Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 02:05

General

  • Target

    b13eaf479d14e6840396dcb810cafe40_JaffaCakes118.html

  • Size

    874KB

  • MD5

    b13eaf479d14e6840396dcb810cafe40

  • SHA1

    0962f6defe8494e5d65b63d0d555e344656ed925

  • SHA256

    23893b889aa871c6ab56eef24a95d784be1facbc1513c3858b7546af2405aaf5

  • SHA512

    ee5436f1712da17d4194b6979912d62efd9d9fe697138c2f6313b8c7e480297c156c9fc26b79ef00331191de7631cc4b8f3f31501057f63d3ea363dfc2742ded

  • SSDEEP

    12288:ne5d+X3uT3aDu5d+X3uT3aD45d+X3uT3aDk5d+X3uT3aDi5d+X3uT3aDe:nc+OTz+OTl+OTt+OT1+OTb

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived family that combines a file infector, a worm and a banking/backdoor Trojan. Its infector appends itself to .exe, .dll and .html files; an infected HTML page carries the executable payload in an embedded VBScript and, when the page is opened in Internet Explorer, writes it to disk and runs it. That is the behaviour recorded here: iexplore.exe opens the HTML target, and the IE content process drops and executes C:\Users\Admin\AppData\Local\Temp\svchost.exe, a name chosen to blend in with the legitimate C:\Windows\system32\svchost.exe instances elsewhere in the tree.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer, including modified UPX builds that rename the standard sections.

  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
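The "UPX packed file" signature above is a static check on the PE section table. The block below is an added example, not the sandbox's own detection code, showing the two indicators such a check keys on: sections named UPX0/UPX1, and a first section with zero raw size on disk but a large virtual size, which is the space the UPX stub expands the original image into (that second indicator survives a modified UPX that renames sections). The two PE images it inspects are constructed in-line from headers only, so it runs offline with no sample; `parse_sections`, `upx_indicators` and `build_pe` are the example's own names. For context, the dropped svchost.exe here is 84KB on disk while its dumped image region 0x400000-0x436000 is 216KB, the gap in-place unpacking leaves.

```python
"""Checking a PE for UPX packing from its section table.

Added example, not the sandbox's signature logic. Standard library only; the
sample images are constructed in-line and contain no code.
"""
import struct

_SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size), ...] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    off = coff + 20 + opt_size            # section table follows the optional header
    out = []
    for _ in range(num_sections):
        name, vsize, _va, rsize, *_ = struct.unpack_from(_SECTION_FMT, data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
        off += struct.calcsize(_SECTION_FMT)
    return out


def upx_indicators(data: bytes):
    """Reasons this image looks UPX-packed; an empty list means no indicator."""
    secs = parse_sections(data)
    names = [n for n, _, _ in secs]
    reasons = []
    upx_named = [n for n in names if n.upper().startswith("UPX")]
    if upx_named:
        reasons.append("section names " + ", ".join(upx_named))
    # Heuristic: UPX leaves the first section empty on disk (raw size 0) and
    # reserves its virtual size for the unpacked image. Renamed-section builds
    # keep this layout, so it catches "modified UPX" as well.
    if len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > 0:
        reasons.append("first section has no raw data but %#x bytes virtual" % secs[0][1])
    return reasons


def build_pe(sections):
    """Construct a minimal PE (headers only; constructed test data, not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 optional header
    hdrs = b"".join(
        struct.pack(_SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rsize,
                    0, 0, 0, 0, 0, 0xE0000020)
        for name, vsize, va, rsize in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed samples: a UPX layout and a plain compiler layout.
PACKED = build_pe([(b"UPX0", 0x30000, 0x1000, 0),
                   (b"UPX1", 0x6000, 0x31000, 0x5400),
                   (b".rsrc", 0x1000, 0x37000, 0x600)])
PLAIN = build_pe([(b".text", 0x2000, 0x1000, 0x2000),
                  (b".data", 0x800, 0x3000, 0x200),
                  (b".rsrc", 0x400, 0x4000, 0x400)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

Run it against a real dropped file by reading the bytes and calling `upx_indicators` on them; a hit on the name check alone is strong, a hit on the empty-first-section heuristic alone is worth a look but not conclusive.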

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:384
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      2⤵
      PID:480
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        3⤵
        PID:616
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          4⤵
          PID:1728
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        3⤵
        PID:692
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        3⤵
        PID:764
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        3⤵
        PID:828
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          4⤵
          PID:1184
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        3⤵
        PID:876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        3⤵
        PID:980
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        3⤵
        PID:300
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        3⤵
        PID:356
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        3⤵
        PID:1088
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        3⤵
        PID:1100
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        3⤵
        PID:3060
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        3⤵
        PID:1660
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      2⤵
      PID:496
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
      PID:504
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:400
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:436
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1208
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b13eaf479d14e6840396dcb810cafe40_JaffaCakes118.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2656
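Two things in this tree are the real detection signal, and both are cheap to check on any process-creation feed (Sysmon event 1, EDR telemetry): a process named svchost.exe whose image is not under System32/SysWOW64 or whose parent is not services.exe, and a browser content process starting an executable from a user-writable Temp directory. The block below is an added example, not part of the report: its events are constructed from the PIDs and paths in the tree above, and `triage` applies both checks to them. `ProcEvent`, `SYSTEM_DIRS`, `BROWSERS` and `triage` are the example's own names.

```python
"""Process-tree triage over process-creation events.

Added example, not sandbox output. EVENTS is constructed from the Processes
section of this report (pid, parent pid, image path, command line); a real
deployment would feed Sysmon/EDR process-creation records in the same shape.
"""
from pathlib import PureWindowsPath
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


# Constructed from the report's process tree; PIDs and paths are the page's.
EVENTS = [
    ProcEvent(384, 0, r"C:\Windows\system32\wininit.exe", "wininit.exe"),
    ProcEvent(480, 384, r"C:\Windows\system32\services.exe",
              r"C:\Windows\system32\services.exe"),
    ProcEvent(616, 480, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    ProcEvent(876, 480, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ProcEvent(1208, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2184, 1208, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" '
              r"C:\Users\Admin\AppData\Local\Temp\b13eaf479d14e6840396dcb810cafe40_JaffaCakes118.html"),
    ProcEvent(1928, 2184, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2'),
    ProcEvent(2656, 1928, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
]

# Where a genuine svchost.exe image lives on a Windows install.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Browser parents we do not expect to start executables out of Temp.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _is_user_temp(path: str) -> bool:
    # C:\Users\<user>\AppData\Local\Temp\... (any case)
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "users" in parts and "temp" in parts


def triage(events):
    """Return {pid: [reasons]} for every event that trips a check."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        parent = by_pid.get(e.ppid)
        if _name(e.image) == "svchost.exe":
            if _dir(e.image) not in SYSTEM_DIRS:
                reasons.append("svchost.exe outside System32/SysWOW64")
            if parent is None or _name(parent.image) != "services.exe":
                reasons.append("svchost.exe not started by services.exe")
        if parent is not None and _name(parent.image) in BROWSERS and _is_user_temp(e.image):
            reasons.append("browser spawned executable from user temp directory")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only PID 2656 trips the checks, on all three counts; the seven legitimate svchost.exe instances under services.exe are untouched because both the image directory and the parent match. The parent check matters on its own: Ramnit's dropped binary could just as easily have been written under a path that passes a directory test, but it can never be a child of services.exe without a service registration.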

Network

MITRE ATT&CK Enterprise v15

Downloads

Of the files below, only \Users\Admin\AppData\Local\Temp\svchost.exe (84KB, SHA256 ff96bd48cb454d39b1c62fc657e9540b66a7c0b7225184d0d747341fe835eb47) is the dropped payload and the hash to pivot on. The CryptnetUrlCache entries are CryptoAPI's cache of downloaded certificates and revocation data, and the swflash cab/inf and Cab*/Tar* temp files are Internet Explorer and CryptoAPI working files written while the page rendered. The memory/2656 entries are regions dumped from the payload process; the repeated 94308059B57B3142E455B38A6EB92015 metadata entries are successive versions of one cache file, not duplicates.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize 914B
    MD5 e4a68ac854ac5242460afd72481b2a44
    SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
    SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
    SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize 70KB
    MD5 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1 1723be06719828dda65ad804298d0431f6aff976
    SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 1KB
    MD5 a266bb7dcc38a562631361bbf61dd11b
    SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize 252B
    MD5 1b123bc70fe75a84a488e7b2b6e3566b
    SHA1 75d74c40365135c06d34ca9601a1bd07049a978c
    SHA256 c0a59407d233559c4a237cc351b63d21c3cc7024f90af3bcbbbfad99bd9ca3c6
    SHA512 63c87f20e410e572a1004454ca0becd225483090cababfc1b212d4d2c0582ceaa920823ab3eac15fd777c5b75f8c4de2b9f8cabf8512ccf9d042f8035f1db56a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 1a02cc323ea5319f8f2e7462a760828a
    SHA1 51189ebd9c8be1f199a8fb9a8423d451974b22a5
    SHA256 d1c15a1dba5db328da9d288f619b7b08d29b3761797840828b57cd33aae78dad
    SHA512 324f0cdbc3624be820946b763132c5e2ff337ce6e456eb7000ff072a66524265e3f49e7a74201268ca73c6b730faa96befdade0ab5000386834495a310471b0a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 d951da4c4a531320e0f7c3e181e0c946
    SHA1 6823e6a846e293184f58e6b9e87d1c85a93a4b5d
    SHA256 e74d6cdca8e37d1cd28be579b12b20c53eba55fe32cbb5492ac1db8b3c4e95ab
    SHA512 005b379fb15e8cf7b940a079d882eaff604a59d37bb96cf64d811668978bf98664e864e203d635dbbb6e1300f74bf8ff18876dfafef859419f04ab1317fa2ffd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 cd03905a59c74eeefc38c172bb0e9403
    SHA1 01df8bc252b4917ffe53da591506d8306152fe0e
    SHA256 9a69d0ee1882b6eeab6217b48eb9259087c95e58a79dd714b8eb07cad6974ba2
    SHA512 268653e091c6c776a81eb6c6ce72d81927e57b80c603c5a84c01be58fbb8c10a54a2de8e6e0dfa1242e0624eb4d70f16cc9d0bd3ed6fb483478a678b39cd52d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 61f04e44a6b6359730e3402bbf399c83
    SHA1 1fe5778537a820dad4a48b3b5112c23ffbe397eb
    SHA256 559dc4632df680a957021e7a203cce6dd37e2ce8e02f11882342114162df165a
    SHA512 73935539d005fca3e425e6d28565e9b63e87fca19a5b967c7d1761becb45e6a3b48cd626395cb5e04fd8d71ac05c025c54c14ddf9ba69f2662fd1c6cece505e2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 24ae6aa961d6201c27fe6c9218f2e1f7
    SHA1 fe424aa1e8f4940028815f39bb0f7a4c9a1f7f8b
    SHA256 f9ee8d1a88c0cf3fb789c025b6ce14484f45c14636226e2c1aad15916281d6a1
    SHA512 4ac6b688b19fdec8dd4ab2d44c17127761c69c2e7d4eccd6265f6e3a338c96db1afc8810644ef27b22627c0bf241c5c414e0a1f584f78ef761fe9729fb45a661

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 efdca019ea6c7097916eb3f2728d2df8
    SHA1 5b21f2a9f108aec220f78e54f3f251656032ef90
    SHA256 6c069972d7b8eb50d47b3856a6dcbe61265b57625548feab9eb7e3f28253f3b1
    SHA512 7292562be3fc833429d0a14baee1a05cc084f35ecfa7224b698c8d4ed8af5fc34ef93178fe6fbe70f0a6656ab98117aa2e740684de6e9b1fd4f789dc54d17e96

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 74916996ea1a0971854da3c418aee14d
    SHA1 a48e845e3f17a12653b26a488df7b759679f2ca7
    SHA256 ff32005a57df01041852c6cf493f201e2163c974a0ebe6538c52a4f7211f4997
    SHA512 7c338f8b053ef41a3df0a8f929b0d489f450f5c4bd790815ec9bfe53fbffb995f2d303dd6c195d9c3c2054b2cdbca18afc3702efc595cad67d1fba9cfd0afc69

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 80209eff0ce0b3eda2f5e5680861dde1
    SHA1 e6ffb57ce04faf473ce0f4f47a16b2752fcd188f
    SHA256 ae5a8b3671a7d27391fa463d9e92a577734d0e627ad899243e5488b5cfd43ef2
    SHA512 d19ad52d18af94ad2f82711cf841e7083101f96d26a803f66c0a01ed30ace160d0c35ac6d000ab099cf8d306542721f4e4aff415a7f68eb91c47dde4fa88e7b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 304B
    MD5 8cd7210220f9d8731d4809cc2ba69508
    SHA1 e5425df0c2d2a0cecbdc7f71bfbcf0dd4ec3a4e8
    SHA256 19e808cf6187a2bfac9205079482e0722ee0ed598e43d4b528a0541343b6b029
    SHA512 119ad18e89d34bb7d2abc30c74ec6dcead2c975c021b728e1c38f7daac323a3b3c53e368395955e223e3279c5aa052284b01cfa6ad771381c5e13b43e44c38b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 242B
    MD5 2c31d18297e19318b434d8f87272aa8f
    SHA1 b8f2fcc88d2f7db21968375d76e8b3e7c5c7efe8
    SHA256 910907046210e399f3b5b109d05a51bc6174630ab2a16bf89ac0efa74d059759
    SHA512 3ab633b124d77bb3d681ac54bc5eec7357d5a365449135adf887b17510b38a173fe2b3072616d5c39581e3c58405917819a33f6552bdc7da74b0310daff0855e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\swflash[1].cab
    Filesize 225KB
    MD5 b3e138191eeca0adcc05cb90bb4c76ff
    SHA1 2d83b50b5992540e2150dfcaddd10f7c67633d2c
    SHA256 eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b
    SHA512 82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

  • C:\Users\Admin\AppData\Local\Temp\Cab3536.tmp
    Filesize 65KB
    MD5 ac05d27423a85adc1622c714f2cb6184
    SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
    Filesize 218B
    MD5 60c0b6143a14467a24e31e887954763f
    SHA1 77644b4640740ac85fbb201dbc14e5dccdad33ed
    SHA256 97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58
    SHA512 7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

  • C:\Users\Admin\AppData\Local\Temp\Tar2DF4.tmp
    Filesize 181KB
    MD5 4ea6026cf93ec6338144661bf1202cd1
    SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Tar3603.tmp
    Filesize 171KB
    MD5 9c0c641c06238516f27941aa1166d427
    SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize 84KB
    MD5 c25baafed6fd4a75f3954528e64f8d64
    SHA1 372cbe86a3fefbc39338ecd8f80b5aa05ccf2a34
    SHA256 ff96bd48cb454d39b1c62fc657e9540b66a7c0b7225184d0d747341fe835eb47
    SHA512 c7f4482ff598187ce80537088030d482b22e81e16d65620bbcf50a169c8dde5d89cdeb353ed4fc039920250c42de8fed3eba406e1bb248e58df907d105776e6e

  • memory/2656-10-0x0000000077D00000-0x0000000077D01000-memory.dmp
    Filesize 4KB

  • memory/2656-13-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize 216KB

  • memory/2656-9-0x0000000077CFF000-0x0000000077D00000-memory.dmp
    Filesize 4KB

  • memory/2656-11-0x0000000000280000-0x000000000028F000-memory.dmp
    Filesize 60KB

  • memory/2656-6-0x0000000000400000-0x0000000000436000-memory.dmp
    Filesize 216KB