Analysis

  • max time kernel
    129s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 02:44

General

  • Target

    f6f0fdc3711ed209c79aa1afad6a004a_JaffaCakes118.html

  • Size

    157KB

  • MD5

    f6f0fdc3711ed209c79aa1afad6a004a

  • SHA1

    145410319ee27062121585b05b7e290c4a929336

  • SHA256

    796134526b8030e5eb0daf3eeb45caaf783178bfcc6bd6c56197b32e99b4331a

  • SHA512

    0359cf4d9aea01ec69be14e400ae55eb6510ff30c642afdecdfe267b15e5d01d0717a2fd649e354df98ec16ddcf4fb5a17da300376dc8f0588ca93a8beea146f

  • SSDEEP

    1536:iqRT6+AHVEFtqyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJruH:ioKMtqyfkMY+BES09JXAnyrZalI+YQ

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
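
The "UPX packed file" signature above is a static check on the dropped executables. The following is an added example written for this page, not the sandbox's own signature code: a minimal PE header parser that reads the section table and entry point and applies three indicators, the stock UPX0/UPX1 section names, the "UPX!" marker stock UPX writes after the section table, and the packing layout itself (a first section with SizeOfRawData 0 but a large VirtualSize, with the entry point in a later section), which survives the section renaming that "modified UPX" builds use. The three PE images it scans are constructed byte strings built by the helper, not the samples from this report.

```python
"""Static UPX / modified-UPX indicators for a PE file.

Added example for this page (not the sandbox's signature logic). The
sample images are constructed with build_pe(); they are not real binaries.
"""
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: name, vsize, va, rawsize, rawptr, ..., chars
SECTION_LEN = struct.calcsize(SECTION_FMT)  # 40


def parse_pe(data: bytes):
    """Return (entry_point_rva, sections) or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    if coff + 40 > len(data):          # need COFF header + start of optional header
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (PE32 and PE32+)
    table = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_LEN
        if off + SECTION_LEN > len(data):
            break                       # truncated table: keep what we have
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return entry, sections


def upx_indicators(data: bytes):
    """Dict of indicators and a verdict ('upx', 'upx-like layout (possibly modified UPX)', None)."""
    parsed = parse_pe(data)
    if parsed is None:
        return None
    entry, sections = parsed
    names = [s["name"] for s in sections]
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    # Packing layout: first section is an empty-on-disk unpack destination and the
    # entry point (the unpacking stub) lives in a later section.
    packed_layout = (len(sections) >= 2
                     and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0
                     and entry_section is not None and entry_section != sections[0]["name"])
    upx_named = any(n.upper().startswith("UPX") for n in names)
    marker = b"UPX!" in data
    if upx_named or marker:
        verdict = "upx"
    elif packed_layout:
        verdict = "upx-like layout (possibly modified UPX)"
    else:
        verdict = None
    return {"sections": names, "entry_section": entry_section, "upx_named": upx_named,
            "marker": marker, "packed_layout": packed_layout, "verdict": verdict}


def scan_file(path: str):
    with open(path, "rb") as f:
        return upx_indicators(f.read())


def build_pe(sections, entry, trailer=b""):
    """Constructed minimal PE32 image (headers only) for demonstration; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                          # AddressOfEntryPoint
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                                 0, 0, 0, 0, chars)
                     for name, vsize, va, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed samples: stock UPX, UPX with renamed sections and no marker, and an unpacked layout.
STOCK_UPX = build_pe([(b"UPX0", 0x8000, 0x1000, 0, 0x400, 0xE0000080),
                      (b"UPX1", 0x3000, 0x9000, 0x2400, 0x400, 0xE0000040),
                      (b".rsrc", 0x1000, 0xC000, 0x200, 0x2800, 0xC0000040)],
                     entry=0xB5A0, trailer=b"3.96\0UPX!")
MODIFIED_UPX = build_pe([(b".text", 0x8000, 0x1000, 0, 0x400, 0xE0000080),
                         (b".data", 0x3000, 0x9000, 0x2400, 0x400, 0xE0000040)], entry=0xB5A0)
CLEAN = build_pe([(b".text", 0x2000, 0x1000, 0x2000, 0x400, 0x60000020),
                  (b".data", 0x1000, 0x3000, 0x200, 0x2400, 0xC0000040)], entry=0x1200)

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("modified", MODIFIED_UPX), ("clean", CLEAN)):
        print(label, upx_indicators(img))
```

The layout indicator is the one worth keeping in a triage pipeline: renaming UPX0/UPX1 and stripping the "UPX!" marker defeats the name and marker checks but not the empty-on-disk first section with the entry point in the stub section. Run scan_file() on the dropped svchost.exe from a report like this one to see which of the three indicators fire.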

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f6f0fdc3711ed209c79aa1afad6a004a_JaffaCakes118.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
              PID:896
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:406539 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2380

    MITRE ATT&CK Enterprise v15

    Downloads

    Note on this list: the CryptnetUrlCache\MetaData entries are Windows CryptoAPI certificate and revocation-list cache files written during ordinary browsing, not malware drops; the artefact of interest is \Users\Admin\AppData\Local\Temp\svchost.exe (55KB), the executable the process tree shows being dropped and then launching DesktopLayer.exe.

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      248ee8089db6fb66a721bcaaedd8ad81

      SHA1

      e5178643d039a7d948a6b7d3f8a6b9aebe3e09c0

      SHA256

      13c269d6d50bd12af4383d4ac39d0fc3def022173aa49f3426d158bdb15cde65

      SHA512

      9a52c97debef876d8d94ae57efbf7339fa595c094bd2968fa9b073a831654d2dce316c2b46570b415ca48a0a45b3a46f687bbbb58b5722c94388c9b8b18e2f71

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      caeeea0baf2a330c016d86cf31fecb23

      SHA1

      6a0ab18fb746a4157f59f72d747d0a9806af741c

      SHA256

      254cd74b8b505cdb825d809de6f3ac9f76d2f9a9c43434f79e25955132ad8169

      SHA512

      e2d827ac9dcff7b18b1810a8b0474735de2e4543a763fbe7cea2dd75e85c3a3bc55302935c24728c4c52a1fe8267bfd3e59281a55a1f3f704b6467a75098e011

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      5bc1c1522332bfe6e08cfaabc5a3f121

      SHA1

      7ffceb04f6e9a370d99d3f4ba9e3e53b44aa1e1a

      SHA256

      6d62c2a4f5cc24b1a55cc26480b4200554437a53ef8018d6359a7de0bdfc7f31

      SHA512

      560bbad29a392277bbb48654a2eea4c712715f6baba25460c46f1083735950c3abe996833b4f7bf0a098e58f465c89886b0f7ad038f1209e760e70102910ad3a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      de8b48ccaace092e63c1efc60683d0a7

      SHA1

      4e9f02b804bedcce37fd8b86d0393ea998c31695

      SHA256

      6841f3c96dbaf3a9343a1e59cdd33473616280607028ca741f5da0e5b3a0683a

      SHA512

      9b474bafee36ef41229a7fdd1218be138609c743540b4009eb487bb513542e8de4a5e07cb4bb1442081e95959e783c2b87c182678b00652523ad131cdb12b6d4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7fcd451d7215157ddadb9fd30910a9c6

      SHA1

      664288686c2f33ae1648321fde0dba874485d225

      SHA256

      969c661c127e18bfbe653b94c45f70a593d4583c28e8c78f544a703196469236

      SHA512

      64e687ecf3f9b15e2053290d5a7ec96fa84daa8806ef671f83f66639dc8ae73331e1ead483d2347ccfb950ef18dcdb092e84ecff8eae729a052e5bf8023a7107

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      14e6306cdf4ea8f706e8e0cacca11540

      SHA1

      e03e1e205fb7feaefff593a12d6bddc04e050ade

      SHA256

      4129176e520042fdf843991d7947c9fb411348479fd4f108bd391527d7041e27

      SHA512

      39ca3cb9d43b0e02320f600f17bea91e1ab06e335d1a51814b3bf37305cd8719a39791191a014b69e3b96b3256b4dc8513d4bfa0dac0599c531bf6681682c1e0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      602eeef3b01cb12ec7c57a57d9b9a478

      SHA1

      5c874bc14526486587d1b827a77c8de97997a697

      SHA256

      12fa70c287c9236a292b4efa2fc13c174e2b59e007986daf59d58bec4f5f0c20

      SHA512

      cf15df9acd4d3c7cd74f83f640a7b4d197b596b438d0e9544638ee685d86d1dc8505094fbc9664bb4b671a8ff3311974e9716fd6f9ddbf9ce182411802e12c9f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6d5f9de12e5fc6366d2ce64be13cd977

      SHA1

      9056ef7c68bf95980cfb22b3b9a0d8411284cb0d

      SHA256

      425f07d80bf0a9e4e35cd80f5e84cccdf92a26679e1a140de8a03040746ac86f

      SHA512

      65e6ddc9f52ab34d613d6f1601adc0b5edbdd9d2bc7704d7255d7cc38de7fa508e2eb617ad2900b9d7ca8fb6e45169ffd18b3bddeeef5a473166e9474d14fe25

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8520e2b10ef4a9a9448701c1edf996b1

      SHA1

      aad5102367fde19a4225960963fc06e2e9f5cb9d

      SHA256

      c34b48767267cb7cb25e3e04408340bc2dde3d8c8a950fc6c63c6d0fc9fe9257

      SHA512

      15b1b781c1e5ed7eb5a9219647672f15f065d97c7b2fb86657c46edf036a4bea790883dc7e8e2e167aa8363c5713b807c4475c8522f11242111102766ab59954

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      75dd067d31d25ebb94a2ce03f0695c89

      SHA1

      b8cb5e04eb50ae4a4483af86358abbb0b051a837

      SHA256

      b0f63daa65957e1f87315614062d7867f746d03ae0ec7f2f11d69e550dfd0c48

      SHA512

      f6b9c4859b2264254863d38d2f32f766ed5b5307b98797cf98e300f1ed18ca1fb3126393b3c013d8e066aad2f52447b70d9bd2aa05aacde565c7b83fbbb19a68

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      7d102dfa0041412a52abe02ddc0efe0f

      SHA1

      f0f8a002565c8cda14a6391f981d536b0a7b8b33

      SHA256

      f73b528ec8c4e0914a9d1929983d7c084d98ca678cab6a470ec4602cb85ebc88

      SHA512

      81ef6d7ec1ab8888876e66ee854cfaa01c0f2458156f79f28da2371b0fca2d1422ee8cda3e14afb0a6388a50f14f8456e70ea576668fdc50bafc4516f262e800

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a8e372084ad78347cc5a51bf76853b82

      SHA1

      af7df68498cc5dfb8d7dae7200d95f72a900bc0f

      SHA256

      8b72b4c4682dfaff1fdf197b1dad40f94d1d0bb649c6bcb4c311f51600fa889b

      SHA512

      1eeae47ffa6d0012249d5309303a0c4edde94278aedb67dac096f4ea603ede8143f257b24214460fc6e3c84811f2d41d87e361c4c1adc230620e4b52aa585d65

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      fa8ffae52a4cdb1a4ef49ccc3ebfbf4d

      SHA1

      41fa6eb1b298a261b0da5ceac3138488a2903ef9

      SHA256

      6344917af369af2db5cb274aaecaba2af8f4cdb2f23f96a443f5a026b0e841da

      SHA512

      097ed5f356c7b209c34c55a5116e016b90ad0a8ba631d5829bcc6f8c0f153cb510e76bc09d3cbee3e3e4e22235892095ab82e972f45a74ec1774be59580a4a70

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      2909ecbfc97dbc2c4fde956af71c2c02

      SHA1

      ee333f0bac1fdb476286cd8e257e91e0dbeb56fa

      SHA256

      c0db7b62b4e557906d005a62b69fc76e3889d91a662759971957712cad8eb2be

      SHA512

      2ff14ded77ce969692acd907f86a2b8a65d7291a3ac763a51888e3f5cb4410a57eb6cd8ecb250687fed42d983e847ea1e5f1282addccb5ae3844c930926925bf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      de8b764a0a2f9d69083dd6c1ea95343d

      SHA1

      822deb72129f1840d197447c53c979a158581c56

      SHA256

      046bf0a9e44fc22f12d389eeb0979830eb033a83843b3ba6145b13e0fc2869cc

      SHA512

      6f4ad0bc358c8a540a1db1dfacd4995a7cf83485a89c053b45b4f252a35187a8952ac243e50d3da54f41e4d4319a0ed3e0659aa53151e1f925125498048675ed

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8c6b66ec95ee263f2f6e5b29509662f0

      SHA1

      13167c683793ff4fe159228c796e021f2b152e1a

      SHA256

      b0b1faa07d56ece44b9bfe16fda77a2b93daea4eea96e964f0dcdc3fcb8d791f

      SHA512

      a1f247fdf1c6459b9219b789ca759f275c150597f4d818b4ce725011c6b0fb37a9952fdbc5596e94e41c6289e6b472bb7b43e75248edb23513305198d80255d3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      e8ac7cc75181591b3cf3a49e627b77dc

      SHA1

      5ff6e8cbf651c53094d22b7cb11e039fae4b0acb

      SHA256

      116cb4437a165c1fe2889ce385e027a1f5bcaf2c31ea03d74ac3eccb98a8cffb

      SHA512

      e3cf7517a41186d176bdb2a2305ee2e196b60ac153e53c1c0424354aa785c39f985cf55c2508923d57c04d48237c515574667652e3aafd901cec3f175fff37f6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f78a9f3fdfc7be1805452983f8b7ad5d

      SHA1

      e4a7daf49f13e907e74ece5bf0b510005b5f9eef

      SHA256

      92c791050b4401330c3a020f5c17e9a38cc624bfeea37020b5519aa391df8b49

      SHA512

      770afb7c220f0b8a3abf13a038432ea1b2bf9de7005f3e5573a7fcf4679215d1b9aeff2c153053a2a57130a8b4379e0ab851afa1328c89258ffefcfb35eba94d

    • C:\Users\Admin\AppData\Local\Temp\Cab54F5.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar55A4.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • \Users\Admin\AppData\Local\Temp\svchost.exe

      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    • memory/636-444-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/636-446-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/636-447-0x00000000002C0000-0x00000000002C1000-memory.dmp

      Filesize

      4KB

    • memory/636-448-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/636-449-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1612-442-0x00000000003D0000-0x00000000003FE000-memory.dmp

      Filesize

      184KB

    • memory/1612-436-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1612-437-0x00000000001C0000-0x00000000001CF000-memory.dmp

      Filesize

      60KB