Overview

overview

10

Static

static

3

75ee786c8e...18.dll

windows7-x64

10

75ee786c8e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 22:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    75ee786c8eac2a8ed9535fb3cb370302_JaffaCakes118.dll

  • Size

    166KB

  • MD5

    75ee786c8eac2a8ed9535fb3cb370302

  • SHA1

    4a6d663f02c6d03297ab0dbe269ed40aa2f03be3

  • SHA256

    36bf88679617bc147c69bc06ec8bc190c6bd6f76e53ce9540e473b502445164f

  • SHA512

    3513f2e7e72d438c278d677a3a8ee550e52e7b0bba481373bd660387bbb88ccb9f36431e7def85900eba851e099a2cdb1c28492be947a2fd4e90781c65891fab

  • SSDEEP

    1536:Q5lTUKCYmCgV5bT/2d1QYePvaLj30b9KVv6q7pbhD3fdaAsU3wNBz0K9X:uTU56gVxj27NePy330wN6qb3MAxwgK9X

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75ee786c8eac2a8ed9535fb3cb370302_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\75ee786c8eac2a8ed9535fb3cb370302_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:440
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 84
                6⤵
                • Program crash
                PID:5040
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1064
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3360
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2080
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 440 -ip 440
      1⤵
        PID:3976

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              39a3aa70f48928596cfcaafd4bbe1148

              SHA1

              ffe5eb6c3cdb6bb13fb80eb5127d37f39bbf8e74

              SHA256

              2b6b8ae7ca7d85d6b3dc6c97ff8f1994b5db0fdfdfc76a9192f24a984f4e1c1f

              SHA512

              c0c9994797329e123ac8b32e5571487a9490f30e4e7bc0083921cfabb0ff7f041a05b80e469be177ae1b5ea665880d6ea07ecfcf59480753557765f008088252

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              404B

              MD5

              354136d6dbc82558fe6d3dec46af82df

              SHA1

              0dbd1664092673c3fb0677234128d6c0bf7dab47

              SHA256

              286cdff3a4ffb1c477370c091689a3ea0d84fe3c9ec249ac904fc5972d8a94d7

              SHA512

              a96f9ba5b20db6cd8f035c8d77ecb8e21ce58cefe1e640b46c6f38c60a5f3e5f2aa92e29117f8abb9e103ce7e5796b117ccc480102584b7f2410284d68b9ad65

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A497D1F4-4C20-11EF-B355-D63901C91A66}.dat
              Filesize

              3KB

              MD5

              65dfb37773aed515c3c9fda061cb6d4a

              SHA1

              a0cd3e3b3fa85428b3fee7d36ed22319889bd1c5

              SHA256

              3eae574062c17553490446d96757e3514e46d31a8c07f73710845aaf2165efe7

              SHA512

              6c1eadc0392c6f19b84c7a1fbd8e4aa15455d409e953a5a2563fabc9d21034de0e7255a8cea4ccfa11f67f638dfb84b3eabdf7af59d5746d8d51bf06d84c96d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A49DDC29-4C20-11EF-B355-D63901C91A66}.dat
              Filesize

              5KB

              MD5

              9b6c507739ef071ec021a0ef2649bfb1

              SHA1

              f774fe053cad6c8e78563c19b8c1ded5dd0443a3

              SHA256

              c97bb7d297f73ca46ac5c37359204a3339c92041920bea6e85bf710d860adbd0

              SHA512

              b2742c3a31bce7efbcfd46dbcd6098d29740cde07afcc5824d5ae5ddacb81c4906948ac9ddadf78ea0db1db1427717cdd9241a65a8967b12c58570ecc1d1494b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver34E6.tmp
              Filesize

              15KB

              MD5

              1a545d0052b581fbb2ab4c52133846bc

              SHA1

              62f3266a9b9925cd6d98658b92adec673cbe3dd3

              SHA256

              557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

              SHA512

              bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\suggestions[1].en-US
              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

              Download Submit

            • C:\Windows\SysWOW64\regsvr32mgr.exe
              Filesize

              96KB

              MD5

              8c51fd9d6daa7b6137634de19a49452c

              SHA1

              db2a11cca434bacad2bf42adeecae38e99cf64f8

              SHA256

              528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

              SHA512

              b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

              Download Submit

            • memory/440-35-0x0000000000970000-0x0000000000971000-memory.dmp

              Filesize

              4KB

              Download

            • memory/440-36-0x0000000000950000-0x0000000000951000-memory.dmp

              Filesize

              4KB

              Download

            • memory/632-14-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-32-0x0000000000401000-0x0000000000405000-memory.dmp

              Filesize

              16KB

              Download

            • memory/632-16-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-19-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-15-0x00000000008C0000-0x00000000008C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/632-10-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-9-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-8-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-7-0x0000000000400000-0x0000000000435000-memory.dmp

              Filesize

              212KB

              Download

            • memory/632-6-0x0000000000401000-0x0000000000405000-memory.dmp

              Filesize

              16KB

              Download

            • memory/632-13-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-11-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/632-4-0x0000000000400000-0x0000000000435000-memory.dmp

              Filesize

              212KB

              Download

            • memory/2296-28-0x0000000000400000-0x0000000000435000-memory.dmp

              Filesize

              212KB

              Download

            • memory/2296-38-0x0000000000070000-0x0000000000071000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2296-37-0x0000000077D42000-0x0000000077D43000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2296-41-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/2296-29-0x0000000000400000-0x0000000000421000-memory.dmp

              Filesize

              132KB

              Download

            • memory/2296-31-0x0000000000060000-0x0000000000061000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2296-33-0x0000000077D42000-0x0000000077D43000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3644-0-0x00000000756F0000-0x000000007571C000-memory.dmp

              Filesize

              176KB

              Download