Analysis

  • max time kernel
    134s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-06-2024 03:11

General

  • Target

    9cd0a1afb88a14efb6d39e6991bb50f8_JaffaCakes118.html

  • Size

    251KB

  • MD5

    9cd0a1afb88a14efb6d39e6991bb50f8

  • SHA1

    625351db3d097661a8b4a81a914121d28cb33468

  • SHA256

    bcd0c8c5618276d52cbf38f1c5a7ef543950695e22735b2b595e1e06b61b7d1f

  • SHA512

    7ef4cf98ef55d54128cf25837a6780ef2823e62508f820c855c5ee4a1fa188353444ff7cc5c88bf0298271a3a92cb70f114f5101c85c1a759b5548c6fa161d75

  • SSDEEP

    3072:SEayfkMY+BES09JXAnyrZalI+YIggM8P4RwmxaHcxI8xCzx23yfkMY+BES09JXAZ:SE/sMYod+X3oI+YW/sMYod+X3oI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9cd0a1afb88a14efb6d39e6991bb50f8_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:2564
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2428
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2460
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:209930 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2708
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:209937 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2884

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

        Filesize

        55KB

        MD5

        ff5e1f27193ce51eec318714ef038bef

        SHA1

        b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

        SHA256

        fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

        SHA512

        c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        7b19123558b9a66480dd5054d5f33685

        SHA1

        0f24bfd5b51ae3d50a6718d01ab04fddff8f2557

        SHA256

        b638f0ea66d77cbd5105b72d59aa34c95b43391b0cd39377195a0bc4e6fc6642

        SHA512

        cc38dd6a82c1a354ba9fc9a05bdfc07c57878d84a6d0f3c3ba6127973156992d5f4bb7b859677043a905e504eff6fed30b05e6b88867bb694968dd9268c77361

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        f0dc3bd35d050a8abd9db99876a2cae4

        SHA1

        bde2f04a3f5567bfeb3a359e499b7f898d3f0c93

        SHA256

        8ab9ba161b18529300b7f919dfff8b3b2e9fdfef86ff91264ff6fe26b119bedb

        SHA512

        f3d7da98604a0182d8b41a692de58180bd3c4c86771aaff2225e250ebc75b3acab8e7ac9283b9258d24cf6bddde3b5b70b2916888ec33f61fdf6f5bf42932bf3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        4069fd71ba3ef6903589fbe1e5c77ded

        SHA1

        f6771b326d1fb506d0a894d0c1a01c3179ada445

        SHA256

        b79aa6689a463438400240443e877667b94b629f01571cc05c231794e9667c10

        SHA512

        3cbd4c4a49e3080d8d54330eef27aaf9d297dc3528a975b2df323b2e026bd983ae117c5642f1b9e724a9b03a57a5270e5c5dd07fdd33ce1ac84e8857af8056be

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        7ada516cee5370a555c56986eaa2f7b7

        SHA1

        8bce25c754111cf11e4b9b5723166bb7e135a278

        SHA256

        0d01d7ef6818b9e202c0eed876af6af173187c1bdeacdef2313819097774f2d9

        SHA512

        bbcec4f5ece470129ad7a6db7c06f3e416e64a6726cdfb8344ae0d7a31f99096201046914c1ec13597a008ee0e71f934980be0b55b8f0f0addf5907d8679392e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        54ec3c597777326fe0303c2f4c3bf5b1

        SHA1

        a05c93f1b18df3fae4dd5cbb7127a888667678f6

        SHA256

        bc7fb16a5bf5594a639a8de8743ac9d5bf7e8643bb065520cbc0345c26de71ea

        SHA512

        2a77de1fd5b7d6ebed67971c64d5cbb07ffe96eed06382ea42cfac12eba29a2142363d52fbaef46ca9cc1745249344cd5b84b7f7283e333f1212a53b634b79ae

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        731dee992624ace63e9a65c712f09f58

        SHA1

        fe95e3339e39ea96b78e13fe772506436990a121

        SHA256

        89c0287e7489d2d4b8206e37df6d3fd75738551d0123930985a037da545c1836

        SHA512

        bf420f9a3f3faefc29073843b598ac26015795c7f6e63f434540cec508893f782d03a0c8073bf7c7c928f3efcae7743b3d50ae424dca442b30ddccf15c259316

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        695274afcd4f47da429401279cde9ea3

        SHA1

        9b5b3c1fce771b193cea93cbc23243eb30bfba68

        SHA256

        beb218b0b5a30b43ec2981fabcd9d70925c8d10839754d0c18d76c84875555cf

        SHA512

        a470e64d35650ffef4aca66c42f355b98941e6faeb3326d16a8eac66ca33bc7cd1870c8141fc9e5449f28bdf94d7a92acc5d3a913f570f43a561ef648f38f451

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        61a137fa4fafc678719308c50daebe1d

        SHA1

        5a02936c0d315c2731fbc94b076c95624aa21758

        SHA256

        955550284290da82a40c13c816586d0fa76f4811f007129bfeb4de9657da2ae4

        SHA512

        200868f169ee48ea9eb6e84c650ded5368a9bfba0ab387ad477b142be03400ebc7dc362601cc7e23965fb33d8b3e0d6f971d390ca950198e14460fbb6551486e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        22e66d10089debcff088a2cb8c3779fc

        SHA1

        eae7188636104414e9b5c4801ee89a8509642993

        SHA256

        28b1dee38a5a472085a8f59060ae84aec335f80bfccfa6bce9ee86bc46ba566b

        SHA512

        fac76c4e975e51bf40ce80384da7e98b04952762eabedee758434250e593b25748a22d77b27bdf3792b6a7acab2652488218faad1ec3966ea665854d687de53f

      • C:\Users\Admin\AppData\Local\Temp\Cab227E.tmp

        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      • C:\Users\Admin\AppData\Local\Temp\Tar23B0.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • memory/2428-23-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

      • memory/2428-25-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2560-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

        Filesize

        60KB

      • memory/2560-10-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2560-6-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2812-26-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2812-20-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2812-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

      • memory/2812-16-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB