Analysis
-
max time kernel
133s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-09-2024 06:25
General
-
Target
fbb0940e730b68b1df95b2ff165003fa_JaffaCakes118.html
-
Size
194KB
-
MD5
fbb0940e730b68b1df95b2ff165003fa
-
SHA1
d83f700743da4bc170a1f167b814203e49436eb3
-
SHA256
51bef8f8135b454d7c51fa8902690004f15fae152d147a99a0d0147996cda624
-
SHA512
60d7021a0b83c7ebd3bc13d3a4e6c3b3f097fe2de165b7967ca68da2c7cc5dfdb58e8bf6d288d1bcfc09ca1af49514057065010d15846bb83c8f5692ebec0598
-
SSDEEP
3072:iyfkMY+BES09JXAnyrZalI+Y6XXI6EyA8:nsMYod+X3oI+YS1tA8
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fbb0940e730b68b1df95b2ff165003fa_JaffaCakes118.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:23⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5219aa9abfdfc7b301c147518c018d122
SHA1b0bc355f34fc2c5b92893411228696140d1a7dac
SHA2562f834aff81bcaa81819bec86c951e246ca45a305d89510f03ff9ce0cc8612df0
SHA5123ae024ab33e6adaae6dedc6c91146f9273943e939592574d74d25e97f39cb6e6483f033b46d3e9208ec0d9fd908b6065a10d4b4887a9d3e1237924dbcd792d06
-
Filesize
342B
MD5f683d3bb4eb1b8da8da3b671c35c5e26
SHA114535b7fc07bad81d7c8846bf03aac1f23f84207
SHA2564bf2ea1396284d13a493dd1912b54477d57f09dc4f145dd704c5ee97f3e1fdb3
SHA512104660bdbfa7a7598114a40aada7a6371c62f0f21a7114b90a706406063e559a4f59b6cfba02727e70774a3708b9b50388ea2f0b50188ff620d61c3f3786974f
-
Filesize
342B
MD54896642cf040b44380f05cdeff4e3421
SHA18c318a061800004f5be4c6c89a08400d18d24af2
SHA2568f175a7328fe510f22955e9e3bcf1040bc4582e8855712577cfb84a30c8d4f03
SHA5127e6bb48a60cc1bc01809e6140e862d4499aa8f08fc090a54a1268162fd03f084c57e1525cebad7cc4cc24ba2bccf2f6f6709cc25b3decb3111ee1779d71dd96a
-
Filesize
342B
MD5c834bf963efc05b9553f9006ebdf4af5
SHA1d91d7ae5d7682ef8e3d6e42d80ee82ee6362f1ad
SHA256247788ba5e77dd00a1df1dbeeabaec073f3903c3ad649ea2089830218cd61e39
SHA512f4fe26647ed848aa825bff2201f1f10de7d9ad5a27f7e455d29b8efda01aa8456cd7422e4a4335b9ef4731f4b021a4bc9b56b0629eaa354c8097362622ad97a4
-
Filesize
342B
MD536e396186517eca7cd179c20b7467a57
SHA11f987a8b91d8eeaf569c0f5ef91f8f3c470b651c
SHA2568fb34fde9859f3c4e86649653dd8c53f508f4f0a1dddb8b61111eb695aa184aa
SHA51233c0d6c879e8b4c1e37e44651ff4459fd189cb808ea8870e06325bc463dab8a0a3c506c72698986d0663f050a82474554d9f4af30338235b57d57c24b8709603
-
Filesize
342B
MD57b815ef9d605dd204a91c665835fcfa2
SHA10b34eda369e1dd97c9a1b70499bd21a28865739f
SHA25653866b6f039a6898ce779638874af3c2e62c13cb417adb4fa30d1073200b2370
SHA5129fc9ff69c07f99ffc145c1c8e4c12b1bef765458ba88e41b215c014c94e3e5dd757573abf038f611fc28bea4a52971711b5e589f2bf16d60e02cebeef1016bdb
-
Filesize
342B
MD5232966e4f935e8db70947c579eb41e7f
SHA10d1902c77b6774e280948f1631c00b70857888ac
SHA256b0cde9b7a21e083201733e22c50b9325eef32ef7543417ab767d313cd7d9a4ab
SHA512d54e40cd0b848cd57391f3726c33ba1782590b43a1497c9aedd297df7766bb526563903ba26edf36304ab9862eb12700baa49d5d32484911f2d6da55b8c3bd93
-
Filesize
342B
MD5390f119c5d1935208f77645c906498ec
SHA1daeb535fba0d1f25c6927c3b212f9d90abd6c59c
SHA2562486e547f4e9746316fc63072145f2885a9dd117c9d0d80309bc1b8b4be31097
SHA512ae956b171489aac10c663a8ae15e40f7f17487674d3eba5a6f80c04377848460da5e94998b5afb46c98ab8f6a2564c1dbda6fda91eab3b4cddb85d0fb115a94f
-
Filesize
342B
MD5ea4280e236427751ca14492fe76a9019
SHA18fc7ec253eab1f56051f1f68b257835f92019027
SHA2560248039f6e706fd358fa57029f908803dcbe15f64a06a21bb5ed21c1b1c9d1c6
SHA51286de85e4067351a21040dee48175922c3d4ee7dc3b2dcb5b6d260369a179fa4b176b021d90549ef0b3073a203f544381b4bfb2a753a6ba95c9f3664f4c840175
-
Filesize
342B
MD5a2ba6260891faf25dd11a880c9f6afe5
SHA15d026c2fcde480078290911a959bd3eac958f0b3
SHA25678cfe9000ce36fffb23d06d746ec3e202536a03acef677aa00eb4adfd97f87e3
SHA512553252b517ce48d4c72c911f9372eb19296007dd310fc67ab7415ffcc23b344372c88e6bf27b8f2b839959df3ff9a584f138a6a956f9c3ad2cc8da8aae3b3d11
-
Filesize
342B
MD590e61edaab0e14e4e6bdf9f55b9e794b
SHA16329fddad1fe7ceddf9ad7c185b30d6f949e83c5
SHA2566bf6d9d84e873be585cbca592f68eba75b091e23405d2462024e9a4357807d4b
SHA512d649d6dca776b321e1f95185a2ad9e37f80d0d1139edfa2d0e836da48e52fcdb1a6e0e9f3022a7eab9af8b6840b495ffe368561fbe485060484aab2798bd7b22
-
Filesize
342B
MD5dcb3f5bda28ecef589424407019ea29b
SHA11095577419bc19043e3c2c852ad3dc74c72cc9bb
SHA2560f68f5b200e37dd5437e9b81a0bbf2d6ecf05eef82a493c51105f36029f12c79
SHA512a7653fc535cac6a8125509610a58677b9c56578482619232a16e442dce474cf02107f46f53316595628e0871902b6100e9e2e75577bd4813b055f9508c0602e7
-
Filesize
342B
MD5f115daf52372e174a05f643a18bcaeaf
SHA1f06e7ce2063d777e92b3e11a3c8d479242648182
SHA256b7ca75f43e042a2a846cf229d77938c8e479403f2d1949719ebb948a1b018275
SHA5124fdbc4c6ecc92e97186bfd3e575a35f836b4015c7ca8a5fc2b135dd4123ffc9a772eea6f738abd363b343ea3b1ac4edaa019e553754a532a43bfb90bb730bdda
-
Filesize
342B
MD5c53c3ceb5055f5078452025707a23672
SHA1fd9b15030fa95b7c527595dc611b9ad6393a1516
SHA256c0b8bd908ad9d287c7e49b47b7aef7c48d215c2fd3a6adcab6d0066534eb42ce
SHA512213fd86336efb1264a8b575a57b92b54adec8e4c68007453a4cc18db6b5921dfec771c2afe330944afc440d97dc55498a9f7a6184c155ca6265dec1426821ec3
-
Filesize
342B
MD54a62865e43385c0a44d4e68a622919d5
SHA1d363658ddd3920830299667a4cd5fdf0f245d808
SHA25630178225fd3598b42a7eeaf6603a548efc74d821aa0f74eeb510e1b42bf9500a
SHA51256ffe1584600b59f6bc6fbeb50dd3f46d66c7f44ff85d33c38b46e6cbfb49d3c4a913ea3c61bc3ba2e5c3a25e6c6e477cbc6fd0d7b34e94393ef1c0590f0ecd0
-
Filesize
342B
MD55c2f7ac4fcca342c937237f389bbde38
SHA17166b403ab088c38ceac1e79fdcccce8bff2a1b0
SHA2561191712403f70e5aac2033f6a45bef474b3d6335111237076fcf61bee228a9a6
SHA5122425d14864515ec7e9d7ee70138ed081f5a0c7b46a336ca4cbf5b9b057c99ac5c257603ce496e9617f00c349b1c6b6d70c6e8f9643013ed27c0c57087e93062d
-
Filesize
342B
MD59bf482397d82ff6ee1465e5a9c67f850
SHA1baec6e4219f6823d3c4de9ef878590f23f330094
SHA256146da06a338d3511758a90facfda819386920d8e8cdfff0664b622f5bb9f3735
SHA51266a17051872e71ee269f92b21573b7dfd7e751af3c0c0d0bd01196fc2aacb1b2057df111e39f13010e30ab13c43678fbf84690fd7ca6b407a79791d29b76a2ec
-
Filesize
342B
MD5aaff2d2a8176e44f9485f6dd0dd1b7f5
SHA15214f81e0062ec907d8da565824aa6c56a81e3f5
SHA256aa002dbe670b64e34992585eb8795ea100ff982d8258e8183c4efa09904b9400
SHA512742070964c5401328cea52b3c0b6a2439366971e8e0ace12a81e7a4abf08acfa1de68547d1e49307ff9fda673fc29b5242db40550fd90cf8528a3ae60c2af0bb
-
Filesize
342B
MD5df62c5ac51455a894d8edacac8ae783f
SHA18a4ed5260d284056050e54a88b620e2406ccce93
SHA25601d80053cbcd167e76c68cf566f11f56e89284f995dfd828786dbf4e2d03a1bc
SHA5124b71dc70d6f16081d9a3d23455100b959f41946f386e204322df0f24ae288506afb50ca0e9fce597462ce03325887365af5934263e2e5cd5f9e3b03654b45be3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
84KB
MD5df455f0fa8fb3fa4e6699ad57ef54db6
SHA151a06248c251d614d3a81ac9d842ba807204d17c
SHA25615068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
SHA512f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
4KB