Analysis
-
max time kernel
133s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 07:32
Static task
static1
Behavioral task
behavioral1
Sample
f7f448f2f50db769822c718d2e0e7720_JaffaCakes118.html
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f7f448f2f50db769822c718d2e0e7720_JaffaCakes118.html
Resource
win10v2004-20241007-en
General
-
Target
f7f448f2f50db769822c718d2e0e7720_JaffaCakes118.html
-
Size
160KB
-
MD5
f7f448f2f50db769822c718d2e0e7720
-
SHA1
d89882d27e0e5751f3bbbe99e4cc8f4ce5da9e45
-
SHA256
6a6cc901f755baa1e4020e532f17f1761ac1827a8739dbb84b09ed00523cbf69
-
SHA512
ac7bfd2f406e4e79b9054bf10847172c4eefe86fe8767ea087c41d00c1063089dc7ccff9d8b0b470db596cf7b087bb3fdeabbc0945727c6024dba793fcbcd301
-
SSDEEP
1536:iDRT7jOOuqAscXNbTE0yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXu:itHgXtY0yfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 1620 svchost.exe 3040 DesktopLayer.exe -
Loads dropped DLL 2 IoCs
pid Process 284 IEXPLORE.EXE 1620 svchost.exe -
resource yara_rule behavioral1/files/0x002f00000001930d-430.dat upx behavioral1/memory/1620-434-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1620-436-0x0000000000230000-0x000000000023F000-memory.dmp upx behavioral1/memory/1620-437-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/3040-448-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/3040-447-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/3040-445-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxCA03.tmp svchost.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4BB0061-BB7F-11EF-8659-F6D98E36DBEF} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440496212" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3040 DesktopLayer.exe 3040 DesktopLayer.exe 3040 DesktopLayer.exe 3040 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2420 iexplore.exe 2420 iexplore.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2420 iexplore.exe 2420 iexplore.exe 284 IEXPLORE.EXE 284 IEXPLORE.EXE 284 IEXPLORE.EXE 284 IEXPLORE.EXE 2420 iexplore.exe 2420 iexplore.exe 652 IEXPLORE.EXE 652 IEXPLORE.EXE 652 IEXPLORE.EXE 652 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2420 wrote to memory of 284 2420 iexplore.exe 31 PID 2420 wrote to memory of 284 2420 iexplore.exe 31 PID 2420 wrote to memory of 284 2420 iexplore.exe 31 PID 2420 wrote to memory of 284 2420 iexplore.exe 31 PID 284 wrote to memory of 1620 284 IEXPLORE.EXE 36 PID 284 wrote to memory of 1620 284 IEXPLORE.EXE 36 PID 284 wrote to memory of 1620 284 IEXPLORE.EXE 36 PID 284 wrote to memory of 1620 284 IEXPLORE.EXE 36 PID 1620 wrote to memory of 3040 1620 svchost.exe 37 PID 1620 wrote to memory of 3040 1620 svchost.exe 37 PID 1620 wrote to memory of 3040 1620 svchost.exe 37 PID 1620 wrote to memory of 3040 1620 svchost.exe 37 PID 3040 wrote to memory of 1652 3040 DesktopLayer.exe 38 PID 3040 wrote to memory of 1652 3040 DesktopLayer.exe 38 PID 3040 wrote to memory of 1652 3040 DesktopLayer.exe 38 PID 3040 wrote to memory of 1652 3040 DesktopLayer.exe 38 PID 2420 wrote to memory of 652 2420 iexplore.exe 39 PID 2420 wrote to memory of 652 2420 iexplore.exe 39 PID 2420 wrote to memory of 652 2420 iexplore.exe 39 PID 2420 wrote to memory of 652 2420 iexplore.exe 39
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f7f448f2f50db769822c718d2e0e7720_JaffaCakes118.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:22⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1652
-
-
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:209939 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a224a0bbd1eedf7234b8675bf1fb1d80
SHA12efb82a56bb299d1372a90f4f9aec1853188c657
SHA256ebd5f5f62fca9a1685256b4eec9c5d1101abd0ec6d7551a1c376149eef8b0654
SHA5121efbe5495065c0662dae3a26b95103c3cd7257affe05eaf09a94544077d66b4ea6636a72d3974e9f1f606a408dfa2ae0a596a3ef95181f75d559f852f437c8a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e9ceffca015b2e5a0e07d98fcb626115
SHA14550c283eabd101fe79f3e7980a2e55696e68f8b
SHA2568d9628ad4e15edc97150a78d3e047a54ab84206ac874034bea739f11e920b4b3
SHA512e9e50bb57dd25fb396a2be4fa33ece5d09f88fc048eb5d6269c4e457493171778fc9d6178754943139231c12c09b8378f8ede5a862aa2231cd20b21f6f10f5dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5157956a8d0f1afbd31e6f158af1f5a48
SHA17f6954314299040f3782a72ca229d6a83bd51008
SHA25631034e525a894ae7dbb7cce68856fe00254fb8e68bc4e17f37a13f2c360c413f
SHA512b101ad23ffa7ef37ff661492451df5d10e76286347caf8494e6476cef2b452f44d92ff5ee8c886c9d1f3356613608f8c5ab24a3108dae20ecdb8dcf6c9ab9a76
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c1c41c9f10dd1da576be33ca1b860567
SHA197cdd5c3a80369c88da0e2f435c09ea6027e4b11
SHA256cb846cc5aa4eff9210c6e8298e6973dd58e19dc52e98a368a47f31903032e1cb
SHA5128d8377bd09841363bd20f24969d8f787cb956406e4f8897aeb5c23edd5f0a13a8fbe33acbc05080e38c7a22159bb7fdcf41c4009200195cbda73d7efd71b564b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c73ff44ade8afc03ac3c3a651a257ce0
SHA1bf9c5ea141c064d2f209a4db1704915a0589de38
SHA2560b74aea48e7e27b3b3f7d848ce1cc8f75e655b559ea2d28fe768cb8893a31999
SHA512056c76de6e9f860ef10fea30c502c67db77d9ad4c0d1a30472ca5aec073d3e9a1b9b946887c3fbc9e43cb9c661b01f7702e4d27103df232c15db7995549ed882
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a5ce0a005fee3d32f7c05f4b6e2d8eb6
SHA12b29f01b559b79f15659c9e46ca9442fb70681f6
SHA2563060b03bacde5640c27267d50517300e35cfad335ea28d5263d1872cf44343e0
SHA51235214b825ddec2eed6caf6c54ce430207b972f3430cd5d55fafd81086ec634844ab6defc4ec348d88ccd66c26c8201da8b4e3d406fbd1eb8867a7e59439c4d96
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aa09ac640900a44d3aed3c01c653311d
SHA19f728609d52f336d302f58a7a367cebb1dce1561
SHA2569ecb764bf15a20e0691771289384d6f46a8a6652add8b1015183ba263f6cbda0
SHA512fb1e54e797c055d2e81de3eaa84fa37000b53de5c3035e6df72d0e362594ea6956277ab15f451a20e4e490e9a1ef3e426acfce3790ec89c101cc9951e4ac8568
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59577a0e7d4fdc551e838c419ff304c52
SHA16e69834435349e478b8ae4f3bffb3b34a06a0c74
SHA256bb71665e14c353a861e4eb9c62a3a97e723e0e718008cf750788c860bc89907d
SHA512ebe2ffc6ae68eba2be92dc984e46f54d10581eb4a17505cde2de2cd383858be143565b43b088b9acadc8b2c31bc73f451c08866c00c4ff58558962e40c4b3312
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55f103f31b7b00631c5e5a891922e30b5
SHA1ad21008310b2d096d0a8ffc094d40333e61a61f8
SHA25613dc7d73614241fd1a964e5023c4c6f6ddea0cdc40e6df978d9628c08faf0f01
SHA51207c44866918a365e4823dcdd8bb6215eb56e0cb2092b6e7fb51e864a482997ff79a4b6857558d2898f7424411317c898d62b3edef2922fde7cc81d334624f4d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57c68cd28a89d87a258d4308e7d5599d1
SHA15b5014985806e5cb7858ee71d3c76b7e30c8d2bb
SHA2560d517cfa34b5f25dc1651615a6b77abbfc33a7de0bd5f35f10d49072f2e1ffb9
SHA512b482cbcc4a58134f934ca0e2d9fd21cb6ec2c2a34a27b06f6a0c7bd6185e338d422e77b796d9217fee04f69fd300ddcce5a207629d93ec56969e0878904d3852
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD593da29357a95fc82eed0de0034af9303
SHA1b51fecb8141c870345b705a8b8ed2232808976d7
SHA2560b329449cc2656e408dcac59ca56fd24f86439757d95eb74e4a11251967d6e00
SHA5126dcc2f6201dfd9137129affa87a4bf2a0d7cca993dd9ccc6a34ef671e50e204b944125ddfc92977e2270108f34af36e6eb6b684ed159d1dd378ebe95450d518f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a