Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 02:57

General

  • Target

    b1726df79d3aa47c41ae4ad97457962d_JaffaCakes118.html

  • Size

    238KB

  • MD5

    b1726df79d3aa47c41ae4ad97457962d

  • SHA1

    a6d61e354702dac0f3445c3896b780b927995648

  • SHA256

    03a189118de6101de4f2432081a66a7026239edfee22a556812f666b86f28f88

  • SHA512

    b895315ede63a3030b7bc29081e10b1ab84c65e9780dbcf2b7b598035c0425d75a56a6a4535c130b1a09c3ffba162df16f90b2169dc4473107951b803431317b

  • SSDEEP

    3072:SgGau3nyfkMY+BES09JXAnyrZalI+Y38byfkMY+BES09JXAnyrZalI+YQ:Sh3ysMYod+X3oI+Y39sMYod+X3oI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-running family that combines a file infector (it prepends itself to EXE, DLL and HTML files), worm-style spreading over removable media, and a banking-Trojan component. An infected .html file carries a script that writes the executable payload to disk and runs it, which is why this HTML sample produces a dropped EXE.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer, including modified UPX builds whose section names have been changed.

  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
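
The "UPX packed file" signature above is a static check on the PE section table. The following is an added example of how such a check works; it is not Triage's signature code, and since the report does not show this sample's section layout, the three PE images are constructed in-line (stock UPX uses the section names UPX0/UPX1; a rebranded build keeps the layout but renames them). The `build_pe`, `pe_sections` and `upx_verdict` names are mine.

```python
import struct

# Added example, not the sandbox's signature code. Minimal PE section-table
# reader plus a UPX heuristic; the PE images are constructed for demonstration.
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def build_pe(sections):
    """Construct a minimal PE image: DOS header, PE signature, COFF header with
    SizeOfOptionalHeader = 0, then one 40-byte header per (name, vsize, rsize).
    Only the fields the scanner reads are filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b""
    for name, vsize, rsize in sections:
        table += (name.encode("ascii").ljust(8, b"\x00")
                  + struct.pack("<IIII", vsize, 0x1000, rsize, 0x400)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
                  + b"\x00" * 16)
    return dos + b"PE\x00\x00" + coff + table


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    out = []
    for i in range(nsec):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\x00").decode("latin-1")
        vsize, _va, rsize, _ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, vsize, rsize))
    return out


def upx_verdict(data):
    """Return ('upx', reason), ('modified-upx', reason) or (None, '')."""
    secs = pe_sections(data)
    upx_named = [s[0] for s in secs if s[0].startswith("UPX")]
    if upx_named:
        return "upx", "section names " + ",".join(upx_named)
    # Renaming sections hides the names but not the layout: the first section
    # is empty on disk (SizeOfRawData = 0) and is the region the stub unpacks into.
    if secs and secs[0][2] == 0 and secs[0][1] > 0 and len(secs) <= 3:
        return "modified-upx", "first section %s has SizeOfRawData=0, VirtualSize=%#x" % (secs[0][0], secs[0][1])
    return None, ""


# Constructed test images (not this sample's real layout).
STOCK_UPX = build_pe([("UPX0", 0x20000, 0), ("UPX1", 0x9000, 0x8A00), (".rsrc", 0x1000, 0x600)])
RENAMED_UPX = build_pe([(".text", 0x20000, 0), (".data", 0x9000, 0x8A00), (".rsrc", 0x1000, 0x600)])
PLAIN = build_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x800), (".rsrc", 0x600, 0x600)])

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_verdict(img))
```

The layout heuristic is deliberately loose: other packers and some legitimate binaries also start with a zero-raw-size section, so a production signature would additionally check the entry point and the stub's opcode sequence rather than stop here.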

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1726df79d3aa47c41ae4ad97457962d_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:2704
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:1308
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:472070 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2528
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:537620 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2344
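
The process tree above is the part of this report that translates most directly into endpoint detection. The following is an added example, not part of the Triage report: the tree is transcribed by hand into process-creation events (PIDs and image paths as reported, command lines shortened) and four rules are run over them. The rule names, the `Proc` record, and the trusted-directory lists are my choices; in production the events would come from Sysmon Event ID 1 or Security event 4688. The rules only assert what the tree shows (svchost.exe running from Temp, DesktopLayer.exe under Program Files (x86)\Microsoft, a browser started by a non-browser parent), not how the injection works.

```python
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the process tree in this report; not parsed from live output.
EVENTS = [
    Proc(2432, 0,    r"C:\Program Files\Internet Explorer\iexplore.exe",
         r"iexplore.exe C:\Users\Admin\AppData\Local\Temp\b1726df79d3aa47c41ae4ad97457962d_JaffaCakes118.html"),
    Proc(2108, 2432, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "IEXPLORE.EXE SCODEF:2432 CREDAT:275457 /prefetch:2"),
    Proc(1960, 2108, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", "svchost.exe"),
    Proc(2864, 1960, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe", "DesktopLayer.exe"),
    Proc(2704, 2864, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    Proc(2272, 2108, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", "svchost.exe"),
    Proc(264,  2272, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe", "DesktopLayer.exe"),
    Proc(1308, 264,  r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    Proc(2528, 2432, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "IEXPLORE.EXE SCODEF:2432 CREDAT:472070 /prefetch:2"),
    Proc(2344, 2432, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "IEXPLORE.EXE SCODEF:2432 CREDAT:537620 /prefetch:2"),
]

# Directory lists are my choice; extend them for the estate being monitored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
BROWSERS = {"iexplore.exe"}


def norm(path):
    return path.replace("/", "\\").lower()


def ancestry(procs, pid):
    """Image basenames from `pid` up to the root, child first (cycle-safe)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(norm(by_pid[pid].image)))
        pid = by_pid[pid].ppid
    return chain


def triage(procs):
    """Return (rule, pid) findings for the behaviours this report's tree shows."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        image = norm(p.image)
        name = ntpath.basename(image)
        parent = by_pid.get(p.ppid)
        pname = ntpath.basename(norm(parent.image)) if parent else None
        # svchost.exe is a system binary; a copy running from a user directory is a masquerade.
        if name == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
            findings.append(("svchost-outside-system32", p.pid))
        # The path this report shows the dropped DesktopLayer.exe using.
        if name == "desktoplayer.exe" and "\\program files (x86)\\microsoft\\" in image:
            findings.append(("ramnit-desktoplayer-path", p.pid))
        # A browser starting an executable from a user-writable directory.
        if pname in BROWSERS and any(d in image for d in USER_WRITABLE):
            findings.append(("browser-spawned-temp-exe", p.pid))
        # A browser started by something other than a browser or the shell
        # (here DesktopLayer.exe, which the report also flags for WriteProcessMemory).
        if name in BROWSERS and pname is not None and pname not in BROWSERS | {"explorer.exe"}:
            findings.append(("browser-launched-by-non-browser", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print("%-32s pid=%-5d %s" % (rule, pid, " <- ".join(ancestry(EVENTS, pid))))
```

Run as-is it reports eight findings: the two svchost.exe instances trip both the masquerade and the browser-spawned-from-Temp rules, each DesktopLayer.exe trips the path rule, and the two iexplore.exe processes at depth 5 trip the parent rule. The three IEXPLORE.EXE content processes started with SCODEF/CREDAT by the frame process match nothing, which is the behaviour you want from these rules on a clean machine.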

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8f989b714c7fd67d55e28d7ae2549480

        SHA1

        00fc6b45a51b1ff75eaaa1fdef4f9161b5789346

        SHA256

        b4d38b867621510fbf855ef7bf55f44f42cd8d4af7e748fae5ba3932e92198ff

        SHA512

        e06538762ceb3cb1bfcc9014b12e3dff87cc1b9b871105107ad8b88d6f3c10a6e7a553f956c70b9cc8cc4912c1649095a31cb840ec7808adaa38b3299bd4a752

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        c332341a508d05195091217eb9d1c39b

        SHA1

        eb5e08a733edb54fbcb3ef9a9c0b84e8bf523359

        SHA256

        984ad3e051911d9f06afec845fb664b3a2c18babbd4482abd2c86edd7d763606

        SHA512

        982c8fb1b54f682f0f2171abe616205110d10f2970a3a863cb9b4898d742a8d634d23d7b3fcacbaa0904cd5347b278c1dc2429dc3240e586d46fbf105bcf4276

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        873b415ab8396814ee8bffb087a6c4a5

        SHA1

        6e46f0b96f984c398b7ddaf9e1e1ebd89ab74ca7

        SHA256

        c72024e59dc6a19f4224c87a0aa5a8b586d7619339ba36962f68c0e34b2254ab

        SHA512

        daf57b24fb837d13e6e42a088776a523a648449d95faa3546ef9655aec448664544c17776a3e72f510d7bcd35497ff20478124fbaf1969db6a5099ed750e8da1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        b47abc0ef91864ea81d6b077803cfbef

        SHA1

        41b4b41c3a221dcc30b0511ddec72fa8a9bd32b2

        SHA256

        702af0679afc71eb678fe2d5892a7e6aa979fc425340fe024afbe667b35f9b7a

        SHA512

        eb8e3cb2f14b135a1f1c4ca65fd36c7b5135e483b07efbfc1978d6a39d0db2125e941c55f52b0d7c7abb4346d93e48db9548c2d1ae086854a46ecd61c78a22f6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        e9b6d32727e766fbb49d77371ec98f22

        SHA1

        eeef03fc8022b3ea7c1d76b6470cb738eebb957f

        SHA256

        e04c7ad6e8f726ba0345eb0ae8305162f22b630e06c87d23afb22805a314c4e0

        SHA512

        ac349ddbe6df5d1abbd309d9b8a12156e14dce3fe7d39bc3d12f8bfb690ec9873a1ca6f75be1e45da93499b286566809907805481954b586631620d49d708527

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        eb60961a73df531ab8f9586ddbfc912c

        SHA1

        6514100849e467510af6906dd021808630f5c016

        SHA256

        1aba5db1ca209679e9f88b2cb40c9d7a289f9e5239db0c049fa43abf57599ec4

        SHA512

        91c95bdfa1ef4ac7024a4ddde46e9e58ec953fa7bcdd5ff3708a359456fda4d01fddc8fe22b110e9e108d4e9553383649de5233d81b8a85ca9680668d89aac13

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        dbc50f06cf3d50af3f9d45eaccb48b4d

        SHA1

        a137de6e8745b21879dddd2c4f1ee76ef3c68503

        SHA256

        8f4f82b9e6b3897898ee63a9469fe000af92172e58b6a24f6dada6d05dc41d25

        SHA512

        c2a6745aba4426581b05ab2ebe3efb3bccff651d1e451ff49d86612f5324918fccdc6da6edc9e775ac9850c5bae56e93adc4eae7b7a63940147a762f44dd5cf1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        5b2b18433b9ac40fb7e33f93c6c88aee

        SHA1

        c49188ffc9cc4d41b7e8b26667b9a78f78e3af16

        SHA256

        54ba0f994e174c059b5bf9837c96ec8d920d3ff153ddc25a08a02c17b6b081e7

        SHA512

        651587e19d32d04e65b0b1c683d7fe4d84a75a75ded7dfadc01149485d611acbe1cde94652615fb914fa1aef536be66defe64f42a180de91b8bf9d5269c5eb08

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        fd549512b7657c3d2529ccd3141bf819

        SHA1

        4617e8924c1d3389520ce8a83913b3f7b465e9a5

        SHA256

        04bd9423f7e93a31e4097073d427cbc8300201d83520b75ac556717ee981a650

        SHA512

        ba3e614237ceefc833b5664e38b889e3394b1313879d1262809ea988754ddd93c01c606d4f7d649075ba6fb09073d88572a22ecf8ca273029f490bda4d90ccad

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        943b733c66d71985ffceb9baafb0bbf0

        SHA1

        6913b920038b5e4db963e46db4778c6551e69a5c

        SHA256

        def1491d8b683d9e429d4c91d2ba32b4a0ad648b2682d2e34f9c593146fbafd2

        SHA512

        53b02c6d5b60e9d4ff29e11e60a34262c9859898e05ab1ed1fb00e6be2ce7cd8a07a726168ac82543b16bec02643ccb4ecc14992e29a38262c228d292e69e770

      • C:\Users\Admin\AppData\Local\Temp\CabF9C.tmp

        Filesize

        67KB

        MD5

        2d3dcf90f6c99f47e7593ea250c9e749

        SHA1

        51be82be4a272669983313565b4940d4b1385237

        SHA256

        8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

        SHA512

        9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

      • C:\Users\Admin\AppData\Local\Temp\Tar1129.tmp

        Filesize

        160KB

        MD5

        7186ad693b8ad9444401bd9bcd2217c2

        SHA1

        5c28ca10a650f6026b0df4737078fa4197f3bac1

        SHA256

        9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

        SHA512

        135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

      • \Users\Admin\AppData\Local\Temp\svchost.exe

        Filesize

        55KB

        MD5

        ff5e1f27193ce51eec318714ef038bef

        SHA1

        b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

        SHA256

        fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

        SHA512

        c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      • memory/1960-9-0x0000000000230000-0x000000000023F000-memory.dmp

        Filesize

        60KB

      • memory/1960-8-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2864-20-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2864-18-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2864-17-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

      • memory/2864-15-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB
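
Most of the Downloads list above is not the sample's doing: the CryptnetUrlCache metadata file (listed ten times because it was rewritten, with a different hash each time) and the Cab*.tmp/Tar*.tmp files are left by CryptoAPI certificate checks whenever Internet Explorer runs, and the memory/ entries are dumps with only a size. The one file worth pivoting on is the dropped svchost.exe. The following is an added example, not part of the report: a parser for the report's own bullet and label/value layout, fed an excerpt of the list above (blank lines dropped, the cache entry cut to two of its ten versions, hashes as printed in the report), plus a path-based classification whose noise patterns are my heuristics.

```python
import re
from collections import OrderedDict

# Excerpt of this report's Downloads list in its own layout. Constructed input:
# blank lines removed, the CryptnetUrlCache entry cut to two versions, svchost.exe
# reduced to MD5/SHA256. Values are the ones printed in the report.
REPORT = r"""
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
8f989b714c7fd67d55e28d7ae2549480
• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B
MD5
c332341a508d05195091217eb9d1c39b
• C:\Users\Admin\AppData\Local\Temp\CabF9C.tmp
Filesize
67KB
MD5
2d3dcf90f6c99f47e7593ea250c9e749
• C:\Users\Admin\AppData\Local\Temp\Tar1129.tmp
Filesize
160KB
MD5
7186ad693b8ad9444401bd9bcd2217c2
• \Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB
MD5
ff5e1f27193ce51eec318714ef038bef
SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
• memory/1960-8-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Noise patterns (my heuristics): artifacts of IE's CryptoAPI certificate
# checks that appear in practically every run regardless of the sample.
NOISE = (
    re.compile(r"\\cryptneturlcache\\", re.I),
    re.compile(r"\\temp\\(cab|tar)[0-9a-f]+\.tmp$", re.I),
)


def parse_downloads(text):
    """Parse the report's bullet + label/value layout into a list of dicts."""
    entries, cur, label = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue                      # the original layout is double-spaced
        if line.startswith("• "):
            cur = {"path": line[2:]}
            entries.append(cur)
            label = None
        elif line in LABELS:
            label = line
        elif cur is not None and label is not None:
            cur[label] = line
            label = None
        else:
            raise ValueError("unexpected line: %r" % line)
    return entries


def size_bytes(text):
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text)
    if not m:
        raise ValueError(text)
    return int(m.group(1)) * UNITS[m.group(2)]


def classify(entry):
    path = entry["path"]
    if path.startswith("memory/"):
        return "memory-dump"
    if any(rx.search(path) for rx in NOISE):
        return "noise"
    if path.lower().endswith((".exe", ".dll", ".scr")):
        return "payload"
    return "unknown"


def summarize(text):
    """Group entries by path, count distinct versions (MD5s), collect payload SHA256s."""
    groups = OrderedDict()
    for e in parse_downloads(text):
        g = groups.setdefault(e["path"], {"kind": classify(e), "versions": set(), "sha256": set(), "bytes": 0})
        g["bytes"] = size_bytes(e["Filesize"])
        if "MD5" in e:
            g["versions"].add(e["MD5"])
        if "SHA256" in e:
            g["sha256"].add(e["SHA256"])
    pivots = sorted(h for g in groups.values() if g["kind"] == "payload" for h in g["sha256"])
    return groups, pivots


if __name__ == "__main__":
    groups, pivots = summarize(REPORT)
    for path, g in groups.items():
        print("%-12s versions=%d %7d bytes  %s" % (g["kind"], len(g["versions"]), g["bytes"], path))
    print("pivot SHA256:", pivots)
```

The noise list is intentionally narrow: it matches only paths that CryptoAPI writes on its own, so a sample that drops a file into the Temp directory with a different name still surfaces as payload or unknown, and a rewritten path is reported as one group with a version count rather than as ten separate files.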