Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240611-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    16-06-2024 06:06

General

  • Target

    b20c8a186c62e2c9ae1918656201ad40_JaffaCakes118.html

  • Size

    234KB

  • MD5

    b20c8a186c62e2c9ae1918656201ad40

  • SHA1

    30f6f1964ffe13f9877f5dd47e935850fb416083

  • SHA256

    b7ae8d4e6a5edefaf39773dbcdbf61d2d1780afb077286f6ea6667f7630c5abe

  • SHA512

    04070c727857ab55aa38f9ca6accdb6dbd40358ef13d90fc2d555b8f05386669fca0800ded775761a92396c94b2fa7763f84ed123983fa9e066d33830053946e

  • SSDEEP

    3072:SRjjyyfkMY+BES09JXAnyrZalI+YwyfkMY+BES09JXAnyrZalI+YQ:SRnsMYod+X3oI+YtsMYod+X3oI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose members include file-infecting viruses, worms, and banking Trojans.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b20c8a186c62e2c9ae1918656201ad40_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            PID:2004
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:2920
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:406535 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:668676 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2012
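The process tree above is the part of this report a detection engineer would turn into hunting logic: a browser tab process launches an executable named svchost.exe from the user's Temp directory, that executable starts DesktopLayer.exe under Program Files (x86)\Microsoft, and each dropped stage then spawns an argument-less iexplore.exe that the WriteProcessMemory signatures mark as the likely injection host. The following script is an added example, not part of the sandbox report or of any vendor tooling. Its event list is constructed from the report's tree (PIDs, image paths and command lines as listed); the ProcEvent field names are an assumption rather than a real EDR schema, and the parent of the root iexplore.exe, which the report does not show, is recorded as PID 0.

```python
"""Hunt for the Ramnit-style process chain shown in the report above.

Added example, not part of the sandbox report. The event list is constructed
from the report's process tree; ProcEvent is an assumed schema, not a real
EDR format, and the root process's unknown parent is recorded as PID 0.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
TEMP_SVCHOST = r"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
DESKTOPLAYER = r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
HTML = r"C:\Users\Admin\AppData\Local\Temp\b20c8a186c62e2c9ae1918656201ad40_JaffaCakes118.html"

# Constructed from the report's process tree (PIDs and command lines as listed).
EVENTS = [
    ProcEvent(2336, 0, IE64, f'"{IE64}" {HTML}'),
    ProcEvent(2180, 2336, IE32, f'"{IE32}" SCODEF:2336 CREDAT:275457 /prefetch:2'),
    ProcEvent(2744, 2180, TEMP_SVCHOST, f'"{TEMP_SVCHOST}"'),
    ProcEvent(2656, 2744, DESKTOPLAYER, f'"{DESKTOPLAYER}"'),
    ProcEvent(2004, 2656, IE64, f'"{IE64}"'),
    ProcEvent(1072, 2180, TEMP_SVCHOST, f'"{TEMP_SVCHOST}"'),
    ProcEvent(2920, 1072, IE64, f'"{IE64}"'),
    ProcEvent(2596, 2336, IE32, f'"{IE32}" SCODEF:2336 CREDAT:406535 /prefetch:2'),
    ProcEvent(2012, 2336, IE32, f'"{IE32}" SCODEF:2336 CREDAT:668676 /prefetch:2'),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
BROWSERS = {"iexplore.exe"}
USER_TEMP = r"\appdata\local\temp"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _arguments(cmdline: str) -> str:
    """Return the command line with the (possibly quoted) image path removed."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[cmd.index('"', 1) + 1:].strip()
    return cmd.split(" ", 1)[1].strip() if " " in cmd else ""


def find_suspicious(events):
    """Return (pid, rule) pairs for events matching the four chain rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, directory = _name(e.image), _dir(e.image)
        # 1. svchost.exe is only legitimate under System32/SysWOW64.
        if name == "svchost.exe" and directory not in SYSTEM_DIRS:
            findings.append((e.pid, "svchost_outside_system32"))
        if parent is None:
            continue
        pname, pdir = _name(parent.image), _dir(parent.image)
        # 2. A browser launching an executable from the user's Temp directory
        #    is the "dropped and executed" step.
        if pname in BROWSERS and USER_TEMP in directory:
            findings.append((e.pid, "browser_spawned_temp_exe"))
        # 3. A Temp-resident process starting something under Program Files
        #    matches the report's "Drops file in Program Files directory".
        if USER_TEMP in pdir and directory.startswith(r"c:\program files"):
            findings.append((e.pid, "temp_process_spawned_program_files_exe"))
        # 4. A browser started by a non-browser with an empty command line is a
        #    typical injection host (cf. the WriteProcessMemory signatures).
        if name in BROWSERS and pname not in BROWSERS and not _arguments(e.cmdline):
            findings.append((e.pid, "browser_argless_from_nonbrowser"))
    return findings


def rules_for(findings, pid: int) -> set:
    """Set of rule names that fired for one PID."""
    return {rule for p, rule in findings if p == pid}


def ancestry(events, pid: int) -> list:
    """PIDs from the root of the tree down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule in find_suspicious(EVENTS):
        path = " -> ".join(str(p) for p in ancestry(EVENTS, pid))
        print(f"{rule:40} pid={pid} chain={path}")
```

Run stand-alone, the script flags both Temp-resident svchost.exe instances (PIDs 2744 and 1072) on rules 1 and 2, DesktopLayer.exe (2656) on rule 3, and both argument-less iexplore.exe children (2004 and 2920) on rule 4; PID 2920 also hits rule 3 because its parent is the second svchost.exe in Temp. The legitimate IE tab processes with SCODEF/CREDAT arguments (2180, 2596, 2012) fire nothing, which is the false-positive check worth keeping when adapting these rules to real telemetry.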

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 4714906e87669f9a29cc4eef8a505c32
    SHA1: aaaae28f02c2fe65d2dd17d34ca474b20627fc90
    SHA256: 4ff08710d231f835a0904812499e8858ff94e99fcd14a5ebbd0c388eda743655
    SHA512: c03ebcda99ef70b979bd71b91f4dda23c10497df9ebbc671940e3161e98343ca69defdd38ae91a8da23f4b6e3815426b265ef67cbeaa85ab529ec241e55d1759

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 64e735482d25c8f306659b9e4216e678
    SHA1: 17d8fb0d764ee128c5b9908f47d7649ec7ee2371
    SHA256: d25ddf9e2da33dd93bcdd6dde9d5c43c497cc3a2d0a3b221513754328f8be49c
    SHA512: 7f9a879734ad20f51842bc432ec597008aa4cf08ba74d6e50c2b43e25a5103e79cb16a4d93537941d7e245751d8696225e80e12412089c9a12cc0e10e64172d6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 2707f413383474e446fe265b4bce1b3b
    SHA1: b1bb42994b1f06272ddfa05f7658bb4350f70f61
    SHA256: d53761d8bf81f2ac65477bd26edf9487b7f69442e737bd98789385c0d7534654
    SHA512: 2ed6c01584f042d80e3e195894c9c1412ed11382e427a52471d5580eb19808600078790389d729237172112377761c6e6b391cc6ce7a5404585dcd6f9a10afdb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: f937a74da011d4c8f4cc79063a6e934d
    SHA1: 879a0c0384a0628f0f12bb31d6c9ba5aeaf7503b
    SHA256: d4031107ce8427410f00182c05e69d2788230fdae998aa69a2d8787544101f87
    SHA512: 2aa6eb73609c22673b58c22ac01536a4265459e85465f9450363abc7d88e782ecf15398c0592b8b4f226c75681bb35e553103a72d03e15a4dd72c148deb576f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: be0982a5f7a62399865440f78afc3b0f
    SHA1: 486e2c71278a145143ea71a823498d9c8a35cc55
    SHA256: 4ae0398304e5dc357ee64ff4ad395f6203390989d8ee692385875091496616db
    SHA512: c21a2f5b875e603693bf3bd7229c21befd2a28fa96cd4c31e4c6559bf181be593414826bbace540fb9e3e33fc74de66b0d9b3e9989190234cb32543172828827

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: a14b9ba23776c4263b291ab5886a0045
    SHA1: f95c19fdcb835e3b1f90afaa0c3034b2ebe2d0c5
    SHA256: 417370cdcb87a3e3afce5e9a886bbca70e05a56a37149b80c36a3e7716def887
    SHA512: f0a6a1af887886f589ac2927ad9afbf5f1098e0a1510346a84650a1a99b89dc6278be2de5b66a87c14d7050979bfbf14d61074f8e451ca0a75229d126d3f20f0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 62414d2ccb63b1c4bbb4448a332a9ed8
    SHA1: a11b1e6568a154073f247298fe722f57c70dd4cf
    SHA256: a677ef773c0f3d3e95cf3332abb563935d3ea3b411123c22414ef5dcf5872a45
    SHA512: 3ad914d4a18216def50d453cc00d32e1d7fe687cee7ebba1c91582b64940b706e424f196eb4a9412be917dbea704ab50e1476cd089db2d44d0ce215e936c33b7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 03ae9323a7868ded97e45828c4a4edbf
    SHA1: b4def382a8801da388552892e5755c5c77affc3b
    SHA256: a82286f1e6e6d43968e3778edde568f5bc22cea65ab9e98d9fd0c9f4661070e5
    SHA512: 38d526b0ae3ff7d0907b0355068a8dc0db0b306461d14644d23d5611198479e1e1ed5b99d3b144a3f9ded36df58c4c5152c90397e910fe4df64199f8bfb7828e

  • C:\Users\Admin\AppData\Local\Temp\Cab5A34.tmp
    Filesize: 67KB
    MD5: 2d3dcf90f6c99f47e7593ea250c9e749
    SHA1: 51be82be4a272669983313565b4940d4b1385237
    SHA256: 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
    SHA512: 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

  • C:\Users\Admin\AppData\Local\Temp\Tar5A89.tmp
    Filesize: 160KB
    MD5: 7186ad693b8ad9444401bd9bcd2217c2
    SHA1: 5c28ca10a650f6026b0df4737078fa4197f3bac1
    SHA256: 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
    SHA512: 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 55KB
    MD5: ff5e1f27193ce51eec318714ef038bef
    SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
    SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
    SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/1072-13-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB

  • memory/1072-18-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2656-24-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2656-22-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2656-21-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize: 4KB

  • memory/2744-8-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  • memory/2744-9-0x0000000000240000-0x000000000024F000-memory.dmp
    Filesize: 60KB