ramnit | 2bd49502ee2d70012a56267360a443bddbf6a1d7df2fc1efbf732abb98a4d201

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_06357d06f10e33fdded3f39ba1978ab8.dll
Size

252KB
MD5

06357d06f10e33fdded3f39ba1978ab8
SHA1

253acf7de608ea40e83b3a092a6047a547377f0b
SHA256

2bd49502ee2d70012a56267360a443bddbf6a1d7df2fc1efbf732abb98a4d201
SHA512

7f309ddad8daf78916e04a9e4d5c473c0ebf56aca0910a34f79830487cb8ece4a878de4f9865204e32c117e1549dbcffb6e5de8335c8fa2e4eafe19be0a13775
SSDEEP

3072:s7x4qW1ndEuV3dcO3l2egt+6KFeNQR9Myzz65/AiImbWK7M18o7Seux+7I+lJa6r:stW1nTd9ExKpjW/bI4STS1WaL2rFFA

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2508	regsvr32Srv.exe
1832	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2268	regsvr32.exe
2268	regsvr32.exe
2508	regsvr32Srv.exe
2508	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-10-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2508-19-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1832-21-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1832-24-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB07B.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441784055"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6288C291-C736-11EF-B7A5-FED808322145} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogDB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}\1.0\ = "InstallShield LogServices 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogService"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_06357d06f10e33fdded3f39ba1978ab8.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_06357d06f10e33fdded3f39ba1978ab8.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\ProgID\ = "Setup.LogServices.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C3C1B17-E59D-11D2-B40B-00A024B9DDDD}\VersionIndependentProgID\ = "Setup.LogServices"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0BE5FF71-E7BA-11D2-B40E-00A024B9DDDD}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpType"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	DesktopLayer.exe
1832	DesktopLayer.exe
1832	DesktopLayer.exe
1832	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2276	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2276	iexplore.exe
2276	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 1776 wrote to memory of 2268	1776	regsvr32.exe	30
PID 2268 wrote to memory of 2508	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2508	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2508	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2508	2268	regsvr32.exe	31
PID 2508 wrote to memory of 1832	2508	regsvr32Srv.exe	32
PID 2508 wrote to memory of 1832	2508	regsvr32Srv.exe	32
PID 2508 wrote to memory of 1832	2508	regsvr32Srv.exe	32
PID 2508 wrote to memory of 1832	2508	regsvr32Srv.exe	32
PID 1832 wrote to memory of 2276	1832	DesktopLayer.exe	33
PID 1832 wrote to memory of 2276	1832	DesktopLayer.exe	33
PID 1832 wrote to memory of 2276	1832	DesktopLayer.exe	33
PID 1832 wrote to memory of 2276	1832	DesktopLayer.exe	33
PID 2276 wrote to memory of 2696	2276	iexplore.exe	34
PID 2276 wrote to memory of 2696	2276	iexplore.exe	34
PID 2276 wrote to memory of 2696	2276	iexplore.exe	34
PID 2276 wrote to memory of 2696	2276	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06357d06f10e33fdded3f39ba1978ab8.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_06357d06f10e33fdded3f39ba1978ab8.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce6760109bce781f87a1310de27566e

SHA1
cd5ebabbe1082adfec43c0c8a44998c52fc443a5

SHA256
476875ce2de73d0590fccccaa6e56e858f042ae862f24fbd55aa4d702046fb72

SHA512
c8822724f841d16e968aab75efaf499a86d0fcd04b3560b8c9a7ad49f58c58c1a3a5fdc42ee25f33f7827079afa999747c92487b5e05ad7d25ac3d5aee38c2f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
871fcdfe9b466bfbfde275bdc61a56b7

SHA1
bb6e325370e94e567f1ac20c105de966890584e3

SHA256
8bfd4110dddd83e2bf30a1b0bac1c41789cd42b0840b52028a6f3b2d22286dd9

SHA512
fbc659094dfeff9d9e07597bc3f72125e5dbfc4a25e3653c03a02a86e6f61366f86a4245bcbdab40470454f81bae5f3ae5de2b7b547b2c397d25c8c7a2fa5d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48287e5393e68d8e0b97dbe5ab539bdf

SHA1
d9c1c3fd1b3dc44334353855d606d1aaf35a8a09

SHA256
15e94deb1cb1229b0f55938834d621a90045b046a2c085aeadff0f2a03479a46

SHA512
2273968c2615d2fa3bf13ddcdc08ec0e7e039ab3be60ea501c5f96896e521c73250ba2a285733ef460ae9c56b042a5e49b8cc4bb9f3c59f3047351d23433ca71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5be982185335eb190489139d14998554

SHA1
47549c36ca499dd5727c1fb2918af670afb9496a

SHA256
992e0fb9bff6a90fefcbde33e300bbf88e102cd2cc7e410907e53cc3e7bb26b0

SHA512
f1f1135a62da5d882611961f7f2fae7e70ed89985c4862d566240b6d1c28d3328511a67b3de0255d7a01834fd29d741e819e65f87e7a541903d32cfe9b99ac43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
754f77d358bbd3b623e294caf9548821

SHA1
4513c6b146b83edcbe91d96647d3b6a10ce075ba

SHA256
eb310655b514a8ff86c065dd7c6b2ce07547c3c20f6c48856f7bdbd5326389b6

SHA512
1e9c017db893e1d2e4185aef59efc375e0bbdc9b0216d276a7da2f9252856f3204feef692d1af017054c17e41f7a7afbc42d9b57c008a48764eee0704a1d61ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddb1eef5eba8046bdef98f9e2530dd41

SHA1
06160499e6464d9200af33f0cc00a0aaed621f20

SHA256
d0dabcf0a1b12855907a5d7b7e3db7aedb90d8efe616173f2bbea73717f0a671

SHA512
75ee46da4ef6d6eb5f149c255dee4c8a148a574ab9b3df42251926a44aba2ef8d4fbea254f5669b26e4fcdfa6534bb589759a6ea273f14aa26b12885d22acc1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
985d1b8d35d93b1ba1a47f3084530517

SHA1
4b11f7efc92ec33ce477d5ff2a527549c7d7e37b

SHA256
d12ba45555b72d92d0f86834d99ba2930473f2cdbfc190e4eff2bf6bcdbfc875

SHA512
9b01dfe65d1808647e252458f4d91262389a486e090dd10db1627926f308b91e962b95729e7e2ed05046d68f6d7a0a4ccc59863d6afb6c949f1ebc466967e312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48c8e575d1031d53e61aeb7537de1565

SHA1
4d89eaf7cffc75fd924ac527cbbb1c762929a9f3

SHA256
a4f10769221105030799ed5b73c25d56de01368e6a6b1ce55ffef9d0da10533b

SHA512
11dee7179e4102146fc6bcf829e1a8c563cb7818fba8da1418074e030e5ceda0ed4479f040e7fda23d7421e915f11319dc9e3cd89857809787174d7ae4352564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af9e1a228994b82265a7bcf6f6f798a0

SHA1
a98ac05644b71ce9b84070589d5633b3df21572a

SHA256
d0a611481f92c3d51cc56daf4678eb34a69ab1e909d8c7e8924237f937cd90b1

SHA512
54727d45f08bb7a3f2a04fa6ea3df8cddf794fafe5e13f613a9aa74502a3a04140f59fa2b0c9d4f396f28f065f6ff71165c132e3941269a330c8da44a0692659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bbcefb7246115baf95087701e399eca

SHA1
7b142d021da3acc678098e2aa1beae81fbab1046

SHA256
7765b6cdcfe0fafcf3871bb944c0cd18279994533675fb328ef21a5e758ad951

SHA512
d7610a9a1da0eccd4918ad19aeff14f47864f93beb2469e533574371dcd9726a80d67fca7729f3eedf84d1d456439fc10b8a1a4939409c295b9edbe7172eeb1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70e70fbb91a53304b3b68d72f2bcddb4

SHA1
f56d55a14c0ca0ac297b996d18f6e98a48621b81

SHA256
1c1ceccf2d82aefc5d2fe86a5d927316b90443a4949d3eb368bec74bb883798c

SHA512
fc5e23cbd60fb31489746240ee84b2c29dcfe3d54f531cddf7ae8ab5058a1528b9ab5dfc53315f875aa3492ae305edd867e45e644b87a13108e34c14b5c6d1dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ab1da753bf4923face72c93aadfe48

SHA1
f311293a9abfb9984cc5e014d5aae92158048a35

SHA256
cfd85e69c669174a46b10036cb26eead817080fe4b19346740fa852556871a0e

SHA512
01f98f480d8bdf1dc3f6a06f92bc4ef8c730a7a538616ce420de16a293ef7431a389bc3e9ea2bccacf6b86272dc08c172f630aadc5db825d8336078d04552022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ece341e43d7ed6e1ddee6e0f57a74dff

SHA1
0c89c2503d35a590f55f5664b04abab3a5689b22

SHA256
688aab5ba40eb6a609284df106f596efce1236b66cabc3dc31905884c7d8a434

SHA512
599aabad41346df753929184d2b392572f838e7a24869c8f4ff5bb9fad3e00152efea1544ebc9338c049beece1b3224571fef5400a87843f056106546bdb33d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f6e8c8dbae6d4a9a712eec6e2a996af

SHA1
5776a760f5d221b2f1c81aaba073a84450d70962

SHA256
27778b1fd576f3e16f2a3c72ab5a645a95351ae916db10eca3c4c5702fcba5a1

SHA512
98565cf46cf84d16e85a2288bbb25706930590447b843eb13ae85b6bf3397c5e4c3c66e4cd383815aaac5cc7799ac5fa5f7c449fe1cc10411151d4d416ad15e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221a6d02504fed8a8aca66c54ff37c53

SHA1
002d6eaf2fb0eebc430e603191969affa5117c9c

SHA256
842a6f86bb9fd79a8f0ec63c1b6018b55266e017db7fafe4ca22f886e31bfa5a

SHA512
b1ce7be892cfdc470475c8ee2b2bd4704ebd23f7bd277f18564cd6e56dd08ad2c99670b98a9a6d0115f36cf124315765f50266be910254d58b637c69bae39ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d55cd177d39d26b66c4c6b2ecf0db123

SHA1
16fa575b5ae35d061197944bbfbe42c33fc75c19

SHA256
dc39bd26ae725a5e3cc48d7a80611d50cfc48e475044555492d482d97ecd0176

SHA512
9b08ca449ad8f11c3ed39b57fecc1a6d2920871773b1fb975a69a4ec7f6b86d58bce191d29bdbe271569d542f25ecd484bace0d484696df6a8245a183493dbaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74bc444eab7be86a62f3e788b971ae1d

SHA1
f9b1a90fe077a44fca5fa3ddf0d94cb594b9c5ae

SHA256
218720e9d9efbe845f8634c98961ccb8ab721dbadda74a949141b8ca03dea07a

SHA512
c9dde04fa17b8580f907fda512df1cfed5fa74ded93324605efcbcbd486ec8d12f87ea1903bffff7df6c87a6e28c0392f8705cba03c34834565d50d802bc491b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14ae93851d760d01fc227eb983b9bad3

SHA1
453abb3de1698632228ecc784a534b02a05f022e

SHA256
f8edbb704c52b7096282969c3d4a8bf55a81201e3a8a5686c571fc9489e4691f

SHA512
018e928d9c3904dc9706864ed94c81b2ad178b36c74c6139591a193fbd957e85b6abccfcbef536f49d8b5aa724ced3e248db5c1a0c2feea2c9a4d6cbd369a822

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7013fe33eb7fc40212e321390b7e3a2b

SHA1
b26320adaeb7e84eca8c9835d21841a59835a00a

SHA256
a7c70ac7e41b3c28c4c4830afbbd650acec062712aaf17ac9a1f6082f6e6fd79

SHA512
6c107d164e26ecf860531beec1d0709e4fdbd2559f7c0d4533f7ba7fd5027642a1f7534755ea7499ee41b352d2f5fd43ffbb236182a421599a44ed61d91663b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD27C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD35C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
39KB

MD5
7b9c72733b615919a28f1011958b818f

SHA1
de615eab8b5e75719cb4054c61fe32413a1d33b9

SHA256
c8112bf0a8b70ffae2ef6061c06422d897022e353949dbf6ba071e6167c9298b

SHA512
ed6dd3a5173a8e479ef68dda1b33e8b386efc0a5fe193be3b7f0ddbd984ab741dc9efa2b1e5149e0ed7d94bd99e7ea47e6f988da9314515f1c41589ee146437f

Download Submit
memory/1832-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1832-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1832-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2508-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download