ramnit | add2d1002877576d121bc281d1b5b4f9939e1ed17932ba48220a1a299d77dbc2

Analysis

max time kernel
136s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c105951a368d0bb7e220849c7855b1e2_JaffaCakes118.html
Size

366KB
MD5

c105951a368d0bb7e220849c7855b1e2
SHA1

1e53e48e65a0e69172ae0ecdf92f83cccfa25476
SHA256

add2d1002877576d121bc281d1b5b4f9939e1ed17932ba48220a1a299d77dbc2
SHA512

26132fe92dcf2207beb681db0c340e6e36f4e32de61727f9c6fc4eb46745662bd805120c5a676df89aa3e0f60b62c86bf273df7eb4649d871b7a5f5043e3b69b
SSDEEP

6144:CIsMYod+X3oI+YIsMYod+X3oI+YSsMYod+X3oI+YE:t5d+X3k5d+X3K5d+X3G

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 8 IoCs

pid	Process
2608	FP_AX_CAB_INSTALLER64.exe
888	svchost.exe
2748	DesktopLayer.exe
1824	FP_AX_CAB_INSTALLER64.exe
1632	svchost.exe
2332	DesktopLayer.exe
2120	svchost.exe
1664	DesktopLayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
888	svchost.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2748-318-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2748-316-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2748-315-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x00070000000194e5-313.dat	upx
behavioral1/memory/888-280-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/888-277-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/888-284-0x00000000001D0000-0x00000000001FE000-memory.dmp	upx
behavioral1/memory/2332-635-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1664-643-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3092.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px30C1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2AD8.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\SET3055.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET29A0.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET29A0.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET3055.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_AX_CAB_INSTALLER64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000225c0587ef8bc0e8db051883cf6223315b7c58a02b9ed7a7e4403602ed405705000000000e8000000002000020000000675b623bde940b0ed7e6322e2882cc7fb9faf27db6fbd7a20034f61c58142e3420000000ec1ed84dc5057c8d98bff87ec2e6b8d69c5aabeeeb96a08753704c8dcc8ea1064000000089c67adcbec241117236fea09d463f1f069b38d6706abde4e2b60969f71c4d7255df6ed670d07c98386d657360de0259197655a8139dc25128b13a98bb9ce960	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430761129"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00163d6802f7da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000eb290e21f2176d4153bc49a4f12293073748dac717b6c567cd53c633557bc98a000000000e80000000020000200000007001a74fd2ec209387cc19904c28efeac0aa46142f7b32f53e272eda844c12b5900000001468783c97250bb8d55babe885bc58b6f465096a3a90de3f42133acb406998d80c4da429f586102546fe78e27f1793d43413acea7d59cc557655de49d28db26b6cddef06bfef29d435f9e9df6e7d5e1b36766add6dc88caaf3011efd4decb81aba6402ed0b57ae217b3d8d2c110b18f11097ccf1ba1c28f88c805730931b450058e01eeac4ab85591e386dd432371251400000006c4e7e85b09be8194f31997a9afd6252878cef166deb8a8834e75900f5ae2d34655e7bdd74e4b99ee58b76ea231d2c3113953c9119321f10c428921a19454941	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A394CBD1-62F5-11EF-AB3C-C2666C5B6023} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2608	FP_AX_CAB_INSTALLER64.exe
2748	DesktopLayer.exe
2748	DesktopLayer.exe
2748	DesktopLayer.exe
2748	DesktopLayer.exe
1824	FP_AX_CAB_INSTALLER64.exe
2332	DesktopLayer.exe
2332	DesktopLayer.exe
2332	DesktopLayer.exe
2332	DesktopLayer.exe
