Analysis

  • max time kernel
    122s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 02:07

General

  • Target

    b1417ffa64a687df94e59636fc5df94c_JaffaCakes118.html

  • Size

    350KB

  • MD5

    b1417ffa64a687df94e59636fc5df94c

  • SHA1

    a735fb9649e1a7439a103745d66b3fc56c3592b5

  • SHA256

    47aec0387e1474fae2bf9034720de01991bc878b5bab7388ab6de287b4925ff9

  • SHA512

    616526573625015ce88495f478b1f33729ab50d4e321859a46cb2c1251c3c7a4e9885639e855893c2d93cbda6919bd0e0fd816e042a8cb1e9c4407be2d826ef9

  • SSDEEP

    6144:tsMYod+X3oI+YpnmrQdsMYod+X3oI+Y5sMYod+X3oI+YQ:55d+X3J5d+X3f5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include viruses, worms, and Trojans.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (6 IoCs)

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory (7 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1417ffa64a687df94e59636fc5df94c_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2488
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1144
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:700
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:406533 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2576
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:209938 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:406545 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab7A11.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar7AB1.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          55KB

          MD5

          42bacbdf56184c2fa5fe6770857e2c2d

          SHA1

          521a63ee9ce2f615eda692c382b16fc1b1d57cac

          SHA256

          d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

          SHA512

          0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

        • memory/652-30-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1652-34-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1652-29-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2668-12-0x0000000000240000-0x000000000026E000-memory.dmp

          Filesize

          184KB

        • memory/2668-9-0x0000000000230000-0x000000000023F000-memory.dmp

          Filesize

          60KB

        • memory/2668-8-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2744-17-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

        • memory/2744-19-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB