ramnit | 57f139c1799239e4bde2588dc2375cf30be9d3008b27e216c1e02ee3185d36a0

General

Target

fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe
Size

185KB
MD5

fae9a9201c43ac34543f6917558e0565
SHA1

0981d1a529d13eab3a151ed231c94f6aacfaef8b
SHA256

57f139c1799239e4bde2588dc2375cf30be9d3008b27e216c1e02ee3185d36a0
SHA512

d131df39d3e65bfca7d646519251d8317736d26e62192d6d4445b1766420d2466973cd1c81d7e45ca5d28761d96876987f035d4774d668c7befcdf6839cd2e20
SSDEEP

3072:+6lXhN336MdMfLirVQW0/nyypWE32BJ8q9kPKlhf8a7:rXHqqULirVT012BSiX8c

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exeWaterMark.exe

pid process

668 fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
1924 WaterMark.exe

pid	process
668	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
1924	WaterMark.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/668-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-8-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/668-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1924-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1924-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1924-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6CB4.tmp	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4496 2248 WerFault.exe svchost.exe

pid	pid_target	process	target process
4496	2248	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3879234084"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3879234084"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101576"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101576"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3891265425"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3891265425"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3881577975"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101576"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3881421988"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101576"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419713811"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1233E7BB-FE7C-11EE-8A9B-FEF12A1805AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{123B0D78-FE7C-11EE-8A9B-FEF12A1805AF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WaterMark.exe

pid	process
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe
1924	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WaterMark.exe

description pid process

Token: SeDebugPrivilege 1924 WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

5040 iexplore.exe
2748 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1924	WaterMark.exe

pid	process
5040	iexplore.exe
2748	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2748	iexplore.exe
5040	iexplore.exe
2748	iexplore.exe
5040	iexplore.exe
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
4412	IEXPLORE.EXE
4412	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exeWaterMark.exe

pid process

668 fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
1924 WaterMark.exe

pid	process
668	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
1924	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exefae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3220 wrote to memory of 668	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
PID 3220 wrote to memory of 668	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
PID 3220 wrote to memory of 668	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
PID 668 wrote to memory of 1924	668	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe	WaterMark.exe
PID 668 wrote to memory of 1924	668	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe	WaterMark.exe
PID 668 wrote to memory of 1924	668	fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe	WaterMark.exe
PID 3220 wrote to memory of 2156	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	setup_wm.exe
PID 3220 wrote to memory of 2156	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	setup_wm.exe
PID 3220 wrote to memory of 2156	3220	fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe	setup_wm.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 2248	1924	WaterMark.exe	svchost.exe
PID 1924 wrote to memory of 5040	1924	WaterMark.exe	iexplore.exe
PID 1924 wrote to memory of 5040	1924	WaterMark.exe	iexplore.exe
PID 1924 wrote to memory of 2748	1924	WaterMark.exe	iexplore.exe
PID 1924 wrote to memory of 2748	1924	WaterMark.exe	iexplore.exe
PID 2748 wrote to memory of 1252	2748	iexplore.exe	IEXPLORE.EXE
PID 2748 wrote to memory of 1252	2748	iexplore.exe	IEXPLORE.EXE
PID 2748 wrote to memory of 1252	2748	iexplore.exe	IEXPLORE.EXE
PID 5040 wrote to memory of 4412	5040	iexplore.exe	IEXPLORE.EXE
PID 5040 wrote to memory of 4412	5040	iexplore.exe	IEXPLORE.EXE
PID 5040 wrote to memory of 4412	5040	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 204
5⤵
- Program crash
PID:4496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5040 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118.exe"
2⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
1⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1233E7BB-FE7C-11EE-8A9B-FEF12A1805AF}.dat
Filesize
5KB

MD5
12b1732e5923b91c7b6f906d03fa0c9c

SHA1
14a9955a22ca1c092f96e003681d9d17fa0b8b65

SHA256
a1e6361119ef22267ebb6747e29b157d402f9a244f00fb199e95a3a1bc6b4eb3

SHA512
6a665da3862d5889e4edc3779c63d34feb009a82bd63c763663189888e9400c4a52c687cad5c447074f2734120da7a17fb49aa0561b45580082c047ca6d42d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{123B0D78-FE7C-11EE-8A9B-FEF12A1805AF}.dat
Filesize
3KB

MD5
008e28a064edc786f2492484f21c4614

SHA1
ca5ad04c8035bf485fb6de2e97de97fc2c9faf25

SHA256
73fd6ba8d666f9ca052ce2e0886b8ba6eba75bf0cbc1adc3c17932ec635a3190

SHA512
67ce07d997e6daf46a530b72eca0b70300e59985de88b9d1e83b5cceca68b36729dc94eb097fc11d72c659249917ac0e852106a26bd7610bc147489ab727657b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF415.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fae9a9201c43ac34543f6917558e0565_JaffaCakes118mgr.exe
Filesize
119KB

MD5
6ccc1cdfb26daeb170fe75a4a476d30b

SHA1
00cb344695ad75cb667c1335d92f87ed8e7250a3

SHA256
5128c0d27138fa7f11f79bc77f5d8f6e585b13a92ea582114a4e7a57922eac06

SHA512
3f922709b0c1a83247e78ccf7e5c52fba6b2a9c4f6daf7382f8889c4571dbf89bf44bee487ff0954a02df07cdbc480e73a75d9bff2409cf1c44397853405046a

Download Submit
memory/668-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-12-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/668-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/668-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/668-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1924-33-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1924-34-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download
memory/1924-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1924-39-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1924-38-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download
memory/1924-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1924-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1924-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-37-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2248-36-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3220-0-0x0000000000070000-0x00000000000A2000-memory.dmp

Filesize
200KB

Download
memory/3220-24-0x0000000000070000-0x00000000000A2000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads