Analysis
-
max time kernel
134s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
16-12-2024 05:10
Static task
static1
Behavioral task
behavioral1
Sample
f77642870e000628e9e9e57c9414d659_JaffaCakes118.html
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f77642870e000628e9e9e57c9414d659_JaffaCakes118.html
Resource
win10v2004-20241007-en
General
-
Target
f77642870e000628e9e9e57c9414d659_JaffaCakes118.html
-
Size
116KB
-
MD5
f77642870e000628e9e9e57c9414d659
-
SHA1
ded31f6b4e34c67b8d47633d559a2b59345632a7
-
SHA256
b23b12ca5f1ec1c61da0e90d144ab4d34b5c03d9dc7184cb621472580bb49d6e
-
SHA512
96b9986f09bded8244c78390831ab5d80b2dc5564d471b52458ea9d91cd4bd41a3d1cb44f9834cc44f8c967b7e9658cf31058ca98c70f71ff4138a9d9c70c5cb
-
SSDEEP
1536:SxXyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGCsn:SxXyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process
2896 svchost.exe
2720 DesktopLayer.exe
-
Loads dropped DLL 2 IoCs
pid Process
2780 IEXPLORE.EXE
2896 svchost.exe
-
UPX packed file 6 IoCs
resource yara_rule
behavioral1/files/0x0007000000016cab-2.dat upx
behavioral1/memory/2896-7-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2720-15-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2720-21-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2720-18-0x0000000000400000-0x000000000042E000-memory.dmp upx
behavioral1/memory/2720-20-0x0000000000400000-0x000000000042E000-memory.dmp upx
-
Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft\pxF650.tmp svchost.exe
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
-
Modifies Internet Explorer settings 36 IoCs
All keys below are under \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\
description ioc Process
Key created Toolbar\WebBrowser iexplore.exe
Key created Recovery\PendingRecovery iexplore.exe
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe
Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000056337e729c0bbe4eb441b43e674268f5000000000200000000001066000000010000200000000266d941110fe4d207eeb78e93b9b0e49fa0b4f992d79170378c3c03e074589c000000000e8000000002000020000000b4025079e6f5efacfdce4e9dcf3c11150c28f56e9e3da690a2accb7d68fbc440200000008e5defd203aa27c2bfdc090d209b48630bae2ddbe3e79533cf2dd3c9f5a2e02240000000df9a6ff6128fe236efe48bf36d10d4fe656ffd3dc242d0432f70e48d80065222700565693dc072b426147b2a151bb0990ea7c444819e6214b79c54350fb07c55 iexplore.exe
Key created IETld\LowMic iexplore.exe
Set value (int) Main\CompatibilityFlags = "0" iexplore.exe
Key created Recovery\AdminActive iexplore.exe
Set value (str) Main\FullScreen = "no" iexplore.exe
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created IntelliForms iexplore.exe
Set value (int) Recovery\AdminActive\{1C1FB1E1-BB6C-11EF-BBA4-FA59FB4FA467} = "0" iexplore.exe
Key created TabbedBrowsing iexplore.exe
Set value (int) TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = 109b09f1784fdb01 iexplore.exe
Key created LowRegistry\DOMStorage iexplore.exe
Key created LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Key created PageSetup iexplore.exe
Set value (int) Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Set value (str) Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (data) TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000056337e729c0bbe4eb441b43e674268f50000000002000000000010660000000100002000000020f73342d93fce378b913270f02a7e40fd70940688204a20f05463bfc17fc75e000000000e8000000002000020000000b043dc26b4459220b7e8f25208c30afaa39a61c1005b5ff6a2534f852dd9043e900000004b112c94ada2667ae4eaf9d1a619ecbabc19c3dea66d62b06a52f25231c6e2e5abbc92734f6c7a08a8ff8f27e35c87762e7ecd6d1245177b6edc92b885063b61cee97a1349075992e8b70b72aa684b44500404c5009893df48558f615bb9b14ee6d02ec7a74ce512035f9e0c0845fe5c43ab062c2d1874f844d2df2c14b4eac8e85c1c23139fb63eeeb535c3088ca732400000001cc1de1e1395e514f48e4c40786a59fec9a4c2fc56cabd0915920fdf092e60af0ccd1a7532b0bfa96badb27a84b37a6622ab7fa1d5a1bc15effc037da60c4d47 iexplore.exe
Set value (int) DomainSuggestion\NextUpdateDate = "440487715" iexplore.exe
Key created BrowserEmulation\LowMic iexplore.exe
Key created Main IEXPLORE.EXE
Key created TabbedBrowsing\NewTabPage iexplore.exe
Key created InternetRegistry iexplore.exe
Key created Toolbar iexplore.exe
Set value (str) Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created GPU iexplore.exe
Key created Main\WindowsSearch iexplore.exe
Set value (int) Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created Main\WindowsSearch IEXPLORE.EXE
Key created Zoom iexplore.exe
Key created LowRegistry iexplore.exe
Key created Main IEXPLORE.EXE
Key created DomainSuggestion iexplore.exe
Key created Main iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
2720 DesktopLayer.exe
2720 DesktopLayer.exe
2720 DesktopLayer.exe
2720 DesktopLayer.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2380 iexplore.exe
2380 iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
2380 iexplore.exe
2380 iexplore.exe
2780 IEXPLORE.EXE
2780 IEXPLORE.EXE
2380 iexplore.exe
2380 iexplore.exe
1912 IEXPLORE.EXE
1912 IEXPLORE.EXE
1912 IEXPLORE.EXE
1912 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2780 wrote to memory of 2896 2780 IEXPLORE.EXE 31
PID 2780 wrote to memory of 2896 2780 IEXPLORE.EXE 31
PID 2780 wrote to memory of 2896 2780 IEXPLORE.EXE 31
PID 2780 wrote to memory of 2896 2780 IEXPLORE.EXE 31
PID 2896 wrote to memory of 2720 2896 svchost.exe 32
PID 2896 wrote to memory of 2720 2896 svchost.exe 32
PID 2896 wrote to memory of 2720 2896 svchost.exe 32
PID 2896 wrote to memory of 2720 2896 svchost.exe 32
PID 2720 wrote to memory of 2568 2720 DesktopLayer.exe 33
PID 2720 wrote to memory of 2568 2720 DesktopLayer.exe 33
PID 2720 wrote to memory of 2568 2720 DesktopLayer.exe 33
PID 2720 wrote to memory of 2568 2720 DesktopLayer.exe 33
PID 2380 wrote to memory of 1912 2380 iexplore.exe 34
PID 2380 wrote to memory of 1912 2380 iexplore.exe 34
PID 2380 wrote to memory of 1912 2380 iexplore.exe 34
PID 2380 wrote to memory of 1912 2380 iexplore.exe 34
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f77642870e000628e9e9e57c9414d659_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2380

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2780

        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:2896

            C:\Program Files (x86)\Microsoft\DesktopLayer.exe
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              PID:2720

                C:\Program Files\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  PID:2568

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:5911555 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:1912
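The WriteProcessMemory table and the process tree above describe the same chain in two flattened forms: a browser tab writes into a process called svchost.exe that runs from the user's Temp folder, that process writes into the DesktopLayer.exe it dropped under Program Files (x86)\Microsoft, and DesktopLayer.exe in turn writes into a fresh iexplore.exe. The Python below is an added example, not part of the sandbox report. It parses the rows in the report's own column order, deduplicates the repeated entries, rebuilds the chain, and applies two heuristics a detection engineer would lift from this run: an svchost.exe image outside System32/SysWOW64, and a memory write that crosses between a browser image and a non-browser image. The PROCESSES map and the row text are copied from this report (rows abridged); the rule names, SYSTEM_DIRS and BROWSERS sets are this example's own assumptions.

```python
"""Rebuild the process/injection chain from the flattened sandbox tables.

Added example, not part of the sandbox report. WPM_ROWS and PROCESSES are
copied from the report above (rows abridged: the report repeats each edge
four times; two copies of the first are kept to show the deduplication).
The two checks at the bottom are this example's own heuristics.
"""
import re
from collections import OrderedDict

# pid -> image path, from the "Processes" section of the report.
PROCESSES = {
    2380: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2780: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    2896: r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    2720: r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
    2568: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1912: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
}

# "Suspicious use of WriteProcessMemory" rows, in the report's column order:
# PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
WPM_ROWS = """\
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2380 wrote to memory of 2780 2380 iexplore.exe 30
PID 2780 wrote to memory of 2896 2780 IEXPLORE.EXE 31
PID 2896 wrote to memory of 2720 2896 svchost.exe 32
PID 2720 wrote to memory of 2568 2720 DesktopLayer.exe 33
PID 2380 wrote to memory of 1912 2380 iexplore.exe 34
"""

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+) (?P<target>\d+)$"
)

# Assumption: where a genuine svchost.exe lives (lowercase for matching).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: image names treated as "browser" for the cross-image check.
BROWSERS = {"iexplore.exe"}


def image_name(path):
    """Last path component, lowercased: 'C:\\...\\IEXPLORE.EXE' -> 'iexplore.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(text):
    """Deduplicated (src_pid, dst_pid) edges in first-seen order."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["src"]), int(m["dst"]))] = None
    return list(edges)


def chains(edges):
    """Every root-to-leaf PID path; a root is a writer nobody wrote into."""
    kids = {}
    for src, dst in edges:
        kids.setdefault(src, []).append(dst)
    targets = {dst for _, dst in edges}
    paths = []

    def walk(pid, path):
        if pid not in kids:
            paths.append(path)
            return
        for child in kids[pid]:
            walk(child, path + [child])

    for root in (p for p in kids if p not in targets):
        walk(root, [root])
    return paths


def rogue_svchost(procs):
    """PIDs named svchost.exe whose image is outside System32/SysWOW64.
    A real svchost.exe is started by services.exe from the system directory;
    in this run it lives in the user's Temp folder with a browser as parent."""
    return [pid for pid, path in procs.items()
            if image_name(path) == "svchost.exe"
            and not path.lower().startswith(SYSTEM_DIRS)]


def cross_image_writes(edges, procs):
    """Edges where a browser writes into a non-browser process or vice versa.
    A parent writing into its own child of the same image (iexplore.exe
    spawning an IEXPLORE.EXE tab) is normal process creation and is skipped."""
    return [(src, dst) for src, dst in edges
            if (image_name(procs[src]) in BROWSERS)
            != (image_name(procs[dst]) in BROWSERS)]


def describe(path, procs):
    """Render a PID chain as 'pid:image -> pid:image -> ...'."""
    return " -> ".join(f"{pid}:{image_name(procs[pid])}" for pid in path)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    for path in chains(edges):
        print(describe(path, PROCESSES))
    print("rogue svchost:", rogue_svchost(PROCESSES))
    print("cross-image writes:", cross_image_writes(edges, PROCESSES))
```

Run stand-alone it prints the two chains rooted at PID 2380 (the infected tab 2780 down to the re-spawned iexplore.exe 2568, and the clean second tab 1912), flags 2896 as a rogue svchost.exe, and reports the two cross-image writes (2780 into 2896, 2720 into 2568). The same two checks transfer directly to Sysmon event ID 1 and 8/10 telemetry: image path of anything named svchost.exe, and CreateRemoteThread/ProcessAccess pairs whose source and target images differ.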
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 52ff1c3b1c7f47fb0fdc447af159efb0
SHA1 2148f60d80105155f84635ce28a9963fc5ceff6c
SHA256 2ed5f9236079b6b8c0bc8f359d8cc98cf28f041b4480d3c6144e60122fe76c85
SHA512 8770b9e97b7b1f6a655807caba8f0500feb23e94f9a596d6cd6f475d8afa58aaef76b27bc6f70328711cb536a7173d0e9e8c065db00144be84cab86b9d23c62d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bfdbdca3e5b19de986ea52b1d07bd52c
SHA1 121e265c421564aa48224632b3cf50334693a0b0
SHA256 acd9d827561404375a5067371ab44ce2b1cdd39b3824cbba6b9e5d23060b8819
SHA512 682e135ae85ed2958cdf83e36a455c58c0752e1e41ec2e217422bd5393917bd2750b18a2f251d738cc5e8491c1d72b200b0a42c889241c7fee0151be27057b4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 07b02bbb17d7c823d77004d588e2340a
SHA1 e5d71e540140906166d7456180959828a95782f5
SHA256 423efedd1839f0b0d531e800137c697eefeaccb890b04a199fd526bb63017a9c
SHA512 e460683894d9b51e696f5bd94710e0f9b2fb4134cb0b92010c4b59a79b4b2acec3b9b1a8d4a29d0f0f8fad45bcae39ad4f1f17ea2e013ef9ca15388329c12448
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4df67f685d6308d74a85c4cebe5e0068
SHA1 4b3b64b7da558b00b9c2fe4bac684cd60c1cdda7
SHA256 4808f1e8a42f9d625309efc064b8607ca165fe50da69b285ca0c8a84cf0ad069
SHA512 e216fa3f1673ed9474950d1007ed161866527c72fdf9fb3b1aa34e10b99bb5ab4ad2fa69bfed783d36eb578aadadde47d47cdd81d3c3d1ba357bedbb1d154e62
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fbf595e64f9fc6250cae04a42bf088bd
SHA1 8048f2c3589c26035750a640d19615350e6f225b
SHA256 b535d8612956b5c0344f3a544fcc31fc8d3d3b0a846db7415ce9acce09453a97
SHA512 01967426e40ff5c836b70af6e25cf2b6bc2d90ba5bec3a3d5eb9f5ada2e21e3f111a0261a3eee4a2541a59d52505b253901cae6c9387785ef39a19447cbe72c3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f5b0dda31d01f8e29771970c2322c8b8
SHA1 5f4706b0cf50434930810ef7b27c8db410ef004c
SHA256 ae7d652af5869eb3b4c881fe49ec6405229e0b4bef2009aa89698efe91facc71
SHA512 6cdbd174bc6b217c738f1c802c88dec1690915c11f55508cf9733af2630f1a6b04b5510b85989110f114992fb71e5621005dc3b73b593ef1da5bfcfa65787c79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 a744116ea0b16032d2cd62798ad1b2f7
SHA1 93336f6944ac3bff08686496fc94bc5ab3b775f3
SHA256 a00895f8303b78f3730feeb21063d003f4a9db87ab4eb87053f0dea425fd54a1
SHA512 8135ea1fe7955a6e9d0e1f42304d01a1d71bbc35db49cb79a28450cc0a08272bb44a121e80f30a99b5f71c872cf4533e4aa84c2460bbce969714b612cc91f1e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5891e83489b66d8794b87ef8057b9079
SHA1 888d55ff6d0e39df3a36ba389fa4f56974714f53
SHA256 c4e6230016e761961bc67e7fa6f9035f78a6fa0d68fbad2ba247c85cba913158
SHA512 d31ae371bdc5de4cf2b5a039e90b120b02700eaea5c28ddc89953f3d4d898c146db07dacd8d29b5aeb3e2aada7ba414b3e597659deb530668d7b85effc100bbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e3572c40eabe39aaaadf1540024753bd
SHA1 5fe5fb51c891e945eb49eef3389e72918d62ac1c
SHA256 a717b7d7097f81afec3c8abfd656d8a0409250db014a57737e973c0f3b94ef32
SHA512 ecb7893771c15bf33897ae550c71665ae6c308074ad35390e3582190aa89db7ffe77d1684859bc4a325070bb21ccc06a1bdb15f48a28ca3eed67e976a92c2f34
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 55KB
MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a