Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-06-2024 02:23

General

  • Target

    10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll

  • Size

    138KB

  • MD5

    10686f63d7d573fc32ea32515050610c

  • SHA1

    96d4016d1c24e48871262067023195f2258e3fb1

  • SHA256

    4c94988ce5410f5fa622242b0c939946ef3d30ad72f5fa5b1fb0fb2d8f2a6e6b

  • SHA512

    291b3df439b1866608be3893b13f622a4b19f21de1794e8eb6642dda0b791b82c0494d428b6aa6fe2414195c6e875e59e406bbbad724ed38783384cf46f69d99

  • SSDEEP

    3072:lRB6igBt/cwP9aAnI0wtFEQLOiib3wEzR4rUjS:DXgBlVpnuIwSRq

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Users\Admin\AppData\Local\Temp\798kOP3
        "798kOP3"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:3940
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 196
              5⤵
              • Program crash
              PID:3480
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3352
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4704
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1772
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17416 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4792
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            4⤵
              PID:4088
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 208
                5⤵
                • Program crash
                PID:1900
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2808
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                5⤵
                • Modifies Internet Explorer settings
                PID:4040
            • C:\Users\Admin\AppData\Local\Temp\rekdojcrsytlhvaw.exe
              "C:\Users\Admin\AppData\Local\Temp\rekdojcrsytlhvaw.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 3940
        1⤵
          PID:848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4088 -ip 4088
          1⤵
            PID:3440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\798kOP3

    Filesize

    95KB

    MD5

    47a8ed36d375f91a1b750411d92ead7f

    SHA1

    b46c4f789f25a704169a21b4b7e4d4ecdda62a5d

    SHA256

    7e1f885a67c2b64aa4549a564f1008f4e96f1a2cd351cd62b6d2b44a8dd03626

    SHA512

    c3f43e560d3b499ab3d0444cfc21a18eb0451aff7466760c0719feadeb4d47445af13968b108cd89fc36e619b9297240075f5a1eec6f6319a88c589a4bc872f7

  • memory/1364-34-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1364-40-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1364-41-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1364-37-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1364-35-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1544-10-0x00000000007D0000-0x00000000007D1000-memory.dmp

    Filesize

    4KB

  • memory/1544-23-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1544-7-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1544-12-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1544-16-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1544-21-0x0000000077952000-0x0000000077953000-memory.dmp

    Filesize

    4KB

  • memory/1544-20-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/1544-6-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1544-24-0x0000000077952000-0x0000000077953000-memory.dmp

    Filesize

    4KB

  • memory/1544-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

  • memory/1544-32-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1544-5-0x0000000000400000-0x000000000043A0DC-memory.dmp

    Filesize

    232KB

  • memory/3940-14-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

  • memory/3940-13-0x0000000000A80000-0x0000000000A81000-memory.dmp

    Filesize

    4KB

  • memory/4608-0-0x0000000059FA0000-0x0000000059FC6000-memory.dmp

    Filesize

    152KB