Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 20:54

General

  • Target

    ab69ac66d84fa9968c79d10d93a794e1_JaffaCakes118.html

  • Size

    348KB

  • MD5

    ab69ac66d84fa9968c79d10d93a794e1

  • SHA1

    02c9f1160dfee01e29f38cce605796d80269ec83

  • SHA256

    4d148469b4270fceb2e968f2179d98956c32082b5bde7e1f688027611e627499

  • SHA512

    fb571be5fb4442228cea916311f3d04338d4621aed6184f8eca0d839179a179e34a379c6b636af91c6ca5070197f60e8e9fa99269de26e07608bd3a465f428a4

  • SSDEEP

    6144:z9sMYod+X3oI+Y4jsMYod+X3oI+Y5sMYod+X3oI+YQ:zJ5d+X3m35d+X3f5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory (7 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ab69ac66d84fa9968c79d10d93a794e1_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2608
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2860
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1252
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:856
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275464 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2684
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:668678 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2140
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:537608 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          fc5500e150ea7fb35dbd3ac1d0e420e8

          SHA1

          8105cde6d8429f073ec960aa4d523f58a3dd638b

          SHA256

          a3bd20440d9ded7d1e643b06d64a92142010abd21e376978ef5b675f87545e4b

          SHA512

          1c4be7ea36cd647cf18a896dd2d62c40f432801ca771209b38fa114a7e9aec7f7e8e29eb413a5799ec3a765a324d9f2b4b2efad12a2329940f48ddccdf21d919

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          c0bb2f70106de8a7bc4d3a6bef4cd245

          SHA1

          4e4e1023a99702c77a0c4ca9c063dcf8e63ea145

          SHA256

          4633b99cbc0160bc4fd95ca4a1c967b0ca18464064e83427a5deb4dbdb5ad32b

          SHA512

          0b5257eed15c2de74f6021f2a461c930113cd79b35458de35d2cef55b3bec8431b3dadaec6a7e5e7ff406ffebbf10c9cf675efb17c42b70b6ca596cbc43853f5

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          b871146fecd969c378df85db33a04852

          SHA1

          cd59a73e8fa951fae8745d1c34be05369ab32d9a

          SHA256

          cd0c1db9961ef4bf296ec88c194a91e4c350df49486233b4267aa92de4d145eb

          SHA512

          72ff6779086aaae214dda5cebde0848a393bf34bc9235f206402e3649f565e065314b74115265b4da210a3b7d53bda0d324250e9949e464f06f69e4342d6e80b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          ef02c35aef939021304d13cc488d9557

          SHA1

          996b38dc0ee839304d5114e818a706f0db9d00ca

          SHA256

          fcac30c067b7b0f93a5a1ffc6f400f7ad59c48c2a6e9e8c7cdcaa181a69da97d

          SHA512

          eb3a94f497f66f2ca55f52f01def40c7cacd7e889dbb191073127f1aed38a149cd17238a502f530895954724f385e60bacdad0d45308225d742204e18604a1dd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          0f28ae94dcc59081f12b09c90710adb6

          SHA1

          34abbf97866c75274c8fb4fafa170f77ef72cdda

          SHA256

          70c747565a6084fbc155a6450ecc567ad82ddc1d45a5c67366cdfc36b96f863e

          SHA512

          700342f66098a46c825dfb6eaf3e6b652bf8805f82cb246a6c2f689a58e8f8056a742714853b3b58991e590bb3ad51d7cb265808608b399cae84ebbfc975d9b0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          98e2fd559863e08e07d4829275c67103

          SHA1

          1aba2237b36bc1c99948ac08c1d646b058c8fcc4

          SHA256

          7d37c56585e4c0e549c5729a2e2ea60deb0b7d99d82c6524457e3b6c8b0b1737

          SHA512

          5d733439e490a00a2830d33af05d23a138846a63ba03a108d8681da90211fcba1c88385bd9a98c56c927c6fb582880869eff07e155d8edf6060acab1c78738a4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          8a570d790b2cb94baf4a5609b73f3a53

          SHA1

          5bc684f452657e45afccfa1c9ec124d1b5b9ebc3

          SHA256

          3ee6402e0624d9049163b6ec0af0875136fd724221472c84ff3c7f4c3e9895b0

          SHA512

          92608e60f01bd3d577ad470de37c62771caa088f3b3a89e57721e11216df5982e35d3a1dc5eb34f8a32840cc08ac2f1ff500c7facd1d71155ac4a2f90d99bc62

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          8997964a52b5887df8ecd1fddda1bb48

          SHA1

          6a291b07613b67be3a8b048961c39e5373e38688

          SHA256

          0995690bff054a7dcb308b58ac4ae3776c2e1a0f260d2c2b1a956e4fe6ea0453

          SHA512

          7493c60beffbfec34eeffee782765a76e9ebf7ae3e1f17d049010c3f595db6ac45ca200d6382b0f85d7043e2ad3b698f9c0852597fe6c6134df462d2dd00c158

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          c5bfd0a4969b0a8c2a43a42021282989

          SHA1

          f03162c92322efccfc025e805994e2c4ebdd0357

          SHA256

          8017725c58921171712927bd9fe3f5e4ccf1e573dd35e54a4cde9f79c9702893

          SHA512

          e4ac1e7c224fe3617ac067bf29705674ea04ce0d4e86a6a1db2f408a54c18dc1bfd9874881d2b9b06f83f8309bd39a20624e1fdf094861d76cc73e0eef2f0f90

        • C:\Users\Admin\AppData\Local\Temp\Cab1AF2.tmp
          Filesize

          65KB

          MD5

          ac05d27423a85adc1622c714f2cb6184

          SHA1

          b0fe2b1abddb97837ea0195be70ab2ff14d43198

          SHA256

          c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

          SHA512

          6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        • C:\Users\Admin\AppData\Local\Temp\Tar1BE3.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • \Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          55KB

          MD5

          42bacbdf56184c2fa5fe6770857e2c2d

          SHA1

          521a63ee9ce2f615eda692c382b16fc1b1d57cac

          SHA256

          d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

          SHA512

          0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

        • memory/1252-28-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/1252-26-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/2424-16-0x00000000001D0000-0x00000000001D1000-memory.dmp
          Filesize

          4KB

        • memory/2424-18-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/2524-8-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/2524-9-0x00000000003B0000-0x00000000003BF000-memory.dmp
          Filesize

          60KB

        • memory/2944-23-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

        • memory/2944-21-0x0000000000240000-0x0000000000241000-memory.dmp
          Filesize

          4KB