Analysis Overview
SHA256
71c4cba0f7cab0e8780786d4951974ba46e8140b5bcc00d0eaa08d63506951e3
Threat Level: Known bad
The file 0bcb10eb7cd8759964f97fb269276091_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 01:28
Reported
2024-06-25 01:31
Platform
win7-20240221-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px1796.tmp | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425440789" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41E90151-3292-11EF-B5E8-DE62917EBCA6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of WriteProcessMemory
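Hunting logic for the drop chain recorded above, as an added example that is not part of the sandbox report. It turns the paths from the "Drops file in Program Files directory" and "Executes dropped EXE" tables and the SHA256 of the dropped Srv.exe from the Files section into matching rules and runs them over constructed endpoint events in a hypothetical simplified shape (dicts with type, path, image, process and sha256 fields); the event format and the sample events are assumptions, not sandbox output. The registry writes listed under "Modifies Internet Explorer settings" are made by iexplore.exe itself (Recovery, Window_Placement, Zoom, VersionManager and similar housekeeping keys) and the Network tables show only IE/Edge traffic to Microsoft and Google hosts plus reverse lookups, so neither is used as an indicator here.

```python
"""Hunt for the dropper chain recorded in the behavioral1 run above.

Added example, not part of the sandbox report.  The event shape (dicts with a
"type" key plus path/image/process/sha256 fields) is a hypothetical,
simplified endpoint telemetry format; the indicators themselves are taken from
the report's "Drops file in Program Files directory", "Executes dropped EXE"
and "Files" sections.
"""
import re

# Indicators from the report.
DROPPED_SRV_SHA256 = "f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386"
DESKTOPLAYER_PATH = r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

# Generalised from the observed paths: the dropper is written beside the
# original sample in %TEMP% with a "Srv.exe" suffix, and a px<hex>.tmp staging
# file is opened in the same Program Files directory before DesktopLayer.exe
# appears (px1796.tmp in behavioral1, px55BC.tmp in behavioral2).
SRV_DROPPER_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+Srv\.exe$", re.IGNORECASE)
PX_TMP_RE = re.compile(r"\\Program Files \(x86\)\\Microsoft\\px[0-9A-F]+\.tmp$", re.IGNORECASE)


def analyse(events):
    """Return (indicator, evidence) pairs for every event that matches."""
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            if path.lower() == DESKTOPLAYER_PATH.lower():
                hits.append(("desktoplayer_dropped", ev["process"]))
            elif PX_TMP_RE.search(path):
                hits.append(("px_tmp_staging", ev["process"]))
            if ev.get("sha256", "").lower() == DROPPED_SRV_SHA256:
                hits.append(("known_dropper_hash", path))
        elif ev["type"] == "process_create":
            image = ev["image"]
            if SRV_DROPPER_RE.search(image):
                hits.append(("srv_dropper_executed", image))
            elif image.lower() == DESKTOPLAYER_PATH.lower():
                hits.append(("desktoplayer_executed", image))
    return hits


def is_dropper_chain(hits):
    """True when the full chain seen in the report is present: the *Srv.exe
    dropper ran, it wrote DesktopLayer.exe under the Program Files (x86)
    Microsoft directory, and that copy was executed."""
    seen = {name for name, _ in hits}
    return {"srv_dropper_executed", "desktoplayer_dropped", "desktoplayer_executed"} <= seen


# Constructed events mirroring the behavioral1 run; these are not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe",
     "process": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe",
     "sha256": DROPPED_SRV_SHA256},
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe"},
    {"type": "file_create",
     "path": r"C:\Program Files (x86)\Microsoft\px1796.tmp",
     "process": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe"},
    {"type": "file_create",
     "path": DESKTOPLAYER_PATH,
     "process": r"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe"},
    {"type": "process_create", "image": DESKTOPLAYER_PATH},
    # Benign noise that must not match: IE starting, and an installer writing
    # an unrelated file under Program Files (x86)\Microsoft.
    {"type": "process_create", "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\Microsoft\Edge\msedge.exe",
     "process": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for name, evidence in analyse(SAMPLE_EVENTS):
        print(f"{name:24s} {evidence}")
    print("dropper chain present:", is_dropper_chain(analyse(SAMPLE_EVENTS)))
```

Two of the patterns generalise what the report shows: the dropper is matched by its Srv.exe suffix in %TEMP% rather than by the sample's MD5-derived name, and the staging file by px<hex>.tmp, which covers both px1796.tmp and px55BC.tmp from the two runs. The hash rule is exact and will miss a repacked dropper; the path rules are what catch the next sample.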
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2940-1-0x0000000000400000-0x000000000044B000-memory.dmp
\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe
| MD5 | 17efb7e40d4cadaf3a4369435a8772ec |
| SHA1 | eb9302063ac2ab599ae93aaa1e45b88bbeacbca2 |
| SHA256 | f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386 |
| SHA512 | 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450 |
memory/2940-4-0x00000000003D0000-0x00000000003E3000-memory.dmp
memory/3048-11-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2940-10-0x00000000003D0000-0x00000000003E3000-memory.dmp
memory/3048-15-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/3048-23-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3048-12-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2544-27-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/2544-29-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2D78.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar2E5B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f54e748e018c975cbf3cd0fbac771b3a |
| SHA1 | f24d3eeaf142775ae7ce9f87fb64d2088ea05ae0 |
| SHA256 | 61210ea1cc676b3420b400ca38c70fa7735f77e3abd91fd30ebb8467895b3c2d |
| SHA512 | 3f5603c38413c341d02eaee33d79d10a467f7616025425ef08799d06cc7ecf34acf465dc39ff06a53241c1ed1c1a3d95a44e0a63202fe320e2d3f5451b8e5bce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45d426dfda48b4369a9d8b5d9fe32ea9 |
| SHA1 | 959c2037028082e9b1571c71fb715ecac51d6e54 |
| SHA256 | e4e71f975017804fec4dd138649131f8d7aef5e3423792a28319d4b2d2e192ce |
| SHA512 | 81a06f615b8b3d59f9a2419f1ff6d9911778164079c69a88db288518bcba28524889fe31acd7280e607d2e5c4d5d7d2739be5b84809e9b4389149bcc8adddf50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0605ee60ddbff8225ab11af6b34784d6 |
| SHA1 | 2557afd312d5416926ef3cced84da2130f93d169 |
| SHA256 | a4bb453675b0e512f4b4ea6c423919f3337bf614b77b3c9c82a5f0481a7c1336 |
| SHA512 | b5a0de115f267d0f2696d6c2f411a08aa56e88e45202f0c86dccd5459a070cfd434b2c6e104bd5962f884eedff3f7821347f5ea9612ea93fbb1795b9f0602c0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 437d6f84cf0587037daab68cdea9c9b5 |
| SHA1 | c7743a500cb8325c92644faf00ee22b7ddc03b08 |
| SHA256 | 39ea0e55d3d0e0b8aa949bf38ee8e01b6e4f904dfcd82859dc237678d32f4b90 |
| SHA512 | 88b846b977191ff48ef78fea67f8e90ff09f9038e715f355e12d287613a86749ee7f7a7963d92669c7b00cc34fae4ab8b82b9b98def3cb966fc3617e476e8267 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7125a9d9cb1ae2df410e09b27c5fdcba |
| SHA1 | bdfa6ab3b62464ea49e636121e8c99a4184fc19f |
| SHA256 | cf45c63ddb4f74b19a6465563c408bffe176dc7f9fb010c74213a0c58bf7b674 |
| SHA512 | 83049c7a338b4227335b1bf9f2fface26b7b59d316d0ee18762c47586a4e5582060e7ce636cd639a1572756969c5506c82421450de7175567c2bc0d8b6251f66 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27a80fb32aa3a5da0fbfe97c3fa36548 |
| SHA1 | c37d8e3f17d8109b84ed7549cf75459fe61f3172 |
| SHA256 | fac3b84b044ad5bcd24f735672720ad8fd6d7220d034628f074ec20b8ec5bdcd |
| SHA512 | 820435e2a18600a55a9764f362cbd052f168d9fce313f18a4a97f6a06a1e5bca3726d96f9f2d00e76c971757e85f915de7c9dbd5d5e8f40957168ad65fa4d168 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c344de883c94e363af240108a53b30f |
| SHA1 | c900c488741960be0b863a7de18d11dcce7ece6b |
| SHA256 | bb5874db3133851d31af8f7002504055e181182324e130526978273bfc787e72 |
| SHA512 | b3f7dc3614c1098dafb8f6bff2755743715ba5973fed51d35ebd4c150466e1f521a9f880530878531e8bf380aed96ffd054ae2c76e9fcb8c50015c7ce42e6c55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c24edc84c8bbad46b6fd83bbc89c0f5b |
| SHA1 | a27aee6242ff657d70a986bc2b93af1713c51690 |
| SHA256 | 8d7136e4952c7196c0d295e550cc1b5ae0d806734bad013344b7b434f4d3f355 |
| SHA512 | 120879c4932c6eaa0532ae197b499c1bc4f93d5f2867d4d4a98bdda5e2713be4e4a44ab25128870857b5c8850286de5ff4a2bb888f7c2ded22da68aee2c8d79e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e885060caa03c85aff2d42ccf4a55c94 |
| SHA1 | b4bc75c77c54ec8476ed55d55cf97fd6646f9398 |
| SHA256 | 87fe9602afe84db02d76786e8a0a3918ecacdd2ce7f66f3b9bb35c5447c4f557 |
| SHA512 | 80de2706aab7bc521721b5e8601be8bc5856299a9dec83f43a3d2d363960dccec5efdb02f2d71e1a7883a035231ba69bf3ce87328fab9a57a95a157d7058e1d0 |
memory/2940-504-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2940-505-0x00000000003D0000-0x00000000003E3000-memory.dmp
memory/2940-506-0x00000000003D0000-0x00000000003E3000-memory.dmp
memory/2940-507-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2940-508-0x00000000003D0000-0x00000000003D2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8ba3376097a725de2b8ec7ec09f3cbc |
| SHA1 | dcbb632710a3fd47e877a386291fdadd61ae1f77 |
| SHA256 | 20aa059142b4704675036cb3eabaa5f34c9a88f10896525cad4139f353d6bc07 |
| SHA512 | c4dd5d98c07ce879198c95028485c4fc936d8babed5a9955beeb2de93a0b28140ec121c030c23ffdb8e9fa9eeae5c5c58e5276981d6e78e38a910fc870199ade |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05d1af165470230344e113adbff43156 |
| SHA1 | a2a2b190c5ec89d88abd13a4f55caa7ccae49b6e |
| SHA256 | 7645cb51a14cf50387b0b973d4286f5b9e5c46ae20d6dd84d9a74fbdcd1b8823 |
| SHA512 | e9a13634858af8b3c68c3b12973a0a78a33f4b22b3c8a1167d4e718528550e68f461772f17764dd579858925cb529214e6337413b7f75837f5ec7cabd2751912 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2fe199fe7ff8b93a58c5f5f0d2db8e6 |
| SHA1 | 04cf4ff188aa61f5f8a29e10ed992f71f11317af |
| SHA256 | f3d663a7d9e2000d821c904dcfff35f6912db42355534dd5862620cfc7886a9d |
| SHA512 | 5dddb1316d31d96c84d1d5eb235e78bff5484507227a0d246dca53f383e0fa5f52162c99dffbfbfdc8ab2cfe15f1ef7428fb25906b49c91241230039ce2cc379 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9dbbd06737ae85111360f93ec48c850d |
| SHA1 | 982b0230d10fc9e41fe4d1c35a1dc3b8d6f1f770 |
| SHA256 | a33a1aebf9208f3a3978e8e93a67aed2c27e950f19d33229dcce8e4d0c197a81 |
| SHA512 | cfc30904186dd788676f6def1063dda1f2c1de14e336871bebcc570ea6d67267dd44d49b54f386b9f6495a32b1295d9d1257a0a758ec0c8222ba0bccc76e08e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab343071181a2645ccfb5cb78814e55d |
| SHA1 | 4aa7dc70b4510f46b3e60e865e49fdb982d36c78 |
| SHA256 | fabd76dc3b614cedf063c20678fc3a45d873d0d6dd98f181fe5c13eedbb9b930 |
| SHA512 | f5fbf867e6f921640097657eac8a243dd8f544c8fdc61471aeed2075510ff1e521be440d813895ee959f4ccf31b400951bd9599c2ce0a4ad79f4c5eca6504465 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 212891b3d32ea74d0febdff58e509f8f |
| SHA1 | f461dab49b064a45111c12c2eac5eb87a0cc978b |
| SHA256 | af5ad4e201d55524f6642784832c7cca4fca98db859ae517a2d43e1cb96c767b |
| SHA512 | d04fb34276046936c5614fb5f14a4890b8b90e19ad79038c5b670072d76a654eee957811170c6cc7ae70f1ce39c05bc84f0b353b1c5b4f0a90ecdc0feb02c9ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1262de72bd56acd518c6fa3af3cb7342 |
| SHA1 | 6a9d8cb4d8a4b72fbd3388a3c6838282ddab9ea0 |
| SHA256 | e9fa16752b9c7d3b6a33b6dd7268bd44f4a17c79d118bcb5c83ba8d066957296 |
| SHA512 | e9439bcf0e7ca2359fd56e36c5671e3bb7771583055e5339b54a4717754f2d48f05724e2a94b2fa5bd336b2df2ac7f0118a24ae8af737b8162c6afc38c2f57dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8f822afa45b74ea363765a82b0e11b1 |
| SHA1 | eff05dcc7f14d0b9b071bb5f2e13cc57edb67435 |
| SHA256 | be8cb93af8f2560b2625d51641976df36322a708ba612981701e860b77dfe81a |
| SHA512 | 2038f97e34107520758794bf6093347bb993bc333a0dca8b77420f8456dcec91ff7df3b1811d763048d23b6e5f5a5d11981ab19df7d2bd688f30ffc6112971ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd0cfb8c2e33213226dbae80e2a2aa9e |
| SHA1 | 814aea9320f5ec6b9b449384745b386c78a59abe |
| SHA256 | cdf7bb670352bcaea0dda87bfc7cc561448b9dc88a4ae77f78b3587151ca87f3 |
| SHA512 | 50a7dbd2b98e5d2def7303219bb3a9fe42dae445d6834e5d89a4600a46f9cb1ae5fea429b000422c064c5d824c2f742f7b0f66dd9328ea13cb59bebd406ad0ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0f711bb219a057223f887591aa1bae0 |
| SHA1 | 6b3d143b920cced4c5508247532e76fdf48dfe0a |
| SHA256 | 15361160680fcc76f156359c61cf9679255c88370ec7b4b814e64f2f8b1d30c3 |
| SHA512 | 8d3127cb8a5a0f413964634015dae15b7d7102c940b9a99f68b536a5c46775a9f33a93fe0b506152861bf52748e8ae56e749109bc1d5b59644dc8b5611670ec8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 01:28
Reported
2024-06-25 01:31
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
170s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px55BC.tmp | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114911" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5A3F37B1-3292-11EF-B9F7-C2C57F2727CB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114911" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5A3F37B3-3292-11EF-B9F7-C2C57F2727CB}.dat = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "712812359" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "712812359" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe | C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe |
| C:\Program Files (x86)\Microsoft\DesktopLayer.exe | "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:17410 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
memory/1188-0-0x0000000000400000-0x000000000044B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe
| MD5 | 17efb7e40d4cadaf3a4369435a8772ec |
| SHA1 | eb9302063ac2ab599ae93aaa1e45b88bbeacbca2 |
| SHA256 | f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386 |
| SHA512 | 522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450 |
memory/672-4-0x0000000000400000-0x0000000000413000-memory.dmp
memory/672-6-0x0000000000580000-0x0000000000582000-memory.dmp
memory/672-7-0x0000000000400000-0x0000000000413000-memory.dmp
memory/672-8-0x0000000000400000-0x0000000000413000-memory.dmp
memory/908-16-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1188-15-0x0000000000400000-0x000000000044B000-memory.dmp
memory/908-18-0x0000000000400000-0x0000000000413000-memory.dmp
memory/908-19-0x0000000000460000-0x0000000000461000-memory.dmp
memory/908-20-0x0000000000400000-0x0000000000413000-memory.dmp
memory/908-22-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1188-24-0x0000000000400000-0x000000000044B000-memory.dmp
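A parser for the memory dump names that appear in the Files sections of both runs, added here as an example and not part of the report. The names encode PID, sequence number and the dumped virtual address range; grouping them by PID gives each process's dumped regions and the size of the module mapped at the default 32-bit image base. The dump names in the block are a subset copied from the two Files sections; which PID belongs to which image is not stated in the report and the code does not assume it.

```python
"""Parse the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names listed in
the Files sections of both runs and group the dumped regions by process.

Added example, not part of the report.  The dump names below are a subset
copied from the behavioral1 and behavioral2 Files sections; the PID-to-image
mapping is not given by the report and is not assumed here.
"""
import re
from collections import defaultdict

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# 32-bit PE files are linked with ImageBase 0x400000 by default; a dumped
# region starting there is normally the process's main module.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Return a dict with pid, seq, start, end and size, or None if the name
    does not follow the sandbox's naming scheme or the range is malformed."""
    m = DUMP_NAME_RE.match(name)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Map pid -> sorted list of distinct (start, end) regions."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d is not None:
            regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def main_image_sizes(names):
    """Map pid -> size of the region at the default image base, where dumped."""
    out = {}
    for pid, regions in regions_by_pid(names).items():
        for start, end in regions:
            if start == DEFAULT_IMAGE_BASE:
                out[pid] = end - start
    return out


# Dump names from the report (behavioral1 first, then behavioral2).
BEHAVIORAL1_DUMPS = [
    "memory/2940-1-0x0000000000400000-0x000000000044B000-memory.dmp",
    "memory/2940-4-0x00000000003D0000-0x00000000003E3000-memory.dmp",
    "memory/3048-11-0x0000000000400000-0x0000000000413000-memory.dmp",
    "memory/3048-15-0x00000000001C0000-0x00000000001C2000-memory.dmp",
    "memory/2544-27-0x00000000003A0000-0x00000000003A1000-memory.dmp",
    "memory/2544-29-0x0000000000400000-0x0000000000413000-memory.dmp",
    "memory/2940-508-0x00000000003D0000-0x00000000003D2000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/1188-0-0x0000000000400000-0x000000000044B000-memory.dmp",
    "memory/672-4-0x0000000000400000-0x0000000000413000-memory.dmp",
    "memory/672-6-0x0000000000580000-0x0000000000582000-memory.dmp",
    "memory/908-16-0x0000000000400000-0x0000000000413000-memory.dmp",
    "memory/908-19-0x0000000000460000-0x0000000000461000-memory.dmp",
]

if __name__ == "__main__":
    for label, dumps in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        print(label)
        for pid, size in sorted(main_image_sizes(dumps).items()):
            print(f"  pid {pid}: main image 0x{size:X} bytes")
```

In both runs the PIDs fall into one process with a 0x4B000-byte image at 0x400000 and two with an identical 0x13000-byte image, which is consistent with one submitted sample plus the two dropped executables (Srv.exe and DesktopLayer.exe) in the process list, though the report itself does not make that mapping.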