Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 28/10/2024, 20:26
Static task: static1
Behavioral task: behavioral1
- Sample: 7ab6cfd6c2265d303a4c044d965996d7_JaffaCakes118.html
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 7ab6cfd6c2265d303a4c044d965996d7_JaffaCakes118.html
- Resource: win10v2004-20241007-en
General
- Target: 7ab6cfd6c2265d303a4c044d965996d7_JaffaCakes118.html
- Size: 156KB
- MD5: 7ab6cfd6c2265d303a4c044d965996d7
- SHA1: a6d064adde0d8a576564ee1cc45377bf4615072e
- SHA256: 94034612c569519e203dfa1b8337f3c0acd22dd9e9feafdb173ee3d162c5e247
- SHA512: 2078e82193b111ee6cc68b1a86855fa46e05a78384d21cd3ba6e80d3980d5660d8f08e6075599d2ec87babf6b74dcb6a44981c66849abc86d81321bcf50d64ea
- SSDEEP: 1536:iTRTu/p/vmkXLyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJruH:i9KLyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
- Ramnit family
- Executes dropped EXE (2 IoCs)
  - PID 1272: svchost.exe
  - PID 2992: DesktopLayer.exe
- Loads dropped DLL (2 IoCs)
  - PID 2912: IEXPLORE.EXE
  - PID 1272: svchost.exe
- YARA rule matches (rule: upx)
  - behavioral1/files/0x0036000000019490-430.dat
  - behavioral1/memory/1272-434-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral1/memory/1272-437-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral1/memory/1272-436-0x0000000000240000-0x000000000024F000-memory.dmp
  - behavioral1/memory/2992-447-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral1/memory/2992-445-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral1/memory/2992-451-0x0000000000400000-0x000000000042E000-memory.dmp
  - behavioral1/memory/2992-449-0x0000000000400000-0x000000000042E000-memory.dmp
- Drops file in Program Files directory (3 IoCs)
  - File opened for modification: C:\Program Files (x86)\Microsoft\px8585.tmp (svchost.exe)
  - File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (svchost.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (svchost.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DesktopLayer.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 2992: DesktopLayer.exe (x4)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 2004: iexplore.exe (x2)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  - PID 2004: iexplore.exe (x2)
  - PID 2912: IEXPLORE.EXE (x4)
  - PID 2004: iexplore.exe (x2)
  - PID 692: IEXPLORE.EXE (x4)
- Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 2004 (iexplore.exe) wrote to memory of 2912, procid_target 30 (x4)
  - PID 2912 (IEXPLORE.EXE) wrote to memory of 1272, procid_target 35 (x4)
  - PID 1272 (svchost.exe) wrote to memory of 2992, procid_target 36 (x4)
  - PID 2992 (DesktopLayer.exe) wrote to memory of 2272, procid_target 37 (x4)
  - PID 2004 (iexplore.exe) wrote to memory of 692, procid_target 38 (x4)
Processes
- [1] C:\Program Files\Internet Explorer\iexplore.exe (PID 2004)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7ab6cfd6c2265d303a4c044d965996d7_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2912)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1272)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2992)
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files\Internet Explorer\iexplore.exe (PID 2272)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 692)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:472076 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads