Overview

overview

10

Static

static

3

fbf13e3855...18.dll

windows7-x64

7

fbf13e3855...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll

  • Size

    942KB

  • MD5

    fbf13e38558108839059a6df1a214d03

  • SHA1

    e070d3aeb6b50ae7dde84ecda504aedb2d284125

  • SHA256

    1fa242ce013b13eccbf6adeaeec9c1c42bcc23fd2a96351e43eceb39d1408475

  • SHA512

    9b95c6c7165e6c45aa66d31ea1d3dec0ea45e518c72e78dc750a86b157b1bc58c8a9c84516491ea55c6b97d6d292290185ef441c3871d7e00147d94c8a172cbb

  • SSDEEP

    24576:5hTSqs13avB+054QYuNVGvogaiXK0xb7ZivKLVg:5hEIQQYYiXnRivKK

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\rundll32Srv.exe
          "C:\Windows\SysWOW64\rundll32Srv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3964
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3160
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                  PID:688
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 216
                    8⤵
                    • Program crash
                    PID:3768
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1716
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:17410 /prefetch:2
                    8⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:2076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 648
          3⤵
          • Program crash
          PID:3564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1764 -ip 1764
      1⤵
        PID:4816
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 688 -ip 688
        1⤵
          PID:3720

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UM8YFV59\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit
        • C:\Windows\SysWOW64\rundll32Srv.exe
          Filesize

          69KB

          MD5

          3284b0d95ae1f80355da5e04e79a6be1

          SHA1

          642bbb026f238a4eed9931772869b637621d98c8

          SHA256

          f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60

          SHA512

          13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547

          Download Submit
        • memory/688-36-0x0000000001260000-0x0000000001261000-memory.dmp
          Filesize

          4KB

          Download
        • memory/688-37-0x0000000001240000-0x0000000001241000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1764-38-0x00000000623F0000-0x00000000624E1000-memory.dmp
          Filesize

          964KB

          Download
        • memory/1764-0-0x00000000623F0000-0x00000000624E1000-memory.dmp
          Filesize

          964KB

          Download
        • memory/2336-16-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

          Download
        • memory/2336-6-0x00000000001C0000-0x00000000001C3000-memory.dmp
          Filesize

          12KB

          Download
        • memory/2336-4-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

          Download
        • memory/3160-40-0x0000000077CD2000-0x0000000077CD3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3160-39-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/3160-32-0x0000000000530000-0x0000000000531000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3160-33-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/3160-35-0x0000000077CD2000-0x0000000077CD3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3964-23-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

          Download
        • memory/3964-31-0x0000000000400000-0x0000000000459000-memory.dmp
          Filesize

          356KB

          Download
        • memory/4560-15-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/4560-19-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/4560-14-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/4560-13-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/4560-9-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download