Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 06:44
Static task
static1
Behavioral task
behavioral1
Sample
f7c8005fb863f420f97b1447f57efb1d_JaffaCakes118.html
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f7c8005fb863f420f97b1447f57efb1d_JaffaCakes118.html
Resource
win10v2004-20241007-en
General
-
Target
f7c8005fb863f420f97b1447f57efb1d_JaffaCakes118.html
-
Size
155KB
-
MD5
f7c8005fb863f420f97b1447f57efb1d
-
SHA1
5daefcfca000e13ee774d3bce9c2be0aad019487
-
SHA256
8c858ef0191437cef0aeab642bac8302acde3efa3447c20d7f105730782d951e
-
SHA512
50344e65b065271e236beb1898fdd121efcb3dcf50441c6e63bf248da6d1cdf0ffbc4b6c6653fc0f66c02bb4113802f0bb77a0a47f5e6e85b8235d7c1af48a48
-
SSDEEP
3072:i7NrMIxa1EyfkMY+BES09JXAnyrZalI+YQ:iBMIY1JsMYod+X3oI+YQ
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 2388 svchost.exe 2276 DesktopLayer.exe -
Loads dropped DLL 2 IoCs
pid Process 2864 IEXPLORE.EXE 2388 svchost.exe -
resource yara_rule behavioral1/files/0x00310000000174a6-430.dat upx behavioral1/memory/2388-436-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2276-443-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2276-445-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2276-448-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2276-447-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxEED2.tmp svchost.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2E435BD1-BB79-11EF-8778-C60424AAF5E1} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440493329" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2276 DesktopLayer.exe 2276 DesktopLayer.exe 2276 DesktopLayer.exe 2276 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1448 iexplore.exe 1448 iexplore.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1448 iexplore.exe 1448 iexplore.exe 2864 IEXPLORE.EXE 2864 IEXPLORE.EXE 2864 IEXPLORE.EXE 2864 IEXPLORE.EXE 1448 iexplore.exe 1448 iexplore.exe 748 IEXPLORE.EXE 748 IEXPLORE.EXE 748 IEXPLORE.EXE 748 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2864 1448 iexplore.exe 30 PID 1448 wrote to memory of 2864 1448 iexplore.exe 30 PID 1448 wrote to memory of 2864 1448 iexplore.exe 30 PID 1448 wrote to memory of 2864 1448 iexplore.exe 30 PID 2864 wrote to memory of 2388 2864 IEXPLORE.EXE 35 PID 2864 wrote to memory of 2388 2864 IEXPLORE.EXE 35 PID 2864 wrote to memory of 2388 2864 IEXPLORE.EXE 35 PID 2864 wrote to memory of 2388 2864 IEXPLORE.EXE 35 PID 2388 wrote to memory of 2276 2388 svchost.exe 36 PID 2388 wrote to memory of 2276 2388 svchost.exe 36 PID 2388 wrote to memory of 2276 2388 svchost.exe 36 PID 2388 wrote to memory of 2276 2388 svchost.exe 36 PID 2276 wrote to memory of 2440 2276 DesktopLayer.exe 37 PID 2276 wrote to memory of 2440 2276 DesktopLayer.exe 37 PID 2276 wrote to memory of 2440 2276 DesktopLayer.exe 37 PID 2276 wrote to memory of 2440 2276 DesktopLayer.exe 37 PID 1448 wrote to memory of 748 1448 iexplore.exe 38 PID 1448 wrote to memory of 748 1448 iexplore.exe 38 PID 1448 wrote to memory of 748 1448 iexplore.exe 38 PID 1448 wrote to memory of 748 1448 iexplore.exe 38
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f7c8005fb863f420f97b1447f57efb1d_JaffaCakes118.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:275457 /prefetch:22⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2440
-
-
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:3421206 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:748
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD573a09ed99ec4f9bad0f6f97b1d4de400
SHA190154066c9e814546cba8c04530749adda5dad59
SHA25667b4343317fa8ca5383d112d24005a6793a631125cbf3587dab57ec4e4392a67
SHA51276d599c38e999d1532203cc7f91d8bdcc8944c610b9f8531e2894e2bd67e909d29037261aa90c0012d90cfe9333ae53be6452a8da5efddcfb166666fcb5e9cb5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e3fa648bf99d51784cec75a3830ee77e
SHA162bcb73908fc6f7e6065d2445963489905bf1a9a
SHA25624f8fec0a38d973b585f206c8774666ae3c218010935a993c7f78c41957d0630
SHA512045cd9ab55e1a5d603b7ea3a1e01bd94a4e204e69afb5de600d7b0bfbd370eb57e02fcdb162b53dcc20c28ad1342c5174dc9ab49fdfd554125afeb1fd1dad9e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57b576ed69d6303d5edeb79f7751ef33f
SHA19b73d70929e54587ba87e8c8f65473210bc8d9c4
SHA2567579e1e41d2240e6e9de161eed83ac881d39fe6d1f8ed09e70225edc08956b1b
SHA512c0a9c30f31d4ffd2172627dd3e41f6df5e2eb46208ff2aaf8e6879e79e99e90e5766fde6e9ec370cab8dbb7e709bdcabf2469c86ea9207ac2eb4828ca3219197
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50a11c549f5c49eb4c25a8e216c1cff4f
SHA1d6104b1c6e04ee6d334de3cc1afcb483a7df1930
SHA256e0a7b32b9c23de87dd35e86361b1b66814521074bd9134514bb332a7cd97a7d4
SHA512f989937b1b0e1465c7ec1014cbd35b476486c53877f76ac3c381cb18ef49c63d7d7b023bbbdc6cb784c9ea4403e1c1498dec2e19cbca88781819f42f95fefc36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5668999b75c5a6f23582223ee5c9c904b
SHA117370d4f169a3277e3e812db1b3e06d20804c720
SHA256065aae467ff314a4f8249b5fea2de727705d921bdea865e2d981ef05472e4af9
SHA51242f763942cf8bb34ade91da740869749460b1b04a6afa651e94249c4d36888c8b6faa681e2e122d2ff260e843bba3450a4369918673a961b60166f1fbd646d7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5afa5d45f9de7dac8137f1121eb682f6b
SHA18aacade995193bf134e1a9a724a780aeae556a0b
SHA2568316f2844484ed7f2d81afc22e1fe509cd377f211c18256f709d9fe47fad6f17
SHA5121e475e2c4945239da56dc123d6699fd593da59e93d360b440413ae2a5a2ef9435676f676a88b29e6d361db2c8ea64a37fb07c728bbae418fb5c17e7d2bef7569
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5347f8c36a37b00562be57efef6f7d9d4
SHA14d2c866c0cca69d4acb7aad6ccd4b875f74f4ad7
SHA256c1804dbfeac44a74ff0db13102a3c870870a9d2ede1666e58f579fb0da34fe0e
SHA5123a37f51b79c1cfa49cbc19594f8c294c3477da6493b88f41bc43d18a55ead99de18f2ab6901db0390abcde5185928ffa005e9600472987bee881318f4f9d9e4b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5acc70bfa23792bd81a9e2843c9d3b2cf
SHA113b2112ea3c3ad2bdae9250525eef8f3e26fc7b7
SHA256fcf9b93bccad10ad249e05682cd9b20bb4b14f56af4b1e53db6194c73555f586
SHA512a219bcf2cc35cd2f86ee5ff2d9c79cbc7405fd280abc87668560f1a34fa67c40d9f86b173e34614933834fefee20577fc4e5d43d956ab339a5ff0640f497f252
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f46165b31bc016d0ed8b7686e4592072
SHA1cd3f2bfbcd69aab3dfb045f46a53bf54a1ad208e
SHA256ba86d0dae136229d8ab05536d0fa4e7551d38db9a3eefee24d045e669ca3fad9
SHA51211543c04a3cfa97775cd3b74b98a3ec874e1fecd4c7a2883e4f23b7bb8624fa3abb610246d1ff6b35555f8047ba35c088abe9d729ad8cf9656ac2b195564d194
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a