Malware Analysis Report

2025-01-19 07:06

Sample ID 240626-a6hljawhrk
Target 102608b8523ba1b517f92ba97fcae12e_JaffaCakes118
SHA256 2ebeeba37fa2b5d420fa2227cd932f511da532cc52ca54647612beb9bb79bf14
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ebeeba37fa2b5d420fa2227cd932f511da532cc52ca54647612beb9bb79bf14

Threat Level: Known bad

The file 102608b8523ba1b517f92ba97fcae12e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 00:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 00:49

Reported

2024-06-26 00:51

Platform

win7-20240419-en

Max time kernel

134s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE56D701-3355-11EF-B082-427DDB91FD53} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE56AFF1-3355-11EF-B082-427DDB91FD53} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425524831" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 280 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 280 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe
PID 280 wrote to memory of 2344 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2824 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2716 wrote to memory of 2820 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2368 wrote to memory of 1288 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 228

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/280-3-0x0000000010000000-0x0000000010091000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 48327ee6dec8ae239eff2ffb30403028
SHA1 45e4e5014944e1229c49f9e7ad4d0925d93a55bb
SHA256 aa3d7c9d4576ca5b9848306ec5f1e3331d1227c9d1e20d2ea80ba611084bad6a
SHA512 1c20199e6726237c47f9bd958e9a135778280a8c0e0a86f8bed05f98d199e1502bb54605b036c6a2a54fbc5c48407afaab1e08730e84f1a18d56f5ad3cb89316

memory/280-10-0x0000000000700000-0x0000000000773000-memory.dmp

memory/280-9-0x0000000010000000-0x0000000010091000-memory.dmp

memory/280-1-0x0000000010000000-0x0000000010091000-memory.dmp

memory/2824-12-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2824-14-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2824-13-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2824-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2824-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2824-16-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2824-18-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE56AFF1-3355-11EF-B082-427DDB91FD53}.dat

MD5 ce70289135885317699db3177546bcc9
SHA1 f12e960c677241005c68461a5eb51c731856dabd
SHA256 118dcce6a425ac4f0c56b18500e08b92ca2e36a84eb032c18c69133420f6b0d0
SHA512 359ce19af298170763471e69584e1960974de0ac7fefe3a53bfd8a612ba85243622c41bc1894c5ac91cfe0cef6895fe749d5fefd7619333bd2ec2b4f2a1285ed

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE56D701-3355-11EF-B082-427DDB91FD53}.dat

MD5 2f16ded811b6f3c57240634be26f34c5
SHA1 869bc8b869f47a7cb174a2506653d86269f7a48b
SHA256 af00b361e31c80c613bf1d8c1f22059449d86fdb6a3e20addd53e2d4eb5ebfc0
SHA512 0e73bf22cfb057986b59e0790fcae3ed802f3b4eb8763b6c8cb0358df9076eaa144d9d074dea92c0366bc710d378ddabf55fa208a6684d6bd9faa380554ca8eb

memory/2824-21-0x0000000000400000-0x0000000000473000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1A95.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Cab1B05.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1B19.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 00:49

Reported

2024-06-26 00:51

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2464 wrote to memory of 2296 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 372 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102608b8523ba1b517f92ba97fcae12e_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 372 -ip 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/2296-0-0x0000000010000000-0x0000000010091000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 48327ee6dec8ae239eff2ffb30403028
SHA1 45e4e5014944e1229c49f9e7ad4d0925d93a55bb
SHA256 aa3d7c9d4576ca5b9848306ec5f1e3331d1227c9d1e20d2ea80ba611084bad6a
SHA512 1c20199e6726237c47f9bd958e9a135778280a8c0e0a86f8bed05f98d199e1502bb54605b036c6a2a54fbc5c48407afaab1e08730e84f1a18d56f5ad3cb89316

memory/372-4-0x0000000000400000-0x0000000000473000-memory.dmp

memory/372-6-0x0000000000590000-0x0000000000591000-memory.dmp

memory/372-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2296-9-0x0000000010000000-0x0000000010091000-memory.dmp