Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 05:49

General

  • Target

    b1fd7d85480aa32192c83a4c4b681619_JaffaCakes118.html

  • Size

    343KB

  • MD5

    b1fd7d85480aa32192c83a4c4b681619

  • SHA1

    890387e7a31e1e67d87e6f170a6a7adef21307c3

  • SHA256

    467d19258dba9ab3d9f1460683ccd6602f1dd906055bf97c02177b804a07a32d

  • SHA512

    b84788a81d9122d76105ad399ff07303cd5353a14d410e74d7691642c1a569883e9af37b99ce776eb65a8b81f6256a756eb7419d357939168a19817dee56b6ec

  • SSDEEP

    6144:SmssMYod+X3oI+YfisMYod+X3oI+YjsMYod+X3oI+YQ:da5d+X3W5d+X3R5d+X3+

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b1fd7d85480aa32192c83a4c4b681619_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:2592
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
                PID:2680
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              4⤵
                PID:3016
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275467 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2672
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:406550 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1896
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:734216 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2896

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          8eb65ae6817a9682c6992caea4557887

          SHA1

          59bdf13164f35bba5b1ec825e26767caa6b3dab6

          SHA256

          e0bfa0492f1f4ddabbe1c51bc6226d84e9504b1dc527633fb4a82e03329c3ea1

          SHA512

          c7783950ceff3e5b2ee44fd62d6c4c0a201ed0f66e61d39583ef97eb564120bbfe86df2dd74cae43942942dae41cfa167443f6327f7e68d2b79080838dbec2a8

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          6a782b3e2911fb3601c7e87d2e73d67e

          SHA1

          f61c370706a3dda2d71589ef0a95e53b54438fa5

          SHA256

          948aaed92edf56a8b27bcef1cb6387c6e7279688a64dbe89d6ef10b7ab790c95

          SHA512

          9454b576151141782946e43384fb5daa990eec305ef17196e057b65d0146ae470e937c7a8a57b81ed3031acfbb4b630b90118786e4cdb4876a0e9ddf852152e6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          debcb219e3e57ca0e7f89bd8ed988ea8

          SHA1

          889b939c82fc602745df4883358574807b867b30

          SHA256

          5b947da3ef4a3d638bf575750c3006bfb86608181309122ce958ac9951906870

          SHA512

          c6de4b7010a9c9a75cc40b2639cfd996a3332631a555bd0109358678f8714422dced3fff01574c153d565a96faee37a0ca3f933bc22d2050fbe2eb74bc08bf47

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          f9b94c7242ee6584c72663495329b1d8

          SHA1

          3d6874f1e88dc581140ecd96f6b683e8ab0a780d

          SHA256

          3cb337877da3b59ab0baac968ae4591beb38eef3d10b131cd9ccf9c3d57c9d64

          SHA512

          41c3358ec579c63424d5a01601ff7e9234094f38b0441bd12d0c37601e7cf6b82c7acbef4e05f0e58c101f9d4c39fef706adbd73b1692888ef468a8cf9ed203f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          00ea59455bfeefa545fc96390916f293

          SHA1

          0f2db637a85fd61b9566381d22d9b65d0c13638e

          SHA256

          4822985ca0ec233e943ab9621dbb8cd2092cfe168eda2b3db49ca1d05db01629

          SHA512

          856c38cac03184efe05a6fa24b947506ee05630abafd5b3ea8c931f5092e0639c70a802bda5995fd32cd41e603fe5bb3e91c64b878d9d42097a19e9dfd6e0924

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0b70bb15f0bf611c5a333379bfe9d3f1

          SHA1

          22e7ebef5ab5a54bd20409824e3459c90fb6fe83

          SHA256

          bec76c57c9fcf10eaa8d43f3a99859a037d6a05752305d7ef970797dad7a2c76

          SHA512

          7ba1a58c43c7e137a86d17b4c9953691f8b5aa2c600d4826cbb01dcfbc915b05c46fbc3ea4fe735d44548f9e158cc4b722f32e2641a782176b0f6daaab33e679

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          771d76c21091008c8a8f32eda73454fa

          SHA1

          068ffe6514a04911313fcec5b6a4623b85fc87c1

          SHA256

          5203669775dfa7fd6dec29ae942bf7f7f941d8487ad43b8e24e9c7027e744ab0

          SHA512

          e1234fb31d3a880bf483dfef57a791f2a5ec5451570eaf70de7b9f6600d9ead7cb5a69ef0931cff65fffa81b7915f4bee64d6eef8b7214f820b3449738a018ac

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a4a204eb406640a1c39e482a910bc63c

          SHA1

          a6ec0b35f70de79ead1f1698101438f6cfc86093

          SHA256

          4fb51650eef91945b74c303491e89db4d18a41ba7ddd88e335ea17e614faae92

          SHA512

          dcbdd2885dba1717a26300bb63caa3fe1828d093dbf75afe4211778cd810687a0d20157f7246d08dbd631011e7ca798f0d5625b0a6cf5f770799479b4e4cf687

        • C:\Users\Admin\AppData\Local\Temp\CabC70.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarD20.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • \Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          55KB

          MD5

          ff5e1f27193ce51eec318714ef038bef

          SHA1

          b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

          SHA256

          fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

          SHA512

          c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

        • memory/2248-455-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2248-466-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2248-463-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2248-460-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

        • memory/2540-461-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/2540-462-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2792-20-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2792-19-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2792-17-0x00000000002C0000-0x00000000002C1000-memory.dmp

          Filesize

          4KB

        • memory/2792-18-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3016-9-0x0000000000230000-0x000000000023F000-memory.dmp

          Filesize

          60KB

        • memory/3016-10-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3016-6-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB