Overview

overview

10

Static

static

3

0ff33c146f...18.dll

windows7-x64

10

0ff33c146f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll

  • Size

    135KB

  • MD5

    0ff33c146ff7c55fb3b95f35c0f3f265

  • SHA1

    82064ad8019338464a4163fc639f20ecc4c6b3f3

  • SHA256

    30a595af4395567d2b78f969b94e183a1a989f470aa373b8ac96320933e7df6a

  • SHA512

    7f562d5924b98842396947b8f1b895413c1b5bda9a65165172778a5e9281a2b4baee36175cd0b5ec993a4ed32788c2b5e8d43c4bea797a11c59fc501e8d4361c

  • SSDEEP

    3072:aUIZOm2MxCIL9jXQPtZsk4Ul2pLwAxG1wdwtv/y5l:qOm2OCI9SLsk4Ulp1wdqH6

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:460
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 204
                6⤵
                • Program crash
                PID:4764
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4496
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2604
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1532
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 460 -ip 460
      1⤵
        PID:2980

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{07464806-334C-11EF-BCA5-DAA7D34B912A}.dat
        Filesize

        3KB

        MD5

        9d93af859b454b6b9234f1fbf1a4849d

        SHA1

        740c031341b17638d49daa1875b5042e2226dca0

        SHA256

        38e7c11e7e662903a7a7aa347bb9b839f4b7f3c326baa61fb4af28bb29fca427

        SHA512

        0cbbdead52d026302a6856ba17c569d993c63cff3f90b63d694ed3d19fddecb847e5d298b8cb2f89ce8dbab85eece5c9c61ae572fab8e7969e104597647f1249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0748AA69-334C-11EF-BCA5-DAA7D34B912A}.dat
        Filesize

        5KB

        MD5

        cb9fd615434666aa98ad3afa272687af

        SHA1

        fe8a1407065b3de36e093d81a9c5719c1acd4e22

        SHA256

        4f25550fea9bbe5a9bb5e8ada680ddd2543dd361618357eeb812e2c60b30dd54

        SHA512

        9347251fd037e5e51d6e4b4607dd7d16c542af1545f2ac7512b6932e577b312402841833201e5641deac7839b0dcaa81d3369da3d9dd4fcdbf3d82fd336a34c4

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        119KB

        MD5

        9d5d609dc8e2554054733d19eed45c5c

        SHA1

        ce72453fca9f477940a9def32bd8463549c6e1e4

        SHA256

        7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

        SHA512

        012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

        Download Submit

      • memory/460-32-0x0000000000450000-0x0000000000451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/460-31-0x0000000000470000-0x0000000000471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1180-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1180-34-0x0000000077162000-0x0000000077163000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1180-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1180-26-0x0000000000890000-0x0000000000891000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1180-23-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/1180-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1180-30-0x0000000077162000-0x0000000077163000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1180-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-22-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4528-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4528-4-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4604-0-0x0000000010000000-0x0000000010026000-memory.dmp

        Filesize

        152KB

        Download