Analysis Overview
SHA256
bcfeda6d22c47c5c1ff37c1abbf3145f94e056d3ac4250e944b82dd0f77b9998
Threat Level: Known bad
The file 109501687d7ed43ba97699f19ce50b45_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 03:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 03:32
Reported
2024-06-26 03:34
Platform
win7-20240611-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px1A73.tmp | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425534611" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B425FE01-336C-11EF-A05A-CE80800B5EC6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 03:32
Reported
2024-06-26 03:35
Platform
win10v2004-20240508-en
Max time kernel
77s
Max time network
93s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px47E6.tmp | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B8502EDC-336C-11EF-BA70-D64620966489} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425534629" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
memory/2324-1-0x0000000000CA0000-0x0000000000CE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\109501687d7ed43ba97699f19ce50b45_JaffaCakes118Srv.exe
| MD5 | ff5e1f27193ce51eec318714ef038bef |
| SHA1 | b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6 |
| SHA256 | fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320 |
| SHA512 | c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a |