Analysis

  • max time kernel
    134s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 04:25

General

  • Target

    b1b6a8aba281ea115f4482d8f81fc2d0_JaffaCakes118.html

  • Size

    460KB

  • MD5

    b1b6a8aba281ea115f4482d8f81fc2d0

  • SHA1

    e10c85b832f6e927c47ba9403270cb5762abdf4c

  • SHA256

    ce53a7c5fbff464e5360656020ae8c6fe7e051a303db230b0b7dad52db4e083c

  • SHA512

    e9900427660a1c4a08b1e1a048b742796b222081881cfbf8c879be72399ff34b897cdae5d7281cb30c851ef869de946b33e02735f1ec03a9142942af1a6dc725

  • SSDEEP

    6144:S8ZsMYod+X3oI+YMsMYod+X3oI+YlsMYod+X3oI+YTsMYod+X3oI+YQ:3l5d+X3o5d+X3D5d+X315d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file infectors (viruses), worms, and Trojans.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Drops file in Program Files directory 9 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
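The UPX signature above rests on static features of the dropped PE. What follows is an added example, not the sandbox's own rule, of the three checks a practitioner would combine: the UPX0/UPX1 section names, the "UPX!" marker the stock packer writes into the file, and per-section entropy, which still fires when a modified UPX has renamed the sections and patched the marker. The PE images are constructed inside the block (only the section-table layout is real); the threshold of 7.0 bits per byte is an assumed rule of thumb.

```python
"""Static UPX indicators for a PE file.  Added example, not part of the sandbox
report.  The PE images built here are constructed test data, not real samples."""
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly distributed (compressed or encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Walk the PE section table: name, raw offset and raw size of each section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i                                       # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        out.append({"name": name, "raw_off": raw_off, "raw_size": raw_size})
    return out


def upx_indicators(data, entropy_threshold=7.0):
    """Return the UPX indicators present: section names, packer marker, packed-looking section."""
    secs = pe_sections(data)
    tags = []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        tags.append("section-names")        # stock UPX names its sections UPX0/UPX1
    if b"UPX!" in data:
        tags.append("upx-magic")            # stock UPX writes a 'UPX!' pack header
    if any(s["raw_size"] and shannon_entropy(data[s["raw_off"]:s["raw_off"] + s["raw_size"]]) > entropy_threshold
           for s in secs):
        tags.append("high-entropy")         # survives renamed sections and a patched marker
    return tags


def build_pe(sections):
    """Constructed minimal PE32 image with the given [(name, raw_bytes)] sections (test data only)."""
    e_lfanew, opt_size = 0x80, 0xE0
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_off = -(-headers_len // 0x200) * 0x200                     # first section starts on a 0x200 boundary
    table, body, rva = b"", b"", 0x1000
    for name, raw in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), rva, len(raw), raw_off + len(body), 0, 0, 0, 0, 0xE0000020)
        body += raw
        rva += max(len(raw), 0x1000)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_off, b"\0") + body


# Constructed samples: stock UPX layout, a "modified UPX" with names and marker stripped, and an unpacked control.
PACKED = build_pe([("UPX0", b""), ("UPX1", b"UPX!" + bytes(range(256)) * 32), (".rsrc", b"\0" * 64)])
RENAMED = build_pe([(".text", bytes(range(256)) * 32), (".data", b"\0" * 64)])
PLAIN = build_pe([(".text", b"\x90" * 4096 + b"hello"), (".data", b"\0" * 64)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, [s["name"] for s in pe_sections(img)], upx_indicators(img))
```

The entropy check is the one worth keeping when the names and marker are gone, but it is also the noisiest: a legitimately compressed resource section or an embedded encrypted blob scores just as high, so treat it as a triage hint rather than a verdict on its own.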

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1b6a8aba281ea115f4482d8f81fc2d0_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3020
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2816
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1092
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2956
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2892
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275464 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1172
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:406538 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1620
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:734218 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: c74af8559e2cc271d9dea17f6ee58886
    SHA1: dbd37f48b9c75d93829926d77515f8a4c9e2c4de
    SHA256: 856ef6f4a04ad62baf7e50c7b70aa4c86f12529d6d604fb629f7a9d48178c6c7
    SHA512: a101cb4e8e211f8339142292051380e1877092d3587e3657ac00656a6c9185932e4503ea29df83efa5737ed1ca6ecbdfcc8dbd9ed8f3dc4410a5ee7758fa3610

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5e2c6551a15fc6276584e38b68310db8
    SHA1: 0ecd34437bc0a07ecf1879949334c7db645f725b
    SHA256: 275d6ac3ad68a60a6164e35df0f08e94266ac184c462dbd8ffe3bc69eabeee72
    SHA512: aba65dc982af008d14f00c10bcc7fbf8b3c51b493b851727a3dbadd4e6ea746dc18179134fc78ff16a3e1b531fbbb9136480dc28d03649bdd055efb3e157a179

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 83efa1aeae6f792c3a9a148486967505
    SHA1: 0f561ded50008448c63767b9de7f48cddd3dea88
    SHA256: 1e145fb51335565dfc3656253da358c0878ce020d9b9f64d7e0d5c17bb1a3bdf
    SHA512: da7bae2419eb692d8028a2c5b31268dac699b70974f12f7c7c875f93753fd759b2704864e23619a201f9f46d39ae04756bff60aab8d409ef5d250ecbae0cae07

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 2a08c93411552211e2c9ac7460bf4962
    SHA1: 1f6c1aad14e81fad7a6ab067287d874319c98bd3
    SHA256: 46a263aaafbfb2d9e958f43de1846abaeec58472145ff599ebe9336c8402758e
    SHA512: f54f203977ec4d39d611072fac6602bebba339fa327069441115f53520f3976ecacb7813e4ef09c6e85385dbb337f8b2c5ba432d32797ee71755ba996e3995e8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 73374188efa0e28c78b8f8236ec0b280
    SHA1: 2e2e55e9419b801e66dca2d0a18bb23d7c011095
    SHA256: 8ad5e5f0f790dd459b4f847c55929bd085b2a370798c5ade7614bccf01d1c4eb
    SHA512: 6084dbc1a152c46de05d80aad29cdefd2eb3024cc77c237c4e642e0e2b7df738668a7d9a20fbba9c6632c039ea9c0e0d7562f20850c3ad575bd093650c561f35

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: db92ae56996b9dd6a66b820caa1eff12
    SHA1: dedd3bc9795ee0704c4b04223f1fd8b44639f06b
    SHA256: 70b5efd2044c1748ed82762853853bc9f1c2233831a39212417ffcd47232c0a7
    SHA512: f517c3aa05cc7ffef5256e0f6b033187c2d5d2ae2644be56e83e36a9ff5e1bb9a68e2ad3133ddb445e9e02255440efcf36773c89907a3c95e571c65558566c2e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 0baa61996405e3a4f1ce8ac768561e51
    SHA1: e4899df21d924db9d0e9989289d78795031689bc
    SHA256: 7b7e35dc355a16fdb909431f982523ba224af834fb38f1a51a2e35ee8dfcf48f
    SHA512: 02304afa8f9d678e806ba37811f222b16b41ded7189a244f76c6ede33915f1d2b4de8f90ae3cd3cd499221f22942b86bb64a347ad9272e12c59c4fe01de586ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: a882ce78dd63d42af5e1b41247ebafa5
    SHA1: 8444906e5ca3983dccd75210231e49ebefc26e8d
    SHA256: 57c56a46a0a4861bb51ed84fa9bc625b6813f6f4c7f675386689842480484459
    SHA512: eb6e3691de5601a16d9040679725c6bc9b0890a497c48053f048fb760e5378a16ec004d018d48dba3e900b8839817042c2f08aa6d868de6d01f33c840a90dd9d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: ccfc1f101be534225007f40f3efb778f
    SHA1: 80222c7642fdd411194667ca6adf784de9001f69
    SHA256: ae51c1f0cd1ef5dde8c86bfb734d1fb7c91e1ad48c9e0005188adf92752f00bc
    SHA512: dbd039047663ca0826efdae22b69bb92efd78d699e8b0a262a0be23f0bcce7ea49c2541cdbe0db070318a1b539a3533a3069ff9ba10c9a4c2061005a761ebfdf

  • C:\Users\Admin\AppData\Local\Temp\Cab149C.tmp
    Filesize: 67KB
    MD5: 2d3dcf90f6c99f47e7593ea250c9e749
    SHA1: 51be82be4a272669983313565b4940d4b1385237
    SHA256: 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
    SHA512: 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

  • C:\Users\Admin\AppData\Local\Temp\Tar154E.tmp
    Filesize: 160KB
    MD5: 7186ad693b8ad9444401bd9bcd2217c2
    SHA1: 5c28ca10a650f6026b0df4737078fa4197f3bac1
    SHA256: 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
    SHA512: 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 55KB
    MD5: ff5e1f27193ce51eec318714ef038bef
    SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
    SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
    SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/2528-31-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2620-26-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2620-24-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2620-22-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2620-23-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/3004-19-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/3004-17-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB

  • memory/3020-8-0x00000000001C0000-0x00000000001CF000-memory.dmp
    Filesize: 60KB

  • memory/3020-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/3020-6-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB
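The listing above is what an analyst turns into IOCs: dropped files with four digests each, and memory dumps whose names encode the PID and the address range that was captured. As an added example that is not part of the report, the block below parses that listing (both the label-on-one-line and label-then-value layouts the page uses), checks each dump's address range against its reported size, and computes the same digests for local data so a file can be matched against the records. The excerpt is constructed from three of the page's entries (svchost.exe and two dumps of PID 3020); everything else is assumed.

```python
"""Parse the report's Downloads listing into IOC records and verify it.  Added
example, not part of the sandbox report.  REPORT_EXCERPT is constructed from
three entries of the page; the helper names are assumed."""
import hashlib
import re

# Constructed excerpt: the svchost.exe entry in the page's label/blank/value
# layout and two PID 3020 memory dumps, one of them in "Label: value" form.
REPORT_EXCERPT = r"""
• \Users\Admin\AppData\Local\Temp\svchost.exe

  Filesize

  55KB

  MD5

  ff5e1f27193ce51eec318714ef038bef

  SHA1

  b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

  SHA256

  fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

  SHA512

  c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

• memory/3020-8-0x00000000001C0000-0x00000000001CF000-memory.dmp

  Filesize

  60KB

• memory/3020-9-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB
"""

FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?::\s*(\S+))?$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMG]?)B$")
HASHES = ("md5", "sha1", "sha256", "sha512")


def parse_size(text):
    """'342B' -> 342, '55KB' -> 56320; the report rounds, so callers compare with slack."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[m.group(2)])


def parse_report_files(text):
    """One record per '•' entry; a field's value is inline after ':' or on the next non-empty line."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).lower()
            if m.group(2):
                current[key] = m.group(2)
            else:
                pending = key
        elif pending:
            current[pending] = line
            pending = None
    for r in records:
        for k in HASHES:               # normalise digests for case-insensitive matching
            if k in r:
                r[k] = r[k].lower()
        if "filesize" in r:
            r["size"] = parse_size(r["filesize"])
    return records


def memory_region(path):
    """(pid, start, end) from a dump name like memory/3020-9-0x...400000-0x...42E000-memory.dmp."""
    m = MEM_RE.match(path)
    return (int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)) if m else None


def check_memory_sizes(records):
    """[(pid, start, region_length, matches_reported_size)] for every memory dump record."""
    out = []
    for r in records:
        region = memory_region(r["path"])
        if region is None:
            continue
        pid, start, end = region
        out.append((pid, start, end - start, abs((end - start) - r["size"]) < 1024))
    return out


def digests(data):
    """The same four digests the report lists, for matching a local file against the records."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASHES}


def find_by_hash(records, value):
    value = value.lower()
    return [r for r in records if any(r.get(k) == value for k in HASHES)]


if __name__ == "__main__":
    recs = parse_report_files(REPORT_EXCERPT)
    print(check_memory_sizes(recs))
    print(find_by_hash(recs, digests(b"not the sample").get("sha256"))[:1] or "no match")
```

The size check is worth running on the real page: every 0x400000-0x42E000 dump is 0x2E000 bytes (184KB), the default 32-bit image base and a region larger than the 55KB file on disk, which is what you would expect from the UPX signature above, since a packed executable unpacks itself into its image in memory. The dumps, not the dropped file, are therefore the better input for static signatures.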