1664	DesktopLayer.exe
1664	DesktopLayer.exe
1664	DesktopLayer.exe
1664	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE
Token: SeRestorePrivilege	2752	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2152	iexplore.exe
2152	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2152	iexplore.exe
2152	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2152	iexplore.exe
2152	iexplore.exe
272	IEXPLORE.EXE
272	IEXPLORE.EXE
2152	iexplore.exe
2152	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe
2152	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2752	2152	iexplore.exe	30
PID 2152 wrote to memory of 2752	2152	iexplore.exe	30
PID 2152 wrote to memory of 2752	2152	iexplore.exe	30
PID 2152 wrote to memory of 2752	2152	iexplore.exe	30
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2752 wrote to memory of 2608	2752	IEXPLORE.EXE	31
PID 2608 wrote to memory of 2800	2608	FP_AX_CAB_INSTALLER64.exe	32
PID 2608 wrote to memory of 2800	2608	FP_AX_CAB_INSTALLER64.exe	32
PID 2608 wrote to memory of 2800	2608	FP_AX_CAB_INSTALLER64.exe	32
PID 2608 wrote to memory of 2800	2608	FP_AX_CAB_INSTALLER64.exe	32
PID 2152 wrote to memory of 2876	2152	iexplore.exe	33
PID 2152 wrote to memory of 2876	2152	iexplore.exe	33
PID 2152 wrote to memory of 2876	2152	iexplore.exe	33
PID 2152 wrote to memory of 2876	2152	iexplore.exe	33
PID 2752 wrote to memory of 888	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 888	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 888	2752	IEXPLORE.EXE	34
PID 2752 wrote to memory of 888	2752	IEXPLORE.EXE	34
PID 888 wrote to memory of 2748	888	svchost.exe	35
PID 888 wrote to memory of 2748	888	svchost.exe	35
PID 888 wrote to memory of 2748	888	svchost.exe	35
PID 888 wrote to memory of 2748	888	svchost.exe	35
PID 2748 wrote to memory of 1656	2748	DesktopLayer.exe	36
PID 2748 wrote to memory of 1656	2748	DesktopLayer.exe	36
PID 2748 wrote to memory of 1656	2748	DesktopLayer.exe	36
PID 2748 wrote to memory of 1656	2748	DesktopLayer.exe	36
PID 2152 wrote to memory of 272	2152	iexplore.exe	37
PID 2152 wrote to memory of 272	2152	iexplore.exe	37
PID 2152 wrote to memory of 272	2152	iexplore.exe	37
PID 2152 wrote to memory of 272	2152	iexplore.exe	37
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1824	2752	IEXPLORE.EXE	39
PID 1824 wrote to memory of 588	1824	FP_AX_CAB_INSTALLER64.exe	40
PID 1824 wrote to memory of 588	1824	FP_AX_CAB_INSTALLER64.exe	40
PID 1824 wrote to memory of 588	1824	FP_AX_CAB_INSTALLER64.exe	40
PID 1824 wrote to memory of 588	1824	FP_AX_CAB_INSTALLER64.exe	40
PID 2152 wrote to memory of 2852	2152	iexplore.exe	41
PID 2152 wrote to memory of 2852	2152	iexplore.exe	41
PID 2152 wrote to memory of 2852	2152	iexplore.exe	41
PID 2152 wrote to memory of 2852	2152	iexplore.exe	41
PID 2752 wrote to memory of 1632	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 1632	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 1632	2752	IEXPLORE.EXE	42
PID 2752 wrote to memory of 1632	2752	IEXPLORE.EXE	42
PID 1632 wrote to memory of 2332	1632	svchost.exe	43
PID 1632 wrote to memory of 2332	1632	svchost.exe	43
PID 1632 wrote to memory of 2332	1632	svchost.exe	43
PID 1632 wrote to memory of 2332	1632	svchost.exe	43
PID 2332 wrote to memory of 2148	2332	DesktopLayer.exe	44
PID 2332 wrote to memory of 2148	2332	DesktopLayer.exe	44
PID 2332 wrote to memory of 2148	2332	DesktopLayer.exe	44
PID 2332 wrote to memory of 2148	2332	DesktopLayer.exe	44
PID 2752 wrote to memory of 2120	2752	IEXPLORE.EXE	45
PID 2752 wrote to memory of 2120	2752	IEXPLORE.EXE	45

