Analysis Overview
SHA256
03a2c1ce541195a79d2b313a6598e3f6c5d45d0d32e563d3e913f0367d14c758
Threat Level: Known bad
The file 0d1888d8cf25c90916c9894de5a888ac_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Ramnit
Executes dropped EXE
Checks computer location settings
Drops startup file
Checks BIOS information in registry
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 06:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 06:40
Reported
2024-06-25 06:43
Platform
win7-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\wotooris\\fuleyurj.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuleyurj.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fuleyurj.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wajybwtpugdrdwch.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\FulEyurj = "C:\\Users\\Admin\\AppData\\Local\\wotooris\\fuleyurj.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
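The Winlogon, UAC, SafeBoot and Run-key rows above are the indicators a responder most needs to recognise on a live host: Userinit is a comma-separated list that Windows executes at logon, so anything appended after userinit.exe runs in the user's session; EnableLUA=0 turns UAC off entirely (effective after the next logon); deleting a service's key under SafeBoot\Minimal stops that service, here including WinDefend, from starting in Safe Mode. The script below is an added example, not part of the sandbox output. It parses indicator rows copied from the tables above (constructed inline) and flags each of those conditions plus a Run entry that points into a user-writable directory. The stock Userinit value and the user-writable path heuristic are this script's own assumptions.

```python
"""Triage of registry indicators in the shape the sandbox report prints them.

Added example, not part of the sandbox output. INDICATORS is constructed from
rows of the behavioral1 signature tables; the path heuristic is our own.
"""
import re

# (operation, indicator) pairs copied from the report's "Indicator" column.
INDICATORS = [
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
     r' = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\wotooris\\fuleyurj.exe"'),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'),
    ("Key deleted",
     r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\FulEyurj'
     r' = "C:\\Users\\Admin\\AppData\\Local\\wotooris\\fuleyurj.exe"'),
    ("Key value queried",
     r'\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion'),
]

# Assumption: a Run entry living under one of these directories is suspect,
# because an unprivileged user can write there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)


def parse_indicator(text):
    """Split 'path = "value"' into (path, value); value is None for key-only ops.

    The report escapes backslashes inside the quoted value; undo that.
    """
    m = re.match(r'^(.*?)\s*=\s*"(.*)"$', text)
    if not m:
        return text, None
    return m.group(1), m.group(2).replace("\\\\", "\\")


def assess(op, text):
    """Return a list of (finding, detail) tuples for one indicator row."""
    path, value = parse_indicator(text)
    _key, _, name = path.rpartition("\\")
    findings = []

    # Userinit is executed as a comma-separated list; the only legitimate
    # entry is userinit.exe itself (normally with a full system32 path).
    if name.lower() == "userinit" and value is not None:
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            findings.append(("winlogon_userinit_hijack", extra))

    # EnableLUA=0 disables UAC for every user on the machine.
    if name.lower() == "enablelua" and value == "0":
        findings.append(("uac_disabled", path))

    # Removing a service from SafeBoot\Minimal keeps it from starting in Safe Mode.
    if op == "Key deleted" and "\\SafeBoot\\" in path:
        findings.append(("safeboot_service_removed", name))

    # Run entries that launch from user-writable locations.
    if "\\CurrentVersion\\Run\\" in path and value and USER_WRITABLE.search(value):
        findings.append(("run_key_user_writable_path", value))

    return findings


def triage(rows):
    """Group findings by type across all indicator rows."""
    out = {}
    for op, text in rows:
        for finding, detail in assess(op, text):
            out.setdefault(finding, []).append(detail)
    return out


if __name__ == "__main__":
    for finding, details in triage(INDICATORS).items():
        print(f"{finding}: {details}")
```

The BIOS query row produces no finding on purpose: on its own it is an environment check, not a persistence or defence-evasion action, and it is listed only to show that benign rows pass through unflagged. A clean Userinit value such as `C:\Windows\system32\userinit.exe,` also yields nothing, so the check keys on the basename of every entry rather than on the exact string.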
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wajybwtpugdrdwch.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wajybwtpugdrdwch.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d1888d8cf25c90916c9894de5a888ac_JaffaCakes118.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d1888d8cf25c90916c9894de5a888ac_JaffaCakes118.dll,#1 |
| C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 268 |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\wajybwtpugdrdwch.exe | "C:\Users\Admin\AppData\Local\Temp\wajybwtpugdrdwch.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | qdfgqwiovjlfegdcepm.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | gqmrhecnntccmawclmq.com | udp |
| US | 8.8.8.8:53 | ouwwtmcnuiudw.com | udp |
| US | 8.8.8.8:53 | vxpxgorqkihafv.com | udp |
| US | 8.8.8.8:53 | anxpepxpukbfmh.com | udp |
| US | 8.8.8.8:53 | mstwcsnvylmullkqh.com | udp |
| US | 8.8.8.8:53 | ihoxyanyker.com | udp |
| US | 8.8.8.8:53 | vlupfbsuppipkrvbsdy.com | udp |
| US | 8.8.8.8:53 | oaifpapl.com | udp |
| US | 8.8.8.8:53 | fssuatmti.com | udp |
| US | 8.8.8.8:53 | hetjymgiddyamqq.com | udp |
| US | 8.8.8.8:53 | cpmsussgpibatpmswq.com | udp |
| US | 8.8.8.8:53 | qfitnlxp.com | udp |
| US | 8.8.8.8:53 | gkusimsgjcauehgdjn.com | udp |
| US | 8.8.8.8:53 | jktlguslfhcwqkmai.com | udp |
| US | 8.8.8.8:53 | fidjlfphserhycexjhf.com | udp |
| US | 8.8.8.8:53 | vyibjxjnshtry.com | udp |
| US | 8.8.8.8:53 | wgkyyalemnvhdrai.com | udp |
| US | 8.8.8.8:53 | secdfbpyopjhyhuw.com | udp |
| US | 8.8.8.8:53 | hxpgffdwbevww.com | udp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 8.8.8.8:53 | sliokrvnkjenhwgpjl.com | udp |
| US | 8.8.8.8:53 | prcgijpwvrl.com | udp |
| US | 8.8.8.8:53 | uxlyihgvfnqcrfcf.com | udp |
| US | 8.8.8.8:53 | jexgpprgph.com | udp |
| US | 8.8.8.8:53 | awckeliqcherasntmin.com | udp |
| US | 8.8.8.8:53 | mavjlatqkpuban.com | udp |
| US | 8.8.8.8:53 | pvbmlrybufe.com | udp |
| US | 8.8.8.8:53 | byraiyodqfdx.com | udp |
| US | 8.8.8.8:53 | edqmjbyjcxyjqnjjodh.com | udp |
| US | 8.8.8.8:53 | umiuqmrmvsuiscitx.com | udp |
| US | 8.8.8.8:53 | kqrkegigdtjxxcrvl.com | udp |
| US | 8.8.8.8:53 | hhowujyrcvdrwpdvsck.com | udp |
| US | 8.8.8.8:53 | wxurahlisqbmppqss.com | udp |
| US | 8.8.8.8:53 | ppwnhnvwnvtggifhbv.com | udp |
| US | 8.8.8.8:53 | rtcocsaitmadupgl.com | udp |
| US | 8.8.8.8:53 | udvnniovrov.com | udp |
| US | 8.8.8.8:53 | kjjeuhhqiwvfnuvvtkd.com | udp |
| US | 8.8.8.8:53 | oxjlrgepfnkvdprbr.com | udp |
| US | 8.8.8.8:53 | vmdgwbenh.com | udp |
| US | 8.8.8.8:53 | tvxwdutxo.com | udp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 8.8.8.8:53 | bllkuhftropiwymr.com | udp |
| US | 8.8.8.8:53 | rapbmprhwwm.com | udp |
| US | 8.8.8.8:53 | pdcdcwjwrqsq.com | udp |
| US | 8.8.8.8:53 | mjuqovvuruldy.com | udp |
| US | 8.8.8.8:53 | ykesfabqxbvmns.com | udp |
| US | 8.8.8.8:53 | kmyxdodog.com | udp |
| US | 8.8.8.8:53 | xsredbpaef.com | udp |
| US | 8.8.8.8:53 | oukicfldnvxhrtxvuqr.com | udp |
| US | 8.8.8.8:53 | cqlmxlukplhlfdo.com | udp |
| US | 8.8.8.8:53 | fxkapveygtffbkv.com | udp |
| US | 8.8.8.8:53 | dykxkasesippbsjb.com | udp |
| US | 8.8.8.8:53 | haqkwkokaigcdslnrlr.com | udp |
| US | 8.8.8.8:53 | mggtqypybfts.com | udp |
| US | 8.8.8.8:53 | ohpmyviumie.com | udp |
| US | 8.8.8.8:53 | nbvhroptghtmsydrfq.com | udp |
| US | 8.8.8.8:53 | yicgycrtyoxaiu.com | udp |
| US | 8.8.8.8:53 | mcchphgndpadclga.com | udp |
| US | 8.8.8.8:53 | jxnbdfwh.com | udp |
| US | 8.8.8.8:53 | hgubujdad.com | udp |
| US | 8.8.8.8:53 | arhpgoeeasi.com | udp |
| US | 8.8.8.8:53 | ticfmjsce.com | udp |
| US | 8.8.8.8:53 | dlsvfpmniphnmxnvoeo.com | udp |
| US | 8.8.8.8:53 | expecvmanfaydv.com | udp |
| US | 8.8.8.8:53 | egcftpguclkoi.com | udp |
| US | 8.8.8.8:53 | snpltixygwcpifp.com | udp |
| US | 8.8.8.8:53 | rkxukunrgvpkgmc.com | udp |
| US | 8.8.8.8:53 | ojvpkaohbddmbfac.com | udp |
| US | 8.8.8.8:53 | uigwsscasowqdiyp.com | udp |
| US | 8.8.8.8:53 | rsmhdfgpgw.com | udp |
| US | 8.8.8.8:53 | wwgxwnil.com | udp |
| US | 8.8.8.8:53 | nwetlnpjovgxmj.com | udp |
| US | 8.8.8.8:53 | qsrywodlwhorwibvy.com | udp |
| US | 8.8.8.8:53 | jabdfnuridle.com | udp |
| US | 8.8.8.8:53 | xqdrbrjiqwwpahhk.com | udp |
| US | 8.8.8.8:53 | tuisyirhweflhvqyxh.com | udp |
| US | 8.8.8.8:53 | dpjbclufd.com | udp |
| US | 8.8.8.8:53 | tnueoqahys.com | udp |
| US | 8.8.8.8:53 | tfgixgmqhdowexm.com | udp |
| US | 8.8.8.8:53 | fdkasoupvgxigejgdfb.com | udp |
| US | 8.8.8.8:53 | irfldtfkhgyrpsarcje.com | udp |
| US | 8.8.8.8:53 | amobragjgge.com | udp |
| US | 8.8.8.8:53 | rgcdictp.com | udp |
| US | 8.8.8.8:53 | jfvxpfbgo.com | udp |
| US | 8.8.8.8:53 | adhcssvuayv.com | udp |
| US | 8.8.8.8:53 | wvogkbbapujp.com | udp |
| US | 8.8.8.8:53 | hfegocufjkndwc.com | udp |
| US | 8.8.8.8:53 | xeucibnop.com | udp |
| US | 8.8.8.8:53 | qbpcpmcijn.com | udp |
| US | 8.8.8.8:53 | ilasqwag.com | udp |
| US | 8.8.8.8:53 | uxqbewwdunihwscfl.com | udp |
| US | 8.8.8.8:53 | xxkoixiiiqpyecxoaka.com | udp |
| US | 8.8.8.8:53 | btfkjkqv.com | udp |
| US | 8.8.8.8:53 | dfyxptqjxwtdkjjbiu.com | udp |
| US | 8.8.8.8:53 | lvmrpvkyo.com | udp |
| US | 8.8.8.8:53 | erfhytwpgitkpgudo.com | udp |
| US | 8.8.8.8:53 | lyghwyciguta.com | udp |
| US | 8.8.8.8:53 | laiotlboxklvpcdfhu.com | udp |
| US | 8.8.8.8:53 | kiiwacbehxexixl.com | udp |
| US | 8.8.8.8:53 | njqvexdhwhutar.com | udp |
| US | 8.8.8.8:53 | lnjrtxcjbiaov.com | udp |
| US | 8.8.8.8:53 | ntohnxgjijsgi.com | udp |
| US | 8.8.8.8:53 | ojmitlcyjsuyb.com | udp |
| US | 8.8.8.8:53 | ntnwcxtwgxwecrdxr.com | udp |
| US | 8.8.8.8:53 | ykkcsanct.com | udp |
| US | 8.8.8.8:53 | gjvhfiouvwiqvtewbu.com | udp |
| US | 8.8.8.8:53 | suhfvuljuihmevldp.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | bklerdwiadlxxbjunwu.com | udp |
| US | 8.8.8.8:53 | rxckgnatt.com | udp |
| US | 8.8.8.8:53 | bxnrxuyjcytf.com | udp |
| US | 8.8.8.8:53 | pbwjbkgdo.com | udp |
| US | 8.8.8.8:53 | tfpohsjc.com | udp |
| US | 8.8.8.8:53 | fkcxdfiv.com | udp |
| US | 8.8.8.8:53 | iljmekbkcukps.com | udp |
| US | 8.8.8.8:53 | mefqtfwlxrfhguru.com | udp |
| US | 8.8.8.8:53 | dgrdrqkpmggukqo.com | udp |
| US | 8.8.8.8:53 | qxdfhujechixcrgdb.com | udp |
| US | 8.8.8.8:53 | fsksblipt.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
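In the Windows 7 run the sample resolves well over a hundred pseudo-random .com names within the 150-second window, interleaved with lookups of google.com, bing.com and yahoo.com (a common connectivity check). Ramnit is known to use a domain generation algorithm to locate its command-and-control servers, and this pattern of many short-lived lookups is how that surfaces in DNS telemetry; the sandbox recorded only the queries, not the answers. The script below is an added example, not part of the report. It scores a subset of the names from the table above (constructed inline) with a simple lexical heuristic on the second-level label: length, vowel ratio, longest consonant run and character entropy. The thresholds are rule-of-thumb values, and the script does not reproduce Ramnit's actual algorithm, so some generated names such as oaifpapl.com slip through; the more robust signal is the fraction of distinct names flagged in one window, which `summarise_lookups` reports.

```python
"""Heuristic DGA triage for the DNS lookups listed in the sandbox report.

Added example, not part of the sandbox output. QUERIED is constructed from
the Domain column of the Network tables; the thresholds are rule-of-thumb
values and do not reproduce Ramnit's generation algorithm.
"""
import math
from collections import Counter

VOWELS = set("aeiou")

# Subset of names queried in the Windows 7 run, plus two reverse lookups
# of the kind seen in the Windows 10 run, to show they are excluded.
QUERIED = [
    "qdfgqwiovjlfegdcepm.com", "google.com", "gqmrhecnntccmawclmq.com",
    "ouwwtmcnuiudw.com", "vxpxgorqkihafv.com", "anxpepxpukbfmh.com",
    "mstwcsnvylmullkqh.com", "bing.com", "yahoo.com", "oaifpapl.com",
    "241.150.49.20.in-addr.arpa", "8.8.8.8.in-addr.arpa",
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain):
    """Second-level label, e.g. 'bing' for 'g.bing.com' (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Lexical features of one label; y is treated as a consonant."""
    vowels = sum(ch in VOWELS for ch in label)
    run = longest = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(label) if label else 0.0,
        "max_consonant_run": longest,
        "entropy": shannon_entropy(label),
    }


def is_dga_like(domain):
    """Heuristic: label of 8+ chars with a 4+ consonant run or under 25% vowels."""
    if domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa"):
        return False  # reverse lookups are never candidate C2 names
    f = label_features(registrable_label(domain))
    if f["length"] < 8:
        return False
    return f["max_consonant_run"] >= 4 or f["vowel_ratio"] < 0.25


def summarise_lookups(domains):
    """Deduplicate, drop reverse lookups, and report the flagged fraction."""
    candidates = [d for d in dict.fromkeys(domains) if not d.endswith(".arpa")]
    flagged = sorted(d for d in candidates if is_dga_like(d))
    ratio = len(flagged) / len(candidates) if candidates else 0.0
    return {"candidates": len(candidates), "flagged": flagged, "flagged_ratio": ratio}


if __name__ == "__main__":
    result = summarise_lookups(QUERIED)
    print(f"{len(result['flagged'])}/{result['candidates']} distinct names look generated")
    for d in result["flagged"]:
        print("  ", d, label_features(registrable_label(d)))
```

The Windows 10 run in behavioral2 below shows no such burst, only Bing and Microsoft traffic from the Internet Explorer processes, which is consistent with the payload crashing there (three WerFault instances) before reaching its network stage; the same scorer applied to that table flags nothing.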
Files
memory/2056-3-0x0000000010000000-0x000000001005E000-memory.dmp
memory/2056-1-0x0000000010000000-0x000000001005E000-memory.dmp
memory/2056-11-0x00000000001D0000-0x0000000000208000-memory.dmp
memory/1184-16-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1184-17-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/2640-34-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2640-62-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2640-61-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2640-56-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2640-53-0x0000000020010000-0x0000000020023000-memory.dmp
memory/2640-54-0x0000000020010000-0x0000000020023000-memory.dmp
memory/1184-49-0x000000007745F000-0x0000000077460000-memory.dmp
memory/1700-48-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1700-47-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1700-46-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2640-40-0x0000000020010000-0x0000000020023000-memory.dmp
memory/1700-31-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1700-30-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1700-29-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1700-26-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1700-21-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1700-19-0x0000000020010000-0x000000002001C000-memory.dmp
memory/1184-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1184-13-0x0000000000400000-0x0000000000437D4C-memory.dmp
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | a06539e080f0796c507ea485effbc8b0 |
| SHA1 | c31d586000b50ec398b1e1dcfecbc31382449db4 |
| SHA256 | f5204dc271e72770b75fff3703d4c3f48011807a21816a8b2f82efe69ab28626 |
| SHA512 | 30c4250ccdf2a5df73688285253f9f476da9f9d6517539e6db951c8cd3de9819b2fa040093fc36d24aaf0a5e23c78abfce1cb693c21bcfb3ab9e4fd0385e1b59 |
memory/2056-4-0x00000000001D0000-0x0000000000208000-memory.dmp
memory/1184-95-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1184-94-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1600-93-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1600-87-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1184-86-0x00000000026B0000-0x00000000026E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 06:40
Reported
2024-06-25 06:43
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Ramnit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\arloksdywidumyga.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114954" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3151728285" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114954" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3350322109" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426062643" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114954" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E75EEF9F-32BD-11EF-8383-4E0B5964A968} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114954" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114954" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3150009276" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3150009276" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3151728285" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\arloksdywidumyga.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\arloksdywidumyga.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d1888d8cf25c90916c9894de5a888ac_JaffaCakes118.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d1888d8cf25c90916c9894de5a888ac_JaffaCakes118.dll,#1 |
| C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5084 -ip 5084 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 636 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 204 |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" |
| C:\Program Files\Internet Explorer\IEXPLORE.EXE | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4836 CREDAT:17410 /prefetch:2 |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2932 -ip 2932 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 212 |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" |
| C:\Program Files\Internet Explorer\IEXPLORE.EXE | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4836 CREDAT:17416 /prefetch:2 |
| C:\Users\Admin\AppData\Local\Temp\arloksdywidumyga.exe | "C:\Users\Admin\AppData\Local\Temp\arloksdywidumyga.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4408-1-0x0000000010000000-0x000000001005E000-memory.dmp
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | a06539e080f0796c507ea485effbc8b0 |
| SHA1 | c31d586000b50ec398b1e1dcfecbc31382449db4 |
| SHA256 | f5204dc271e72770b75fff3703d4c3f48011807a21816a8b2f82efe69ab28626 |
| SHA512 | 30c4250ccdf2a5df73688285253f9f476da9f9d6517539e6db951c8cd3de9819b2fa040093fc36d24aaf0a5e23c78abfce1cb693c21bcfb3ab9e4fd0385e1b59 |
memory/1692-6-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1692-5-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1692-8-0x00000000005A0000-0x00000000005A1000-memory.dmp
memory/1692-10-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/5084-12-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/5084-11-0x0000000000600000-0x0000000000601000-memory.dmp
memory/4408-13-0x0000000010000000-0x000000001005E000-memory.dmp
memory/1692-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1692-19-0x0000000077B92000-0x0000000077B93000-memory.dmp
memory/1692-18-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1692-21-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1692-22-0x0000000077B92000-0x0000000077B93000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD551.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
memory/1124-38-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1124-40-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1124-39-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1124-45-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1124-44-0x0000000000400000-0x0000000000437D4C-memory.dmp
memory/1692-47-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |