Analysis

  • max time kernel
    122s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 02:53

General

  • Target

    b16e2f5641e6778e0d6d21e77669a046_JaffaCakes118.html

  • Size

    497KB

  • MD5

    b16e2f5641e6778e0d6d21e77669a046

  • SHA1

    af7769990ec5cfdbdef690e880520a266be8aee3

  • SHA256

    6d3ea39053ad385ca802f0bb5f5b560ce2e5b29e20ace5548a6b783952d89bd1

  • SHA512

    43aa31cd960e02c2b16fdd577a1a1714e0fd2678eef473d6adb2a28ef02e57acef32c550020bc46c9f930feee0ff64631dd01c57b1e1949f13934f5436213107

  • SSDEEP

    6144:SmPdsMYod+X3oI+YesMYod+X3oI+YXT660zo0K3sMYod+X3oI+YQ:5Pp5d+X3a5d+X3xu6A6b5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b16e2f5641e6778e0d6d21e77669a046_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:1340
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:264
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:5911555 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275464 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1696
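The process tree and the Downloads section together give a small set of host indicators: a svchost.exe dropped into the user's Temp directory (a genuine svchost.exe lives only in System32 or SysWOW64), DesktopLayer.exe written under Program Files (x86)\Microsoft, and the SHA256 of the 55KB dropper. The Python script below is an added example, not part of the sandbox report, that turns those indicators into an offline check: it flags svchost.exe at any location outside System32/SysWOW64, flags DesktopLayer.exe by name, and compares SHA256 digests against the report's values. The function names (hash_file, suspicious_location, scan, demo) and the placeholder file the demo hashes are this example's own constructions; the hashes and paths are copied from the report.

```python
"""Offline IoC checker built from the Ramnit sandbox report.

Added example, not the sandbox's own code. Hashes and drop paths come from
the report; the scanning logic and the constructed sample file are ours.
"""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# SHA256 values taken from the report (General and Downloads sections).
IOC_SHA256 = {
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320":
        "dropped svchost.exe (55KB) from the report",
    "6d3ea39053ad385ca802f0bb5f5b560ce2e5b29e20ace5548a6b783952d89bd1":
        "submitted HTML b16e2f5641e6778e0d6d21e77669a046_JaffaCakes118.html",
}

# The only directories a legitimate svchost.exe should be loaded from.
LEGIT_SVCHOST_DIRS = ("windows/system32", "windows/syswow64")


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, streamed in 64KB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def suspicious_location(win_path):
    """Flag the two drop locations seen in the process tree.

    win_path is a Windows-style path string as written in the report. The
    comparison is case-insensitive and runs on any host OS via PureWindowsPath.
    Returns a reason string, or None when the location is unremarkable.
    """
    p = PureWindowsPath(win_path)
    name = p.name.lower()
    parent = p.parent.as_posix().lower()  # e.g. "c:/windows/system32"
    if name == "svchost.exe" and not parent.endswith(LEGIT_SVCHOST_DIRS):
        return "svchost.exe outside System32/SysWOW64 (report: dropped in %TEMP%)"
    if name == "desktoplayer.exe":
        return "DesktopLayer.exe (report: dropped under Program Files (x86)\\Microsoft)"
    return None


def scan(records):
    """Check (windows_path, local_copy) pairs and return a list of findings.

    windows_path is the path as seen on the victim; local_copy is a path to a
    copy of that file available for hashing, or None when only the path is known.
    Each finding is (windows_path, [reasons]).
    """
    findings = []
    for win_path, local_copy in records:
        reasons = []
        loc = suspicious_location(win_path)
        if loc:
            reasons.append(loc)
        if local_copy is not None:
            label = IOC_SHA256.get(hash_file(local_copy)["sha256"])
            if label:
                reasons.append(f"SHA256 matches known IoC: {label}")
        if reasons:
            findings.append((win_path, reasons))
    return findings


def demo():
    """Constructed input: a placeholder file stands in for the victim's %TEMP%\\svchost.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "svchost.exe"
        fake.write_bytes(b"constructed placeholder, not the real dropper")  # constructed
        records = [
            (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", fake),
            (r"C:\Windows\System32\svchost.exe", None),
            (r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe", None),
        ]
        return scan(records)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The placeholder file is flagged by location only, since its SHA256 does not match the report; that is the expected split in practice. Hash indicators catch this exact sample and nothing else, while the two location checks generalise across builds, so in a hunt the path rules carry most of the value and the hashes serve to confirm a match against this specific report.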

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        546d8b0aa488c740a8e8e8b471e5dad3

        SHA1

        c0b3ecb27016b69f500ddddd3047a9686aa53486

        SHA256

        19d103b6c11fed0b09175634a70fbc98c11841663006b667184e6bd75151fa5e

        SHA512

        3b6b416a8e288e2e4a65abfae76a12b389ff9665a9ec12ef5de3f83ebe1bf9d17f11f366b5c914af0915b18b847ad82852e1b64f7a9ccde84a3655211ddc6f93

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a49721e0608661d75972e3c4df04c0a7

        SHA1

        0ea94b1bca6e3744ef6373bfab67fd255c772cf0

        SHA256

        fd07736996538ffe837f239e10d4934e81ff294653bfefb4275b65952138b59f

        SHA512

        2ba81159f107664ce3edf076a2146179fda2b2aeab4732535d63bbe3460cfb0a00fd590f12c831a5740fc66121e4d66910c481dbe2456c352ad1301ce62ad59d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        62991d60df108c8c4b7474a1b7b68e54

        SHA1

        b4048474cffd83495c1cb0b336bbf37972b57232

        SHA256

        580ece44ffeb3be11c1f02a0c3cba6409fe2929287abca761a23a63712ab1649

        SHA512

        a9798c77c5df5877ce501178e2ded34e5dec1a597b7215e5c4778970f97003554590dc9f7bcc014e1a7e957aca99ca60e9da7e5db472021681ea697b1c494927

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        31ab0f52ecbcdfb141a99055d46bcdc6

        SHA1

        4e30a7e41c716132dec31d6a5c31ad20f62a1f1b

        SHA256

        d6029e1cc2bccfe5bf944081076f287396ba29c251a45297085fe539f7f5d99b

        SHA512

        f056808c68a60c37bb98f2db03b72218dbe34a8dc996ffe1d1286d4a5fec28f63640b2e64a052e9391554689f5ae8261323781e42056c6b8885f8dd987b893ac

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        2875c81ee5e7630d870401e8014c9d46

        SHA1

        e09a1cba4a3d15d23204a68002005ddf402f937f

        SHA256

        3e5fab2d117fa373c5f4eb8db8b0c3b8f3e246654989ab521d2028edf0ae8e0d

        SHA512

        0e0abeb4c344e8e05935f5d07733c94aa802c8c1f215ef6c3218a3d3cc74daa910f7433635aa8cf70c8101739e60556e30bc3b0352415655e23e273fcdc6d78e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        09228a49f0c00516b799980b3b8f5444

        SHA1

        fda8cf95eb4dba5ebe34f793d18511626632b17e

        SHA256

        f97e07293666c45c18071b163b9181122440c67300837b8518c4d7be68aeeecd

        SHA512

        080ebef20690296eefd3105ef51e74323ca95e1ba27642ad38f693fb1a3c2b87027a075032278d2b03138776b177a63690cc6d7cfb2dacc7e35deee49b49f2e4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        4931f274f07fa044879bf29ee4d63903

        SHA1

        bdeba677c9399a42eb6544f31da8fd96dca73932

        SHA256

        23c8a69712225325342d784c4bd7a37cdc3f33ba833f3a1ebbf538574b68ebc1

        SHA512

        67e165c1c7109c245a8ef1fbf933409c0079cb442f3c533ab2016cd4e4c14715602ba6a098688e044451520f0c82be229678800f3ab078a1d7b34b247d4fbb0f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        081b90e718d8e3f1cfbb7e03a07a8ea0

        SHA1

        d5b5686293cfbf5b13e02bcde452a1e1cce50f7e

        SHA256

        7d1ffa9aad425cd174a9f766732e5451183dd81363442332770425f6edc82782

        SHA512

        8a092d32ff05734626213b05c5fd84bc6cb58dc5cae69de67fadc5a427fece5407653d04383ebaf151c3e5286f7dc03c52f4b5326b576f14cc4d3c6a67fee000

      • C:\Users\Admin\AppData\Local\Temp\Cab7A02.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Tar7A92.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\svchost.exe

        Filesize

        55KB

        MD5

        ff5e1f27193ce51eec318714ef038bef

        SHA1

        b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

        SHA256

        fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

        SHA512

        c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      • memory/2436-23-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2436-24-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2436-27-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2592-12-0x0000000000430000-0x000000000045E000-memory.dmp

        Filesize

        184KB

      • memory/2592-8-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2592-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

        Filesize

        60KB

      • memory/2636-18-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2636-20-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2636-17-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB