Analysis

  • max time kernel
    118s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    14-06-2024 16:07

General

  • Target

    aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html

  • Size

    2.7MB

  • MD5

    aa96a2aeb4016fcadca7c70faaf35676

  • SHA1

    4711dcc4d37d162a62b2e590bf86d993edba398c

  • SHA256

    5248d27ed0f12bf7e2410e0682dd84b02789d5cac5e8007216f4be1cac12b0d9

  • SHA512

    c3ecc09395066fe050fb1d0e99000551f613687aeffc728d0721c035ba521b01cb1a0da2df1e182e005e359fab8a661142e13472b394aebd4e01aed978db356a

  • SSDEEP

    24576:K+aDHsJ+aDHs2+aDHsk+aDHs++aDHsz/+aDHs1:YS

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 16 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aa96a2aeb4016fcadca7c70faaf35676_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2576
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:860
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1088
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:340
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1448
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2416
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2384
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:209936 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2584
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:6566916 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:537608 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:912
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:668683 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13


Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                8ebf393b6d61ecba9d159c04bb2f940a

                SHA1

                e4f8570ebefbc90807de5414e9e228572f177fc9

                SHA256

                853c9562ccf683ee450bc8c45bd795bd262c78432ab1d65c60b52c6d3186196d

                SHA512

                8a855f4a2c87008659ce4d065aea24515d7b5f9aa965e0495054df66842e322f46a6194d8a9c33b3d221d5ae988b4b82cb2221a37a075b486cf6e3d32e5c0f68

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                4eaf519179b770c005e6cccb0dbaf55f

                SHA1

                e9ebf5b0f2ffe2ac99ced5079c6e03569761c100

                SHA256

                e8d894a81d37d9183bfffc895da7bac784979cfc77032d9e9bcc09cf7bdd7aa4

                SHA512

                19e7ff208ceec440551648e32a432eb13ac0b1c5296d274c9257ac56f8fcf925b2d7e3e840c11f10aa0289f63d25387928cc63ca1a1dbb37bb75f4ce9e38bc51

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                8eb83a7a387647d47aca432eee9d4b8d

                SHA1

                45cdc2549ba96968e103e350db15b34b30a8742f

                SHA256

                9c657178d1484e074a4267fea38bfc26454da9b6031846d1edaf5bded46947bc

                SHA512

                eba0efcbff0ef76dc9f680d2e1e1280d659e7eb25219253e8ae282914e73936fe585db9eb20ef15758d74710172d89f9c6e42f1a938bc23112c705bedf57d390

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                23024b4a0aa07effb9d49152dde841b3

                SHA1

                443a6ff973b0c43a2eeca1e24e67f4a051e1d732

                SHA256

                29dd02251dea68db1de92d414a45b4a610810818ec6b125ba3a0a4e39a61a9c6

                SHA512

                181c1a1221a4a575db673c79418b6840e52345f864cef2798656314b3c14de84f7f9751292db4ec5fa838148fe5a551b0fed663c346a0e1c50059fdcbed449f1

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                c3c29107087716cf00bb11b0749d74a6

                SHA1

                0cc8aafdd50dae1a46ff2f790d999d6b634c9599

                SHA256

                5a040998edc48c2e9ece20bd74441ce441b97c3ca86204a04db1fe452a3b1bf1

                SHA512

                173184453b63f59028b362018eb76715a473c19114ab0e8c30e75b5aa96086634eecb59be8ee55bdc7c7ab79208c831102b43df0be6eff64fadc60c6aed85e75

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                ca54c2eec669a3563654881e85f0bf82

                SHA1

                4490a022529d1cd403d37a6a6f0783d916797b5d

                SHA256

                756980946502e4df51c89d697aef101ef707b21ead35b257fad5d70e01786cbf

                SHA512

                765d788a9c4c41dcc4bdd1898c123383ce16c429e3f73ec720106c2f4dc0831439e3d0ec240e71ad63dd653e1517e2b46ad6fad645b7f37d3d82edd24f8673e7

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                c4c1be40d33e14891880d2d5ab41bed4

                SHA1

                47486e76ea5ae5c1b022cae6f2248544ac499095

                SHA256

                0abbd0af6c42b1d5efd0eb101a98be786b3927fa7be748c97cd5183b10f770af

                SHA512

                a72ea8ee12584acea1da0f9b8795f5a97fa2310a2a3679ed70dba36430c0e2d6ab7cb7b11d76cd9477fcb04314853199f862399f06a48aac7df92d531b3fe8b9

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                Filesize

                342B

                MD5

                54e1f93948f5bc4152ac7a048b65c37a

                SHA1

                6d553fc2891b5dbd76fb5adbe8e212b41eae88ad

                SHA256

                267dcfe87d943aa7bce9adbebd6dbabed5ee7ab4597f7a22b33635b261cb0eef

                SHA512

                f0e1c5123587b58ae49abfa294b72ffc1fbc08cc114b6130989ab322268fb7a947a00d2b1158ce920a505c27156c19acb7babd8deb93aab13bd3bb0874dc73a0

              • C:\Users\Admin\AppData\Local\Temp\CabC62.tmp
                Filesize

                70KB

                MD5

                49aebf8cbd62d92ac215b2923fb1b9f5

                SHA1

                1723be06719828dda65ad804298d0431f6aff976

                SHA256

                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                SHA512

                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

              • C:\Users\Admin\AppData\Local\Temp\Tar1921.tmp
                Filesize

                181KB

                MD5

                4ea6026cf93ec6338144661bf1202cd1

                SHA1

                a1dec9044f750ad887935a01430bf49322fbdcb7

                SHA256

                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                SHA512

                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

              • \Users\Admin\AppData\Local\Temp\sdl22BD.tmp
                Filesize

                172KB

                MD5

                685f1cbd4af30a1d0c25f252d399a666

                SHA1

                6a1b978f5e6150b88c8634146f1406ed97d2f134

                SHA256

                0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

                SHA512

                6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

              • \Users\Admin\AppData\Local\Temp\svchost.exe
                Filesize

                228KB

                MD5

                e9c85c499f6b7c7e91a44567f27ecd68

                SHA1

                6f89d9176e58f04c3cd48669f7a0b83660642379

                SHA256

                f09ec41136e8e5e5076ca495192d9326e5581c748148fa877412d466db26112d

                SHA512

                dd40f713857e9c574e5d34dd292d17fbb94a38c1f1d7f2cf90e043b713c42358d74327e403d3617f5985fbafd35d90c24fbfbeb97cd95a02224a24d75396a5e5

              • memory/340-64-0x00000000002A0000-0x0000000000313000-memory.dmp
                Filesize

                460KB

              • memory/340-50-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/340-67-0x00000000002A0000-0x0000000000313000-memory.dmp
                Filesize

                460KB

              • memory/340-60-0x0000000000270000-0x0000000000271000-memory.dmp
                Filesize

                4KB

              • memory/1248-82-0x0000000000290000-0x0000000000303000-memory.dmp
                Filesize

                460KB

              • memory/1856-61-0x00000000002D0000-0x0000000000343000-memory.dmp
                Filesize

                460KB

              • memory/1856-55-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/1856-49-0x00000000002D0000-0x0000000000343000-memory.dmp
                Filesize

                460KB

              • memory/1856-54-0x0000000000380000-0x0000000000381000-memory.dmp
                Filesize

                4KB

              • memory/2416-86-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2416-73-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2416-83-0x0000000000370000-0x0000000000371000-memory.dmp
                Filesize

                4KB

              • memory/2688-37-0x0000000000300000-0x0000000000301000-memory.dmp
                Filesize

                4KB

              • memory/2688-41-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2688-40-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/2696-27-0x00000000002F0000-0x00000000002F1000-memory.dmp
                Filesize

                4KB

              • memory/2696-30-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/2696-31-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2696-23-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/2768-20-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2768-13-0x0000000000370000-0x000000000037F000-memory.dmp
                Filesize

                60KB

              • memory/2768-14-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB

              • memory/2768-11-0x0000000000230000-0x00000000002A3000-memory.dmp
                Filesize

                460KB

              • memory/2768-6-0x0000000000400000-0x000000000042F000-memory.dmp
                Filesize

                188KB