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\c105951a368d0bb7e220849c7855b1e2_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1656
- - C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:588
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2148
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2120
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2492
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275464 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:1717255 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:1913871 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:1782817 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
55060055194985121279a6e59825d68a

SHA1
3fa01c15bdff8bbb464351dbe597e6c6b3549007

SHA256
fac8519c394467021ce0d083b80c7fea41902263dce7e9c2e26d763ac9203ef5

SHA512
35683493d97c22a3306cba7de5879e2230bdea32dc11b33529a2d692db3c377bbf39607c06c6376543d10a45ebeaad17f4caabc25d084d083dbce84acce476e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae43b56377cd3e7381e791273e3b30dc

SHA1
5e97355cb98d7f950ff05966f65b94858c62ff2b

SHA256
d051647647ab150cb38d6322426238edfdf5f2d7dda57813f93b2fd9d7ff8338

SHA512
d06248ba5069b16dfcbc1d190d6d42d4084b11f35ced746be0b71db540b98cbddb1c93a6b956b451b3d5b898765f1032c1a3cff18e997030da70d01b7bc47bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f94008f645ff448b3b37ac5633b6bbc

SHA1
a8e96bf2776e4ff7d678517648bff37a4b910d9a

SHA256
5299d3ca0568e811c3f505ce2f84c902062721de1552693b7cb74d7c7e5ccb79

SHA512
783d90fc5585bcffc1cbf81960cb2d96e0d720d292b841757a7e77952981f7d1a42d1d4f9d7f82718400314a2a4eb06786dbc21b2c2a0052fe444eea72616dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
178ac6a44871af547b6cc186b919ae98

SHA1
77787335c7e37dcbbc9030dcd73dd701ac6343c2

SHA256
3514accd7cc9bd5e410c929048cefc57f63654e817407825b40dbc7652fd1779

SHA512
04a55afbe12d4b215580a3ae64088709b5cb7ae18e3ca141fc1c310ee249199960bc6042571062c69a2a60a9bd1a47544b871af889a1c171020f70691af3fbd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eadddaf7d7f7c5702454d1653e80539

SHA1
550174c64eb48122472e987e36a8a5fbe6959956

SHA256
90682f8b48481865482d8204be680777f30ecc259c04b3a8494c8e3bcdc608d5

SHA512
b6ae52badb72fe95410c5fd70b6d6c88e177252591a02dfdfcf8dc6a3021d8767a9df9c7e725569898e2a159e91fdc3a7435329deb06906737971e185cbd8cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
725dcd275dd76dd24da343a82cffe6a6

SHA1
94ff32285008435372563df8c0890f9a07877c52

SHA256
6ac0b7b7400033fee633db3796e5675386f2b68c956758f970a71ed4c636ca34

SHA512
efafddb7eac66ad6ca69b944372ffbec7b90d4f890a785ac4afa489f0fe1e1b0b302edfdf420b9cc25f104655407e12d6806cc955ad7b50deb75a9a4635af364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11ba03e6db54f492e1e455184d333136

SHA1
872308cfa31bec350a5d6d0e366ffffdd4e8d9ab

SHA256
b6bc7a6e3c7d12e39849589d887b2c48677b2eddbc73d1c50a116f4cbffaf256

SHA512
a28c44561bbe51908fbb51880bdcb84dbbbf2e0b25868d75784ca3b8060ba7e8974fdc066395fb67ac3d6b424cef7dd21e080d895a69ad80d00ebaed2c65e6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61b8e663ad58956ff69a682293e9d48f

