Malware Analysis Report

2025-01-19 07:09

Sample ID 240625-bv146swfnr
Target 0bcb10eb7cd8759964f97fb269276091_JaffaCakes118
SHA256 71c4cba0f7cab0e8780786d4951974ba46e8140b5bcc00d0eaa08d63506951e3
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10


Analysis Overview

score
10/10

SHA256

71c4cba0f7cab0e8780786d4951974ba46e8140b5bcc00d0eaa08d63506951e3

Threat Level: Known bad

The file 0bcb10eb7cd8759964f97fb269276091_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 01:28

Reported

2024-06-25 01:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1796.tmp C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425440789" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41E90151-3292-11EF-B5E8-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 3048 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe
PID 3048 wrote to memory of 2544 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2544 wrote to memory of 2824 (4 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2816 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 01:28

Reported

2024-06-25 01:31

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px55BC.tmp C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114911" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5A3F37B1-3292-11EF-B9F7-C2C57F2727CB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114911" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5A3F37B3-3292-11EF-B9F7-C2C57F2727CB}.dat = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "712812359" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "712812359" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe
PID 672 wrote to memory of 908 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 908 wrote to memory of 3808 (2 events) N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3808 wrote to memory of 100 (3 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\0bcb10eb7cd8759964f97fb269276091_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files
