71233fb285f172ccd3

  • SHA512

    b9bb5dd2b1226aeb4c70983c840e9039ecac9ed22b315d1c6ea0b4231b060ccdc07d1bc727b601925e7a3a58139559db7230dfba3c6a0fbcd9baede89e78b7ef

  • SSDEEP

    6144:S5sMYod+X3oI+Y7meFekWjsMYod+X3oI+Y7meFeklsMYod+X3oI+Y7meFekw:g5d+X30ey35d+X30el5d+X30eE

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 9 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:384
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:476
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:596
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                4⤵
                  PID:1448
                • C:\Windows\system32\wbem\wmiprvse.exe
                  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                  4⤵
                    PID:2916
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:676
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:748
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:812
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1144
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:844
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:964
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:112
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:1036
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  3⤵
                                    PID:1056
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    3⤵
                                      PID:1120
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      3⤵
                                        PID:2188
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        3⤵
                                          PID:2080
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        2⤵
                                          PID:492
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:500
                                        • C:\Windows\system32\csrss.exe
                                          %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                          1⤵
                                            PID:392
                                          • C:\Windows\system32\winlogon.exe
                                            winlogon.exe
                                            1⤵
                                              PID:432
                                            • C:\Windows\Explorer.EXE
                                              C:\Windows\Explorer.EXE
                                              1⤵
                                                PID:1180
                                                • C:\Program Files\Internet Explorer\iexplore.exe
                                                  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html
                                                  2⤵
                                                  • Modifies Internet Explorer settings
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SetWindowsHookEx
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1676
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2308
                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3060
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:340994 /prefetch:2
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1312
                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2100
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:406540 /prefetch:2
                                                    3⤵
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2248
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275470 /prefetch:2
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:800
                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2412
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:406561 /prefetch:2
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2392
                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2680
                                                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:2241557 /prefetch:2
                                                    3⤵
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2028

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Temp\~DF8DB4D6EF1EEA2AC5.TMP

                                                Filesize

                                                16KB

                                                MD5

                                                6585454cdde61809f12f1dcd33867757

                                                SHA1

                                                57622c863a4592c2c8f033082ce0bced8f190f51

                                                SHA256

                                                3986ab998508a9e4a932c7588cb76b937f0cc3781ca357153ae3db323e7f70c1

                                                SHA512

                                                afaefcce077a8bc1a7288977e911b5428be9697bbfd3a4d586261df69c18dc7c33ee8cb76f02255c8b8ef8f9a554e1f1ac5dde368cc4cae0e80a1461f1f40412

                                              • \Users\Admin\AppData\Local\Temp\svchost.exe

                                                Filesize

                                                84KB

                                                MD5

                                                bee6f1f011766a1f40f0318adc585640

                                                SHA1

                                                f9452d74dad86e1dd38108965e40585ff8ef7951

                                                SHA256

                                                c8f1baab39b7c77de4504ce7f758ef46c0659e01f6af6922d1a4518687aa6ec9

                                                SHA512

                                                13714e5ab6d7da1ab4faa85b4c9801866ffa89f5b39aa053a03aeb13d4adbad4d9bc518f5586a18bb0bc7723f0e6168940ed70d7d6cf71d82120135fe0d51bd3

                                              • memory/2100-21-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/2412-32-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/2680-43-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/3060-6-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/3060-12-0x0000000000400000-0x0000000000436000-memory.dmp

                                                Filesize

                                                216KB

                                              • memory/3060-11-0x00000000003D0000-0x00000000003DF000-memory.dmp

                                                Filesize

                                                60KB

                                              • memory/3060-10-0x0000000077BA0000-0x0000000077BA1000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/3060-9-0x0000000077B9F000-0x0000000077BA0000-memory.dmp

                                                Filesize

                                                4KB