Analysis

  • max time kernel
    81s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 23:00

General

  • Target

    0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    0fd88cfe1f9c64397fbea129ab06660a

  • SHA1

    681b659890e12af234e38b2e5bb30683bc47218b

  • SHA256

    15b77509dd9a565a94678c590ff9c451df621f8f7ca4ec36534f010c49849665

  • SHA512

    6c729ca31867e08f5c2450cc84e1bea271109048dbf923ba4bd1ebdd6a3d2250e96952e8fb2e07278b64c49b6a1e329297d0880ca65d2fe9a2dd12719593776b

  • SSDEEP

    1536:WNpbWTono2PF9yJH9KBjH7ZoSQoL+Qz6AxAvf/PqhXnzyP5xC1VXfbJpeU4KyQ5V:PdKFOoL16AOHHCRQU4S5GBWVLn

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:4092
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 204
              5⤵
              • Program crash
              PID:2480
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4968
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4968 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1392
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
      1⤵
        PID:916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3922B52-3346-11EF-BCA5-6E6D447F5FDC}.dat

        Filesize

        3KB

        MD5

        f894a8c35e9d0c0457edb2c3b790914a

        SHA1

        5cbbf02e1ade749336b572a9bc9411008393fed9

        SHA256

        c9cd1e6ee66b51661710d93b6cef3b496e681c1f1fa8e28139ef6dd9d18301c8

        SHA512

        a4349da65b233b3e116915e2d694df212d3ebd3a6ce0c75059fbe702b2a990ff4ec6b74bffc88160ba7b2a4d187506641fc7f8bf517f65a63c28d370fdba9e9c

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3948DFE-3346-11EF-BCA5-6E6D447F5FDC}.dat

        Filesize

        5KB

        MD5

        d74778961790dcad4b1b08bcd92d8c04

        SHA1

        46d2c52a6f465ed1ae7c95207776462d9ca76006

        SHA256

        8adcaa8253624a3f24f9d7c585ac3a4297f3399bdce9280c2b8ffeb5ad68046b

        SHA512

        7e5a3ddb12074c4c14894b0c12e11f3ea8e5c76d4ccfbb8126e1cbb55d6707c9b742f39fcce1b150bb818699599161246d4355d080e245b3eaa155a0d2657dd6

      • C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

        Filesize

        96KB

        MD5

        8c51fd9d6daa7b6137634de19a49452c

        SHA1

        db2a11cca434bacad2bf42adeecae38e99cf64f8

        SHA256

        528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

        SHA512

        b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

      • memory/756-0-0x0000000000C40000-0x0000000000C6C000-memory.dmp

        Filesize

        176KB

      • memory/756-4-0x0000000000C40000-0x0000000000C6C000-memory.dmp

        Filesize

        176KB

      • memory/1184-24-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

      • memory/1184-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/1184-5-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/1184-7-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

      • memory/1184-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3812-25-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

      • memory/3812-29-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

      • memory/3812-35-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/3812-36-0x00000000775A2000-0x00000000775A3000-memory.dmp

        Filesize

        4KB

      • memory/3812-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3812-31-0x00000000775A2000-0x00000000775A3000-memory.dmp

        Filesize

        4KB

      • memory/3812-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4092-34-0x0000000000640000-0x0000000000641000-memory.dmp

        Filesize

        4KB

      • memory/4092-33-0x0000000000660000-0x0000000000661000-memory.dmp

        Filesize

        4KB