Overview

overview

10

Static

static

3

0e0b392d51...18.exe

windows7-x64

10

0e0b392d51...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e0b392d511d9c14d51fff720b3f3d9e_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    0e0b392d511d9c14d51fff720b3f3d9e

  • SHA1

    a7e78a574012637e6c300dba2f482a94e6ecfb65

  • SHA256

    c774f3dca844e6fc31b1b23328fcc10860f30d2fccab118bea20d601779ae112

  • SHA512

    d003310d9ece75978b4c18f5f735da935db4411df3898a6d2df0289260780d1116347ebd186951d052fd25b18e61bf4c50777d8e559584651cff210932a4cbad

  • SSDEEP

    3072:HunxwgxgfR/DVG7wBpErzWRVoYc0WnqAdelWGPRSOLjK+ca1x:G+xDVG0BpE+lAvepSOLjAMx

Score
10/10
ramnitsalitybackdoorbankerevasionspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:796
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:800
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:388
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2544
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2648
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2872
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3484
                  • C:\Users\Admin\AppData\Local\Temp\0e0b392d511d9c14d51fff720b3f3d9e_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\0e0b392d511d9c14d51fff720b3f3d9e_JaffaCakes118.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Disables RegEdit via registry modification
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of UnmapMainImage
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:4720
                    • C:\Program Files (x86)\Microsoft\WaterMark.exe
                      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                      3⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of UnmapMainImage
                      • Suspicious use of WriteProcessMemory
                      PID:1012
                      • C:\Windows\SysWOW64\svchost.exe
                        C:\Windows\system32\svchost.exe
                        4⤵
                          PID:4080
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe"
                          4⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:4392
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:17410 /prefetch:2
                            5⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:4776
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe"
                          4⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:2504
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:17410 /prefetch:2
                            5⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:2392

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                    Filesize

                    255KB

                    MD5

                    0e0b392d511d9c14d51fff720b3f3d9e

                    SHA1

                    a7e78a574012637e6c300dba2f482a94e6ecfb65

                    SHA256

                    c774f3dca844e6fc31b1b23328fcc10860f30d2fccab118bea20d601779ae112

                    SHA512

                    d003310d9ece75978b4c18f5f735da935db4411df3898a6d2df0289260780d1116347ebd186951d052fd25b18e61bf4c50777d8e559584651cff210932a4cbad

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    471B

                    MD5

                    b9b9f42ce6d2b20bf169d05480d239d4

                    SHA1

                    32b094cc2ff79f07fcd68d585846b919bc350e4d

                    SHA256

                    4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4

                    SHA512

                    36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                    Filesize

                    404B

                    MD5

                    e4d1807ec461b54cbe1a9e89279159ce

                    SHA1

                    6a49612b815b5c5e658f5a8e7118dcca078905fb

                    SHA256

                    3ddaba87242701d8328097672c75ed59f9a36a1449225a682c3e41d945580ca0

                    SHA512

                    b6cdd9184ba99ba7286c7d3514bacf6949bfaa4e8095e2b1336707844bdd0b489a4dfcc97b9d1de293d67e2bfeeb1ca21d75df92144a2c505ba1c5ec53be2ed1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{29E36570-32ED-11EF-B1BA-7AB36BF646CA}.dat
                    Filesize

                    5KB

                    MD5

                    c5d1e0ee09398a15c728414f5257a09b

                    SHA1

                    0132550cb03cdd3ef2c82640db3446f49117ce73

                    SHA256

                    3d870ec6ec7f9b24f863bd7fe937cbcd30dc470d7d8b246e20c5bf2fa8f7097c

                    SHA512

                    c191354161e3dd64d9f590750280cfbe83725e4ae1e18d962138db022077736db744607fbef93629400faf45daf05c42da5e71cd0343e2632ecc3295ab862fa3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{29E5C7B0-32ED-11EF-B1BA-7AB36BF646CA}.dat
                    Filesize

                    3KB

                    MD5

                    9a9ec7a6029bf6ca7de23837470cc91c

                    SHA1

                    576cf0705ea0db893f82d713191b5e6984fc5f60

                    SHA256

                    74709942fa37d9d615062c7d6161f4a1f0413d45fd181de095beef6bd86de239

                    SHA512

                    2c52d121413102ee33531b94bb692ac8692deccac23ef123b43f46647d25fcedb8d246aaff4db5acbb56b74a0abe551756941da78a9c8543543eb3de3b57ed4e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE3F7.tmp
                    Filesize

                    15KB

                    MD5

                    1a545d0052b581fbb2ab4c52133846bc

                    SHA1

                    62f3266a9b9925cd6d98658b92adec673cbe3dd3

                    SHA256

                    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                    SHA512

                    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\suggestions[1].en-US
                    Filesize

                    17KB

                    MD5

                    5a34cb996293fde2cb7a4ac89587393a

                    SHA1

                    3c96c993500690d1a77873cd62bc639b3a10653f

                    SHA256

                    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                    SHA512

                    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                    Download Submit

                  • memory/1012-45-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1012-41-0x0000000000070000-0x0000000000071000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1012-29-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/1012-36-0x0000000000430000-0x0000000000431000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1012-40-0x00000000774B2000-0x00000000774B3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1012-39-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1012-37-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/1012-42-0x00000000774B2000-0x00000000774B3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4720-15-0x00000000009C0000-0x00000000009C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4720-14-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-9-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-8-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-2-0x00000000031B0000-0x000000000423E000-memory.dmp

                    Filesize

                    16.6MB

                    Download

                  • memory/4720-3-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/4720-7-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-16-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-0-0x0000000000400000-0x000000000044A000-memory.dmp

                    Filesize

                    296KB

                    Download

                  • memory/4720-5-0x00000000031B0000-0x000000000423E000-memory.dmp

                    Filesize

                    16.6MB

                    Download

                  • memory/4720-17-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-23-0x0000000000400000-0x0000000000421000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/4720-20-0x00000000031B0000-0x000000000423E000-memory.dmp

                    Filesize

                    16.6MB

                    Download

                  • memory/4720-11-0x00000000031B0000-0x000000000423E000-memory.dmp

                    Filesize

                    16.6MB

                    Download

                  • memory/4720-6-0x00000000031B0000-0x000000000423E000-memory.dmp

                    Filesize

                    16.6MB

                    Download

                  • memory/4720-1-0x0000000000401000-0x0000000000402000-memory.dmp

                    Filesize

                    4KB

                    Download