Analysis

  • max time kernel: 117s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-06-2024 08:48

General

  • Target: b2a44ebcd43824126edc85d3f2bc3ca2_JaffaCakes118.html
  • Size: 347KB
  • MD5: b2a44ebcd43824126edc85d3f2bc3ca2
  • SHA1: f7ac814a366c089e48b78e9d444e2cb5d4d2e766
  • SHA256: 972bf30a80e63035f9b42bfe0d7f766e82f35a102328357cc479a41cc0b0f999
  • SHA512: c85c00e970eeb473c87333c45556c4a0e6cc64666dbe18009bda191733f26c31551aea7c672756c677f3c21959d12dc4d6df6ea9690b233d5ffdb78bef49c83f
  • SSDEEP: 6144:JsMYod+X3oI+YNpsMYod+X3oI+Y5sMYod+X3oI+YQ:V5d+X3F5d+X3f5d+X3+

Signatures

  • Ramnit
    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (5 IoCs)
    Detects executables packed with the open-source UPX packer or a modified UPX.
  • Drops file in Program Files directory (7 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 40 IoCs)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 2196, depth 1)
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b2a44ebcd43824126edc85d3f2bc3ca2_JaffaCakes118.html
    Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2172, depth 2)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
      Loads dropped DLL; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2616, depth 3)
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2700, depth 4)
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          • C:\Program Files\Internet Explorer\iexplore.exe (PID 2716, depth 5)
            "C:\Program Files\Internet Explorer\iexplore.exe"
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2588, depth 3)
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        • C:\Program Files\Internet Explorer\iexplore.exe (PID 2420, depth 4)
          "C:\Program Files\Internet Explorer\iexplore.exe"
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2484, depth 3)
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        • C:\Program Files\Internet Explorer\iexplore.exe (PID 2960, depth 4)
          "C:\Program Files\Internet Explorer\iexplore.exe"
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2536, depth 2)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:406537 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2796, depth 2)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:6435842 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2760, depth 2)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275468 /prefetch:2
      Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC (914B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (70KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 (1KB)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC (252B)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B; nine successive versions of this file were captured, each with different content)
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (242B)
  • C:\Users\Admin\AppData\Local\Temp\TarFAF.tmp (181KB)
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe (55KB)
  • memory/2484-28-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
  • memory/2588-23-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
  • memory/2588-21-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
  • memory/2588-20-0x0000000000230000-0x000000000023F000-memory.dmp (60KB)
  • memory/2616-12-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
  • memory/2700-17-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
  • memory/2700-15-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)