Overview

overview

10

Static

static

3

dc94d88ee9...18.dll

windows7-x64

10

dc94d88ee9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc94d88ee916de48153c4ce1944495ff_JaffaCakes118.dll

  • Size

    200KB

  • MD5

    dc94d88ee916de48153c4ce1944495ff

  • SHA1

    210675e4bb0eedf2d927330c0d41e2cd37a4215f

  • SHA256

    fede4c902d9c0333b30d24922c4c504704c4a8dfad5f7acf24ffd37076d03fca

  • SHA512

    68dfc69c88c0a9d3441fbd268800ded716e6bcda767c5ce5a7b34c39055cda0decc008b247f6720950352a75259013ed226910f52c4eb1ec66ccf80acf796623

  • SSDEEP

    3072:wXh8VGYR5ASPRElbLwOKKmRVQhOcAhYKMcgwgXFu7GqaX:wXCVGrS5iLwOrUVQscARUw8Fu76

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc94d88ee916de48153c4ce1944495ff_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc94d88ee916de48153c4ce1944495ff_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Local\Temp\h5qF0t8aD
        "h5qF0t8aD"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:2108
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 204
              5⤵
              • Program crash
              PID:2900
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2004
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1652
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17416 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2616
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            4⤵
              PID:1572
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 208
                5⤵
                • Program crash
                PID:1788
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3600
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                5⤵
                • Modifies Internet Explorer settings
                PID:2472
            • C:\Users\Admin\AppData\Local\Temp\yjopxopvgmooihwk.exe
              "C:\Users\Admin\AppData\Local\Temp\yjopxopvgmooihwk.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
        1⤵
          PID:1744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1572 -ip 1572
          1⤵
            PID:5068

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            2f8846f8a108fd0d20fee7d431aa16f0

            SHA1

            b14aa84a60e9d582a2332d085938efba97193eec

            SHA256

            97de568fb14eb627a9999cb64dfae568cdd6fadf1718ec67b14082588445f531

            SHA512

            c718a566b155af6d078f45c632184d8cfed5d2a42e633f6b22dbbb02d887c539cdcf78baec47d9d99e0905b4c6a60fa57f3edc3deaf1389a37f9d63bda1322f8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            77e94a9a9a42b5b1a0d26b533b6df07a

            SHA1

            a200ca40a5172d42697fc01eadcc3414615237a0

            SHA256

            24ba24d36563b6acd40ff2e2537753e50c9779d11a0ab21f86ebda78c1fc2bcf

            SHA512

            744c84fefd3e4658b02cc1a682a58a7eb818f63a225b8acc6caabe4816ecc6492c373fb6be8b40979a5c1f2aa071e48b8f3cc7c23daaf25ef41751e8b0f06fed

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\h5qF0t8aD
            Filesize

            95KB

            MD5

            728a53df2a3d2f5307fe1cc77179d2a5

            SHA1

            a3c9de63748878de218c872e97eef0de767df853

            SHA256

            d9ee5d0e2dd387be3a501cc88cb2b2b310016cdedd7a83be402c203e4dc76e9e

            SHA512

            7496a435296ca0b08b554fb779ab3eb6709064a480a93e6f948f14a072cfbc1fe7e7ac8a31ea572b7a9910ad6b3d6e2019993bfd609d199cefd61c609c7fe893

            Download Submit

          • memory/804-12-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-24-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-4-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/804-43-0x0000000000400000-0x000000000043A000-memory.dmp

            Filesize

            232KB

            Download

          • memory/804-5-0x0000000000400000-0x000000000043A000-memory.dmp

            Filesize

            232KB

            Download

          • memory/804-15-0x0000000000400000-0x000000000043A000-memory.dmp

            Filesize

            232KB

            Download

          • memory/804-16-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-22-0x0000000077E52000-0x0000000077E53000-memory.dmp

            Filesize

            4KB

            Download

          • memory/804-19-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-23-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/804-10-0x00000000005B0000-0x00000000005B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/804-25-0x0000000077E52000-0x0000000077E53000-memory.dmp

            Filesize

            4KB

            Download

          • memory/804-7-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/1504-0-0x0000000010000000-0x0000000010036000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2108-14-0x00000000009E0000-0x00000000009E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2108-13-0x0000000000C40000-0x0000000000C41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2308-44-0x0000000000400000-0x000000000043A000-memory.dmp

            Filesize

            232KB

            Download

          • memory/2308-45-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/2308-50-0x0000000000400000-0x0000000000439F6C-memory.dmp

            Filesize

            231KB

            Download

          • memory/2308-49-0x0000000000400000-0x000000000043A000-memory.dmp

            Filesize

            232KB

            Download