Analysis Overview
SHA256
0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48
Threat Level: Known bad
The file 109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 21:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 21:45
Reported
2024-10-03 21:47
Platform
win7-20240729-en
Max time kernel
120s
Max time network
127s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px1B9C.tmp | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434153781" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5D63811-81D0-11EF-85F9-DEBA79BDEBEA} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2188-0-0x0000000000230000-0x0000000000239000-memory.dmp
memory/2188-2-0x0000000000400000-0x0000000000413000-memory.dmp
\Program Files (x86)\Microsoft\DesktopLayer.exe
| MD5 | 109cfc09fd1bf2dd9c1e05c681e5a7f7 |
| SHA1 | 9c5d91f9ad9e1d14676e7ad194a72d9077d2ee77 |
| SHA256 | 0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48 |
| SHA512 | 8012e00d69acaf133aed58033bc1815650cab3330464fc7eab2f034bedb10110210bd6e23cb30af822c46038d08d39e993cf15f3a1a3b81a03cfb27963f77157 |
memory/2188-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2384-13-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2384-12-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2384-15-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2384-14-0x0000000000240000-0x0000000000241000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 21:45
Reported
2024-10-03 21:47
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
143s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px7B4A.tmp | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C671ED26-81D0-11EF-BFD9-76E8F1516C8A} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135197" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135197" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135197" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2598699413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2598699413" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2601199461" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434756890" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3996-0-0x0000000002170000-0x0000000002179000-memory.dmp
memory/3996-1-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
| MD5 | 109cfc09fd1bf2dd9c1e05c681e5a7f7 |
| SHA1 | 9c5d91f9ad9e1d14676e7ad194a72d9077d2ee77 |
| SHA256 | 0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48 |
| SHA512 | 8012e00d69acaf133aed58033bc1815650cab3330464fc7eab2f034bedb10110210bd6e23cb30af822c46038d08d39e993cf15f3a1a3b81a03cfb27963f77157 |
memory/3996-5-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3996-7-0x0000000000400000-0x0000000000413000-memory.dmp
memory/848-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/848-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/848-10-0x0000000002040000-0x0000000002041000-memory.dmp
memory/848-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/848-12-0x0000000000400000-0x000000000041E000-memory.dmp