SHA1
eff0d62be37455c36ce3020cda6674ed45e5e59c

SHA256
aaeb5e2f27fad7a5df1325602e39ee6945f6ea6025e3d70dd41cb841864017de

SHA512
cddc5d6ce8a5ff39bd9fa2c2e19ffb5928ac341b22f0e1889286d33ade59a478b530141ee548692585ae1ad1d803163dfa5c52bc943cf615186d5b1ebb4df6b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f72819803aa842f1683336350631715d

SHA1
74f8f9183d1b1e74a35f3a059cdb994c52893867

SHA256
d9df1dfee3084bff58f73218dce94f8aacec7f021a72ae6cc1667d7ebac13218

SHA512
cc37b5c13fcef887bcc30c4da17b98a4036c3c8b88d75b717193c9400b54702c1c8d8c5c0888ba3a46a7afe91edb45d6b38460f1e46448c85e388a088fe26a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2caf3981c8424c8d6e416f0588e5044

SHA1
cc556462acef3cd8961ab155ec207036c7b6fc70

SHA256
e82d7a74527c0e47b91c51a3c8cc9197baeb86da7d30d473ce38629a9e54b7e6

SHA512
05cb8aeab5fc4d1c094bd06cb6cdb398b56f95f661c94b9e8d9fcc12cc652b19f25c736354cbd62fd60a71ea3c03f7a9128fbb379dc62b9e30ea02875e035e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74690ee936a71c2734209e04bf7d9818

SHA1
592a589ce09cab5f69234ab9cea7595dbbb2eadf

SHA256
74cff0bfe39159db7940f440d9ac49adbd756e593441b2da2d4b5c88147275d2

SHA512
753549160497f95e510cbe47a0def7154e354ac194d938c1537dabd425fd69f54a29c249e37e7950f6eddfb5c20080489f668a78e1b75dfcfe21cf77fa5b34bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf85a95d3260346668f73315e0df501

SHA1
22a22ca8753c7c39c6d1eeea9ccd81291800dc53

SHA256
8b8f013c663d6e32f9af7faaddbeea843c818c0cc92ed264efd3a33ece2750e0

SHA512
5bad163115e65ad8bfc2ad487c41cc59d839c9b8b0e624f514c6ba0254a7ff3dca7d742a65ca7b9eaa0bb0e43b110f59ad834a1d27bb2ea6a2e4d018c9eca4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d963fbe7689e2a8ac5e9efa28e7e627

SHA1
94b5a8839d50d79a69d5b0c85516a3f6a24fbf77

SHA256
347d18114d0d12085429dcdb45d65c5992e776edabf0c9c32479011ab724de74

SHA512
35719bd282e5b7545cc7b121bade3936214168940b50b596439ee34f82c85e8dd2ea03f067059135c83e6fdb68782cf8d04afe375376b4257ad2d49ffbceec17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a9e677501b1537dc15f6bdd0a904459b

SHA1
be9259ba9df581d7a789ba01a3f500fa7e4a0b78

SHA256
14933fd7bc747c581ab908c11814d890ad69a48c65367aebe82d1c843730ca93

SHA512
d7c62bf96bcd6141529175a834913b2fc37e256f8cb156b7fc96be6bdf3595ec5e6952360296e6e8713d3fec1f441e36d0c9d75b950c94e24381d51f0742601e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9ae28b0c41d48542fe9fc9d563379ca4

SHA1
02acf53b9e4fc421c7289ab1b7052e4dadabb2ce

SHA256
0fc6c59b18637e0814c88b1560342200f4b938f6cdba64f80756b00997376803

SHA512
e49ae4ad60b46deba51ce7fb3a06cb26e00394648dd8182663f0f9f761c4ff5ad24b878c857fb8d54fb2de681cb571c68ed9f85dc95dcb228a9dae3305baf99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab257D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25FD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/888-284-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/888-277-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-279-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/888-280-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1664-643-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2332-635-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2332-634-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-315-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-318-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-316-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2748-314-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download