Analysis
max time kernel: 132s
max time network: 133s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 03:17
Static task: static1
Behavioral task: behavioral1
  Sample: f9e298abc693fd9f8af9b412aed0b29d_JaffaCakes118.html
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f9e298abc693fd9f8af9b412aed0b29d_JaffaCakes118.html
  Resource: win10v2004-20241007-en
General
Target: f9e298abc693fd9f8af9b412aed0b29d_JaffaCakes118.html
Size: 158KB
MD5: f9e298abc693fd9f8af9b412aed0b29d
SHA1: a4e5d349e687fa64bde8ebec790c3bcd0be20db0
SHA256: 6825515c53cadc0be5c8637ac39f8221b036cb925f28d3d893ae8262347e27a9
SHA512: 29a6ed4b94f5193fececcef1a3ae6783a986eab20b6c5611b982b21dec7103e9c176bfb8884bd452d40a7c38c80b36220bc38e3f613ae68c9e323bf5c474e335
SSDEEP: 1536:iTRT2OicT9QA/Bk4gNwyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXu:i9zRQbwyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
Ramnit family

Executes dropped EXE 2 IoCs
pid   Process
2056  svchost.exe
3016  DesktopLayer.exe

Loads dropped DLL 2 IoCs
pid   Process
2548  IEXPLORE.EXE
2056  svchost.exe
resource                                                                      yara_rule
behavioral1/files/0x0037000000016d27-430.dat                                  upx
behavioral1/memory/2056-437-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2056-434-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2056-443-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/3016-448-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/3016-446-0x0000000000400000-0x000000000042E000-memory.dmp  upx
Drops file in Program Files directory 3 IoCs
description                   ioc                                                Process
File opened for modification  C:\Program Files (x86)\Microsoft\px8F54.tmp        svchost.exe
File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
3016  DesktopLayer.exe
3016  DesktopLayer.exe
3016  DesktopLayer.exe
3016  DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2100  iexplore.exe
2100  iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs
pid   Process
2100  iexplore.exe
2100  iexplore.exe
2548  IEXPLORE.EXE
2548  IEXPLORE.EXE
2548  IEXPLORE.EXE
2548  IEXPLORE.EXE
2100  iexplore.exe
2100  iexplore.exe
2072  IEXPLORE.EXE
2072  IEXPLORE.EXE
2072  IEXPLORE.EXE
2072  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs
description                         pid   Process           procid_target
PID 2100 wrote to memory of 2548    2100  iexplore.exe      30
PID 2100 wrote to memory of 2548    2100  iexplore.exe      30
PID 2100 wrote to memory of 2548    2100  iexplore.exe      30
PID 2100 wrote to memory of 2548    2100  iexplore.exe      30
PID 2548 wrote to memory of 2056    2548  IEXPLORE.EXE      35
PID 2548 wrote to memory of 2056    2548  IEXPLORE.EXE      35
PID 2548 wrote to memory of 2056    2548  IEXPLORE.EXE      35
PID 2548 wrote to memory of 2056    2548  IEXPLORE.EXE      35
PID 2056 wrote to memory of 3016    2056  svchost.exe       36
PID 2056 wrote to memory of 3016    2056  svchost.exe       36
PID 2056 wrote to memory of 3016    2056  svchost.exe       36
PID 2056 wrote to memory of 3016    2056  svchost.exe       36
PID 3016 wrote to memory of 548     3016  DesktopLayer.exe  37
PID 3016 wrote to memory of 548     3016  DesktopLayer.exe  37
PID 3016 wrote to memory of 548     3016  DesktopLayer.exe  37
PID 3016 wrote to memory of 548     3016  DesktopLayer.exe  37
PID 2100 wrote to memory of 2072    2100  iexplore.exe      38
PID 2100 wrote to memory of 2072    2100  iexplore.exe      38
PID 2100 wrote to memory of 2072    2100  iexplore.exe      38
PID 2100 wrote to memory of 2072    2100  iexplore.exe      38
Processes
C:\Program Files\Internet Explorer\iexplore.exe (PID:2100)
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f9e298abc693fd9f8af9b412aed0b29d_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID:2548)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID:2056)
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID:3016)
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe (PID:548)
          "C:\Program Files\Internet Explorer\iexplore.exe"
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID:2072)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:668680 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx