Analysis

max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 22:28

Static task: static1
Behavioral task: behavioral1
  Sample: fd5dce661f86eb344e1891b34bf4d86e_JaffaCakes118.html
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fd5dce661f86eb344e1891b34bf4d86e_JaffaCakes118.html
  Resource: win10v2004-20241007-en

General

Target: fd5dce661f86eb344e1891b34bf4d86e_JaffaCakes118.html
Size: 157KB
MD5: fd5dce661f86eb344e1891b34bf4d86e
SHA1: ff69b357a91baa555af817094fe7a94fbcd3ec7e
SHA256: 1567123e7b860e3a17bf4d962f89d3adf2efb0d05ac2bc8a38d9fd007057101f
SHA512: 653ecea1bc66411a2f814f354eb0b5554706e753c075686cc42694084d8a747efdcb83542b885f5e28e3b048f032b869ceac43e9b71cfe7fbf269f7a11a8a605
SSDEEP: 3072:iz1jiP2AiyfkMY+BES09JXAnyrZalI+YQ:i8PlnsMYod+X3oI+YQ
Malware Config
Signatures

Ramnit family

Executes dropped EXE (2 IoCs)
pid   Process
1752  svchost.exe
2156  DesktopLayer.exe

Loads dropped DLL (2 IoCs)
pid   Process
2700  IEXPLORE.EXE
1752  svchost.exe

YARA rule matches (5 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x0030000000019397-430.dat                                  upx
behavioral1/memory/1752-434-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/1752-437-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/1752-436-0x00000000001C0000-0x00000000001CF000-memory.dmp  upx
behavioral1/memory/2156-447-0x0000000000400000-0x000000000042E000-memory.dmp  upx

Drops file in Program Files directory (3 IoCs)
description                   ioc                                                Process
File opened for modification  C:\Program Files (x86)\Microsoft\pxCBB8.tmp        svchost.exe
File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings (30 IoCs)
description       ioc  Process
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{662B85A1-BD8F-11EF-97FC-EA7747D117E6} = "0"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440722787"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
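The file-drop, dropped-EXE and NLS\Language signatures above are all derivable from the raw event stream by keeping a little state across events. The following is an added example (not the sandbox's own signature engine) that re-derives those three signatures from a trace constructed out of the IoC rows in this report. One event in the constructed trace is an assumption: IEXPLORE.EXE (PID 2700) creating Temp\svchost.exe, which the report implies by listing svchost.exe under "Executes dropped EXE" but never shows as a create row.

```python
"""Re-derive three of the report's signatures from raw sandbox events.

Added example; this is not the sandbox's own signature engine. EVENTS is
constructed from the IoC rows in the report (file drops, dropped-EXE
execution and NLS\\Language key opens). The first event, IEXPLORE.EXE
(PID 2700) creating Temp\\svchost.exe, is an assumption: the report lists
svchost.exe under "Executes dropped EXE" but does not show that create row.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # "file_create", "file_modify", "process_start" or "reg_open"
    pid: int        # acting process
    process: str    # image name of the acting process
    target: str     # file path, image path of the new process, or registry key


NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
# Prefixes that count as "Program Files"; the sandbox VM has a single drive.
PROGRAM_FILES_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PF86 = r"C:\Program Files (x86)\Microsoft"

# Constructed trace, in the order the report shows the activity.
EVENTS = [
    Event("file_create", 2700, "IEXPLORE.EXE", TEMP + r"\svchost.exe"),   # assumed, see docstring
    Event("process_start", 1752, "svchost.exe", TEMP + r"\svchost.exe"),
    Event("reg_open", 2700, "IEXPLORE.EXE", NLS_LANGUAGE_KEY),
    Event("file_modify", 1752, "svchost.exe", PF86 + r"\pxCBB8.tmp"),
    Event("file_create", 1752, "svchost.exe", PF86 + r"\DesktopLayer.exe"),
    Event("file_modify", 1752, "svchost.exe", PF86 + r"\DesktopLayer.exe"),
    Event("process_start", 2156, "DesktopLayer.exe", PF86 + r"\DesktopLayer.exe"),
    Event("reg_open", 1752, "svchost.exe", NLS_LANGUAGE_KEY),
    Event("reg_open", 2156, "DesktopLayer.exe", NLS_LANGUAGE_KEY),
    Event("reg_open", 1824, "IEXPLORE.EXE", NLS_LANGUAGE_KEY),
]

SIG_DROPPED_EXE = "Executes dropped EXE"
SIG_PROGRAM_FILES = "Drops file in Program Files directory"
SIG_LANGUAGE = "System Location Discovery: System Language Discovery"


def evaluate(events):
    """Return {signature name: [(pid, process, ioc), ...]} for the given trace.

    Events must be in trace order: a process only counts as a dropped EXE if
    an earlier event in the same trace created its image file.
    """
    hits = defaultdict(list)
    dropped = {}  # lower-cased path -> pid of the process that created it
    for ev in events:
        target = ev.target.lower()
        if ev.kind in ("file_create", "file_modify"):
            if ev.kind == "file_create":
                dropped[target] = ev.pid
            if target.startswith(PROGRAM_FILES_PREFIXES):
                hits[SIG_PROGRAM_FILES].append((ev.pid, ev.process, ev.target))
        elif ev.kind == "process_start":
            if target in dropped:
                hits[SIG_DROPPED_EXE].append((ev.pid, ev.process, ev.target))
        elif ev.kind == "reg_open":
            if target == NLS_LANGUAGE_KEY.lower():
                hits[SIG_LANGUAGE].append((ev.pid, ev.process, ev.target))
    return dict(hits)


if __name__ == "__main__":
    for name, rows in evaluate(EVENTS).items():
        print(f"{name} ({len(rows)} IoCs)")
        for pid, process, ioc in rows:
            print(f"  {pid:<5} {process:<17} {ioc}")
```

Run against the constructed trace it reproduces the report's counts: two dropped EXEs (svchost.exe, then DesktopLayer.exe), three Program Files rows all from PID 1752, and four NLS\Language opens. The "dropped EXE" rule is deliberately keyed on a file-create seen earlier in the same trace; a modification alone does not mark a file as dropped, which is why pxCBB8.tmp counts for the Program Files signature but not for the dropped-EXE one.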
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2156  DesktopLayer.exe
2156  DesktopLayer.exe
2156  DesktopLayer.exe
2156  DesktopLayer.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
3052  iexplore.exe
3052  iexplore.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid   Process
3052  iexplore.exe
3052  iexplore.exe
2700  IEXPLORE.EXE
2700  IEXPLORE.EXE
2700  IEXPLORE.EXE
2700  IEXPLORE.EXE
3052  iexplore.exe
3052  iexplore.exe
1824  IEXPLORE.EXE
1824  IEXPLORE.EXE
1824  IEXPLORE.EXE
1824  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
description                        pid   Process           procid_target
PID 3052 wrote to memory of 2700   3052  iexplore.exe      31
PID 3052 wrote to memory of 2700   3052  iexplore.exe      31
PID 3052 wrote to memory of 2700   3052  iexplore.exe      31
PID 3052 wrote to memory of 2700   3052  iexplore.exe      31
PID 2700 wrote to memory of 1752   2700  IEXPLORE.EXE      36
PID 2700 wrote to memory of 1752   2700  IEXPLORE.EXE      36
PID 2700 wrote to memory of 1752   2700  IEXPLORE.EXE      36
PID 2700 wrote to memory of 1752   2700  IEXPLORE.EXE      36
PID 1752 wrote to memory of 2156   1752  svchost.exe       37
PID 1752 wrote to memory of 2156   1752  svchost.exe       37
PID 1752 wrote to memory of 2156   1752  svchost.exe       37
PID 1752 wrote to memory of 2156   1752  svchost.exe       37
PID 2156 wrote to memory of 2288   2156  DesktopLayer.exe  38
PID 2156 wrote to memory of 2288   2156  DesktopLayer.exe  38
PID 2156 wrote to memory of 2288   2156  DesktopLayer.exe  38
PID 2156 wrote to memory of 2288   2156  DesktopLayer.exe  38
PID 3052 wrote to memory of 1824   3052  iexplore.exe      39
PID 3052 wrote to memory of 1824   3052  iexplore.exe      39
PID 3052 wrote to memory of 1824   3052  iexplore.exe      39
PID 3052 wrote to memory of 1824   3052  iexplore.exe      39
Processes

C:\Program Files\Internet Explorer\iexplore.exe  (PID 3052)
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fd5dce661f86eb344e1891b34bf4d86e_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2700)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 1752)
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (PID 2156)
              "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

                C:\Program Files\Internet Explorer\iexplore.exe  (PID 2288)
                  "C:\Program Files\Internet Explorer\iexplore.exe"

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1824)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:209945 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
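The process tree above is what the WriteProcessMemory rows encode: every row is a parent writing into a child it has just created, which is how CreateProcess appears to the monitor, so those rows are parent/child edges rather than injection evidence on their own. The following added example (not part of the sandbox report) rebuilds the chain from rows copied out of the WriteProcessMemory table, with each PID mapped to the image path the tree shows, and then applies three lineage checks that this tree makes obvious: a file named svchost.exe running from a user-writable Temp directory instead of System32, a browser spawning an executable from that Temp directory, and an executable dropped under Program Files (x86)\Microsoft spawning a browser.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows.

Added example; not part of the sandbox report. _DISTINCT_ROWS is copied
from the "Suspicious use of WriteProcessMemory" table (each row appears
four times there, which ROWS reproduces) and IMAGES maps each PID to the
image path shown in the process tree. In this trace the writes go from a
parent into a child it has just created, which is what CreateProcess looks
like to the monitor, so the rows are used as parent/child edges.
"""
import re
from collections import defaultdict

_DISTINCT_ROWS = [
    "PID 3052 wrote to memory of 2700 3052 iexplore.exe 31",
    "PID 2700 wrote to memory of 1752 2700 IEXPLORE.EXE 36",
    "PID 1752 wrote to memory of 2156 1752 svchost.exe 37",
    "PID 2156 wrote to memory of 2288 2156 DesktopLayer.exe 38",
    "PID 3052 wrote to memory of 1824 3052 iexplore.exe 39",
]
ROWS = [row for row in _DISTINCT_ROWS for _ in range(4)]

IMAGES = {
    3052: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2700: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    1752: r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    2156: r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
    2288: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1824: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(rows):
    """Return {child_pid: parent_pid}. Duplicate rows collapse; a pid written
    by two different parents is reported rather than silently overwritten."""
    parent = {}
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m or m.group(1) != m.group(3):
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target = int(m.group(1)), int(m.group(2))
        if parent.get(target, writer) != writer:
            raise ValueError(f"pid {target} written by both {parent[target]} and {writer}")
        parent[target] = writer
    return parent


def chains(parent):
    """Root-to-leaf pid chains, with roots and siblings in ascending pid order."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    roots = sorted(p for p in children if p not in parent)
    out = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            out.append(path)
        for child in sorted(children[pid]):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1]


def format_chain(chain, images):
    return " > ".join(f"{basename(images[pid])}({pid})" for pid in chain)


def lineage_findings(parent, images):
    """Flag the parent/child pairs that make this tree suspicious."""
    findings = []
    for child, par in parent.items():
        c_path, p_path = images[child].lower(), images[par].lower()
        c_name, p_name = basename(c_path), basename(p_path)
        if c_name == "svchost.exe" and not c_path.startswith(SYSTEM_DIRS):
            findings.append((child, "svchost.exe running outside System32/SysWOW64"))
        if p_name == "iexplore.exe" and "\\appdata\\local\\temp\\" in c_path:
            findings.append((child, "browser spawned an executable from the user's Temp directory"))
        if p_path.startswith("c:\\program files (x86)\\microsoft\\") and c_name == "iexplore.exe":
            findings.append((child, "executable under Program Files (x86)\\Microsoft spawned a browser"))
    return findings


if __name__ == "__main__":
    tree = parse_rows(ROWS)
    for chain in chains(tree):
        print(format_chain(chain, IMAGES))
    for pid, note in lineage_findings(tree, IMAGES):
        print(f"[{pid}] {note}")
```

The two chains it prints are iexplore.exe(3052) > IEXPLORE.EXE(1824) and iexplore.exe(3052) > IEXPLORE.EXE(2700) > svchost.exe(1752) > DesktopLayer.exe(2156) > iexplore.exe(2288); the findings land on PID 1752 (twice) and PID 2288. The parser rejects a pid that two different parents claim to have written, because on real endpoint telemetry that is the case where a WriteProcessMemory row stops being a process-creation artifact and starts being worth a look as injection.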
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    b67c9aee441be52abb3f9e04daa672b3
  SHA1:   024bcb0bbfd3e8b3c1368cc32ef3e78bb60007c9
  SHA256: f08553dc1102913b25c670ca0e261235aa2bd041c4d3c88ce0ccf15916a913f7
  SHA512: abf61135d63cdb61434cc605248db045515d0bb09c0da101c8402855f0c053c8eb78fae0483e0207477ef256be82d326affd8394473869f11ecc8c21f9f125fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    68ce5269f7ab7436587fc1df1e24e872
  SHA1:   ce851b273418868471b0e09bca0bf2c1cfa63d52
  SHA256: 54a946a8ba2ad28fd074401aba15ef0fb228eba4b66c6dc5ec049e721440c4f2
  SHA512: 6af301e0e46fb4b064a299bcc56ad39f33c560aae704eaf478c49fe6b9043e1ea2c5ce460f55cee827a3346c65a015f6474c7f71e6a7910263290e56427ec4b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    bd4a717521bc49d21dc401d1a211bca4
  SHA1:   f55a8025407696260476ff50b9bba2b6354b46f4
  SHA256: fbe7fdb7d27331cd8f103a95ad462ae48e55c2d0c9ba9cd4ba8359f5b2d3d71a
  SHA512: 331d1922202f7a6c1583d929fa9ffc11b989595b6fcabcd933bc982e6ee9cc999dfaf694db4faec1bc0ae093c041365dfe68075291b58f6f582be9cc26087b24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    48a7215006e7428da2193f7490080144
  SHA1:   7714e45245a8688e44aaec1e91cbcc9132879cc8
  SHA256: f697beddb3b2776d47118ee99cf1b109e51516b9f8a9219d4ab85e31f858c48a
  SHA512: 087e332e74bf4ba9e587431942d05a9b45a6f984c0d302e8816259ce4e9f1f6c92512bcc9eb1a3ec4159e5154e04a9c6fd23f4cc1d2a3f89e77f8e94ebb95a89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    47fd19de83e8b5ec64132d4a541b43fc
  SHA1:   d0adda570e3218aca33f7d07ebb0d8b4f7ae5d58
  SHA256: 8b5f3d8a6c2a77a2fe328619e5a50e74858cce2526167b568286d4784a40e4e5
  SHA512: 231f33264ed4b3107200f84510103da6d659ede726d7e5cf32f333d559430ae912c2a90e001eec201ccdb3283bdcf13d26e7c9a121036f359302a0bb307ecaca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    6061c128c5ca3400d85155ef259cdea5
  SHA1:   0c73be993a9cc20d840d53e975ffefd01e9eda67
  SHA256: 89e107298394ed876e7a682ea3f1df3c1687ac0ba313216a80f49fdc9ba03daa
  SHA512: a2667f266ffab02ee1ff108e382906892269f869d7b639d78c9469f65fcd62fbe3bd31bc8217c9efcae0cf5521418c887507f43db08c0230db7ccdcb74d74a75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    bdb1d3365db99a2f57b81d7c4edc3e31
  SHA1:   72ea03165e8f037f41f0117655590445011154f8
  SHA256: 0b7abf9c03c453e60885ef4a6471bf63bb847e5f849b2ca40bd621512435110c
  SHA512: 77284a45cab38f3700e67e401d243db1c978608d067a46359c86e2dd36945913e797280a724b017f5a6d976f295cf22200dfe731fdfc7370e677b9f2e8cad5a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    74bdfa91c260b21ade9bdc72f798b327
  SHA1:   fbf0e83045b0b89eaa2535c26598afb68bcac1e9
  SHA256: 62856386a594fb453e7733a3fce45a25c9572a63db34d05058e5049baab76749
  SHA512: 73a2504d582df97e9fef829e21542170c5290880425712b6393e799d558fac84c87de93f2f8456e49e41c65c746895725e9df175754d056a5d859fce92cd6083

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    a3881aef1e0386fea49e14c3bb74ca92
  SHA1:   28c80ed02969858b294a4e3f024db516203812b2
  SHA256: 2513b84fec892698f1e27eea7cb9655d74e9ab1f25d21c06507d1e7dd0bcabfb
  SHA512: c801c2652aa40116c77940c1d562a9f2fb59f19e791d6538b653f17432ae2de65940839b90a93ec7283ea294079591ff10d1293bcea924c49be179a454d9b6e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    8e7208cfce0328d31b438747f97f5399
  SHA1:   c2afebafbbe02544cfee6de4949262f8008d62bc
  SHA256: 56dac452654ed9469e9f69144965a61a15629f3822644af70a8e3ecf72973222
  SHA512: 0f5b1db9fe7869d73cdbccd757d9d4fddd041f7371c9b5a84011b725e476b02c47939139ca93ff7b50cfba0aaea9a744bf78fabd7e106790acef512a4cc93919

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    234fa360784d0959de4acab1eec38385
  SHA1:   ab4e897e3894b8ba052f6ba15f655061108c9823
  SHA256: 9f5c94d98276c2fbfefcb8fee848b52ee86706094162324990312ca7cc292b83
  SHA512: e83221de73f2dd4fb1700e880636e96a5d7d803ce7cc8b98115470aaf1f472af0ad5d32e68e8fd8469b4014f3001c94a38daa5ed759182031912b48f24869627

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    47077342755858e9dfffbba2d3819900
  SHA1:   19885a270e57c31af86e8d6aa0ea1a54ac233c51
  SHA256: 2695991404ae215740a7cb475b8e604f0d33e5a8ab408d183a71b5227770e414
  SHA512: 2a35f89ccc1299b9b98b21d0539943bd5d0ee3aec0488ff9f12985ea51945dd15edcab05eabdfe881e7fb803b6edaec7abb838d6762b058fb276a33c19595a12

(no path recorded)
  Filesize: 70KB
  MD5:    49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1:   1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(no path recorded)
  Filesize: 181KB
  MD5:    4ea6026cf93ec6338144661bf1202cd1
  SHA1:   a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

(no path recorded)
  Filesize: 55KB
  MD5:    ff5e1f27193ce51eec318714ef038bef
  SHA1:   b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a