Analysis

  • max time kernel
    134s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 00:49

General

  • Target

    102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll

  • Size

    576KB

  • MD5

    102608b8523ba1b517f92ba97fcae12e

  • SHA1

    4283e402fb0bc7e02a5152d2a3e1893f0a8cad26

  • SHA256

    2ebeeba37fa2b5d420fa2227cd932f511da532cc52ca54647612beb9bb79bf14

  • SHA512

    8e93f1a23c0367f4b2f0b2c48794fa58be95d4594ffecce311573d320c98a81994fc2d7e4afdcafa197e1556275f6df59fea49a7716df15f8b8925738d010832

  • SSDEEP

    6144:7ZLT3A5Dp0HvFIc5vBlcQGSgS62iiiiiSySYSGS+8c8c8AAANA/AA0fMGrgPhcl5:7ZL7A5l0711g8onrOcWAqVvgkclx

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:280
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1288
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 228
        3⤵
        • Program crash
        PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f62c1549ea2047416705d27d8ee37fc2

    SHA1

    4aaf9d3445248f40d734a4076e6fa5ab6fb64e1f

    SHA256

    96475fea751540abad1385b4c5e1e05750c41d7909786a4a1d20f125045d7d8e

    SHA512

    19621fd6e552e7ac90807556c32b91d54da0a35cb16f2db332852184f044d2cf8097821274a235a6761296a7ab9c8d1b4844a5f5665732b0c44ca075151b583e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    22b2d28ddaaa8fd56ec927c80c8dccf7

    SHA1

    bfb1f6b954d2a34f8b30b9c150ba3a2edb8bda33

    SHA256

    8bb1e22c3ce1f31a357597d20fbd3832cead0cef26574702e4a1d59ec3659696

    SHA512

    aeeff77cf0e1ee072f6c5bbc8b2e588a8ea469a950e6e6b55e696c114e9ab55fd923a178bf65b857462df0de837cc9eea6dc2bb1b654709ec1bebd7995ae6c77

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e8bfb3c22453e5d6a518408edfee477a

    SHA1

    ca83ec23a68f2e47ef790886184b602e1c396134

    SHA256

    f2fc273b9c03ca7a7c7d1529b4e04ac981d05d1a8b3ef87720574dca07568483

    SHA512

    8a513f9220842b466fdc578c85c48d493c64b45a6b286a97edf50fa224fb7bb6e59d23259f7ef3a9ce5d205158d172ac852477bbdeb610f96ece1e17ada25bfa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c0fef639a677d86808d4f017eacdee8d

    SHA1

    83ca8a401caae241ea48a265fada04e850e0cef9

    SHA256

    8501cb7b0fac4509671aeafd271aac57817f924c928b0bb44c5c91b81ef79a23

    SHA512

    34394207c98ffa5defd699e82421e809c82fe5aeb05a3fe26c79ea5783c29124f942fdcd719ee521d2537a11e6f508db2160cd8cd75c5c1d2b0c474a2aa6b692

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    99062d58b764e6f88fe8407bb7bb3032

    SHA1

    92e52f781d50300c36fbb622c0969eaa6581ac9d

    SHA256

    8333d613bb322c5bc811edcfa4f40bbc5de10eec72c308828475dd10f779975c

    SHA512

    6a25157d514d54db5273e8213d2aa7db31c448cc57b667a9ed051f5999c88ea0a5a1944c334db200c6e4eba9c5af8ec1624468d306d2b28ed459b1f165c65841

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    70df0c44db27bdae27008add607a1ed7

    SHA1

    cbcd41dd2c4e33aa89c0a6d331cbec0e0c587e6c

    SHA256

    01033cbd8b343d86ae9169bc6d2f0ca7d6b5c366b7f4bf04ea5362f13b6438ce

    SHA512

    96954d43d913dd026f3f6c1481ad0c6ba9b5bbf034ef607f9c61a8b101944ed7f382ce5d23e2a48f09a2c59e2dc5500bfe2f20aab3429134efc5fb3a4b138ea1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d66926afb89fce4733a5bf4c7c02ee7e

    SHA1

    2b0888e06a41d999a580f9f4c5975d8247ff0ced

    SHA256

    d8e37720778fe9994bfe8796d9ad0ac6292b7584eeae2c06c93475d5ee5c272c

    SHA512

    9bef90828a4e977a38fdfda851cba44064d3681da67575a5868561c639d89e7a067cfe68ba1bfa5c04e75b448e92695a1d85d3ed8e65869fbc6cc46c28b61a79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    becc0cec6c0f702551cc8e50dbe01b0d

    SHA1

    7109f8b03b44de16338071d8b4ba7dcaea553a4c

    SHA256

    17cbc058485da041feceb8982ef9b38b31c6913f74c42a566beb9aab8fd82b71

    SHA512

    8d2239b48788cf1eb2d7367fb451a10c1abab054aa27f1c17b297b276277979f05c088395009f97a626443bdc88c5988a97ac02b0dff87659e14a4f2e2e749b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aee7303ec421d2886600ec52d728f849

    SHA1

    6ca4ef58d59eb3e6ad4c67366e05e3a0f5b85cc1

    SHA256

    c729ad515ef46691c175d61c83de22e6d667f1f2656a9452024f144d29d59f64

    SHA512

    9b52d7adbe8aeb833a7d3f174a9a660c8453fd75e7c863143007ee50622d63a60916f3eafc564003c12d1ee9b8309a7617fc5e1ca8eca9e88475c1f50f893a14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5f142835e68855f2e91541f66666e0ec

    SHA1

    fd80fbe4c5be8f7a4ab0c8df905f798941092545

    SHA256

    5a700722dccf4fa2bf09d89b58dcbf6a437a06d7f8d30f2a00ee7d35ab3e8746

    SHA512

    d96c30aefe9deb05827ad81c30c32516c55c87a58724645dffe5a950e71698c2f7cfacb3c7d5498a5758ecda55be59c15cb1dc7f3ef708f643682ab8153fb621

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    115fed75ef3aa4ae5900a727b6cc5a71

    SHA1

    bda7a3fda56934fbbb5384f23c912fab2dbc4995

    SHA256

    e535b85ee78d6105cbe3792559d34863dd65374a0d0694043c225874ad8960e5

    SHA512

    a43a65287059126915b2af35e432913013eb82856dfe6e609b9ce08a372d7f55fd98c6cbcb1a95c34c5d949f8e1c6850ed0229805b46214989bc016afecd1edd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    562d00ac4e4b48dad5111e5dc68b391b

    SHA1

    56c4da6046e24cd8981f472644443cf65e7e0736

    SHA256

    4f444545ffeed0b1b362dea6b98d71fa3ed7f7217c21f1dc4c23e3f30403d88f

    SHA512

    a0da8dd3b9e3587b007c1c0bc3dd701cbff9ab91e146b1c4ceb36b20edfb9a7d8e001e7529c9c78c5fa22da754bcaac5902510e6b50a4dda2beb5331292676f4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    95ffd4fdb2a681c2d61c4c46d5611c2b

    SHA1

    399b6ca7524d640b4f5400a1ccc1f2fca4c83946

    SHA256

    17471d29fc06e1ef383cc3f606e4a53644708ed4956ea2b9c392bfd58ad53d1f

    SHA512

    114d5d939540b0b3db43067fbc7eef55cba3484879c0b1fbd6c9926be05e160ea9104002b6b890a765137e6dee978a84b3aca687ec7327a11346922af2565de6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    34e2e9b06028113bb50e06500d9cacbe

    SHA1

    20faea4709e00dbc570a6356a6b71dca61961aa8

    SHA256

    787c4ebee526522cfb569d1767d7afe4356273febe949850b68b0fa12bbf1aaa

    SHA512

    29d9b75dd3bcb25d6c710e826a66ffb75824e1a9a0da8f61d8fa2324d5f4fab2368db693d4cd5e09e821a741ea979be25561098b494b44f188c0313e42ab4ff3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c59b9bc1367f4c88c1c71eebd146e417

    SHA1

    a9038e611a00f268d63325619b8baaeb19c44b8c

    SHA256

    3ece3a97648b9b7d4e898f2e5c242a884ef3bd5ebfd5141471415d60a9705787

    SHA512

    209f0d74616740e523117690f558896645537f9535f144e3ec4b31239afe2b2dd4f2b53dfa589b6d65663f32b69da937994b7381868049c847ec1a77a07b699e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fa09991e5ba0fc32b21073b420875109

    SHA1

    6b610b715b7f0ab2a3024731bc68e8bd26601c82

    SHA256

    d4b0caf869d7479565a56d633f600654cfcc5d040f610f35ac6ea8c076c121c9

    SHA512

    7da1d34e1d9864073e599a69301b949f00401b0295c87d4b14c785e33f256907125794404b8508c9201495860f9a5347f50bc754bbe3ef9faeab493d9ba6f290

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1c0982ad899c045e9314f05d48bac72f

    SHA1

    0ce210ff11349bce303a5dd7548b217191fd7ffe

    SHA256

    13582c5883ec1c8fc9bd9d123d5e1f12aa02ccc1a938908aef446a7841db2467

    SHA512

    13446dc39bbe4262423934f30d474192eb49f17fcfa2b9bd34567e69086bcd0b534dd4c188899093ad4ee4300492d3459d6e97aa5ce8b7fb7e6903c70b8e941d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bfb3a087446ce4fefd972cc61e785510

    SHA1

    5ce995eb400532d581be5da2fe3653e735cd557a

    SHA256

    6cb0c81718bfb33ca799cf5189275265c298fbada63ac0ea6afb4ea44fd6fe6a

    SHA512

    53bd5663f92ac112db1f96b9d93f091b923d5fd4d52b24ef79e991261ad91c63a66cee558434132fd48d7abf43d391ee0dfe502cf29729a6ee23879012886ced

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c607c4a1974966c82b8f22082c98ec8f

    SHA1

    9a81e815062ff0a323ac49b25e9eaf70309bfd9d

    SHA256

    cffe8b55027dbee13a6a9a14d97420e02cff8484897c3c0a17ce232bab61ca64

    SHA512

    1ea8c75bbbad6f02bdf863fd1f7f8857d4d25538c5ccaaba4ce0020386d8912a400d45af05464d118b3c1a519fbf1aaccdce8af323e0cc0b06c02ffc8b308463

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE56AFF1-3355-11EF-B082-427DDB91FD53}.dat

    Filesize

    4KB

    MD5

    ce70289135885317699db3177546bcc9

    SHA1

    f12e960c677241005c68461a5eb51c731856dabd

    SHA256

    118dcce6a425ac4f0c56b18500e08b92ca2e36a84eb032c18c69133420f6b0d0

    SHA512

    359ce19af298170763471e69584e1960974de0ac7fefe3a53bfd8a612ba85243622c41bc1894c5ac91cfe0cef6895fe749d5fefd7619333bd2ec2b4f2a1285ed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE56D701-3355-11EF-B082-427DDB91FD53}.dat

    Filesize

    5KB

    MD5

    2f16ded811b6f3c57240634be26f34c5

    SHA1

    869bc8b869f47a7cb174a2506653d86269f7a48b

    SHA256

    af00b361e31c80c613bf1d8c1f22059449d86fdb6a3e20addd53e2d4eb5ebfc0

    SHA512

    0e73bf22cfb057986b59e0790fcae3ed802f3b4eb8763b6c8cb0358df9076eaa144d9d074dea92c0366bc710d378ddabf55fa208a6684d6bd9faa380554ca8eb

  • C:\Users\Admin\AppData\Local\Temp\Cab1A95.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Cab1B05.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar1B19.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    48327ee6dec8ae239eff2ffb30403028

    SHA1

    45e4e5014944e1229c49f9e7ad4d0925d93a55bb

    SHA256

    aa3d7c9d4576ca5b9848306ec5f1e3331d1227c9d1e20d2ea80ba611084bad6a

    SHA512

    1c20199e6726237c47f9bd958e9a135778280a8c0e0a86f8bed05f98d199e1502bb54605b036c6a2a54fbc5c48407afaab1e08730e84f1a18d56f5ad3cb89316

  • memory/280-1-0x0000000010000000-0x0000000010091000-memory.dmp

    Filesize

    580KB

  • memory/280-9-0x0000000010000000-0x0000000010091000-memory.dmp

    Filesize

    580KB

  • memory/280-10-0x0000000000700000-0x0000000000773000-memory.dmp

    Filesize

    460KB

  • memory/280-3-0x0000000010000000-0x0000000010091000-memory.dmp

    Filesize

    580KB

  • memory/2824-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2824-14-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2824-12-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2824-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2824-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2824-16-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2824-18-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2824-21-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB