Overview

overview

10

Static

static

3

fc7011e1a7...18.exe

windows7-x64

10

fc7011e1a7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118.exe

  • Size

    167KB

  • MD5

    fc7011e1a7b68a722cd0ffcfdad958aa

  • SHA1

    d763006ea0dc38328200f0ca19c62e4a7244290f

  • SHA256

    0ee11c69b43ff9285b9e3b3dc133179f67e4a7b8f6babe97f5060d773441b3e2

  • SHA512

    40421b6a9373e681d8a3e5e5d50fd8fb2e73dc131446c68a167f05326b8ad95c1f51fe1c07fa1da458d67922e561953506a88b1537b23d8012b18a79eb71cc71

  • SSDEEP

    1536:4NpbWTono2PF9yJH9KBjH7ZoSQoL+Qz6AxAvf/PqhXnzyP5xC1VXfbJpeU4KyQ5z:BdKFOoL16AOHHCRQU4S5GBWVLt

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:1172
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 84
              5⤵
              • Program crash
              PID:4204
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4196
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4196 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4472
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1172 -ip 1172
      1⤵
        PID:3384

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        e81809e35464c6a8ccffb00fa7424f8a

        SHA1

        aca926d8ab54a834b33db7c5fb4355287d2cd2a7

        SHA256

        01c74bfb667bcffad25fd994026261a336a8e8dcf85ad629a75c87e838fcf744

        SHA512

        d807413cf4356a8861ae6bbfe5fd2792bdb5b81ec9fe64f6d567e505d001c847d8eeb4bc730599a5428afcf561d35ddf022d1d3079036d65a0e382d4737d5c28

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        9c3cd9c06638684855f5181f13becb86

        SHA1

        08d02e1fda3cd49894c34ee788b1647a6c377812

        SHA256

        441feaaa951784cf991757edbe825fec6ccdfe6afe88b5ff4cd0c77cea86d091

        SHA512

        7c8368469e5f41f9dd03ca0f0e8aa09e370b60014646b7262d8f19b4517cf590e6e882857bd2110aa396f11c26100658dbf395fc821a695b7703f0a1263aac44

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        a026c683b87069c2d8cc87a3296b2482

        SHA1

        fc5c6f8afad8fa3c7fb1aa7b86f2e5179234e5dc

        SHA256

        fda83daa69109368a6db12d2413f4a51270401d22f9c63911cc1def38bd287e8

        SHA512

        0896f0e94dd0631f81e0e392b4d5de98c23a655ced59f3332d8057ae0f3c6bf6e4f71ce0e7adb2aa9977db0bcf48a3c4fd36319700991116d94017f7cbcb8fb9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{449CF370-7DA1-11EF-BFD9-76E8F1516C8A}.dat
        Filesize

        5KB

        MD5

        fdc62de1ff6f15601d42211bb50f9229

        SHA1

        b641629bc5745e9ab38dcc6b0f54be34ae4cd3b0

        SHA256

        80d9b4605f9c1f807bb8b3db66d058e2a8736d5b950efb696517cabac778039a

        SHA512

        9cee48213598168a11fe70f8cc25ec8c1fb756696143b9109b1a0b9bcb6e207bfe71b67b8a22af1672e5f7eff4a48ef60003c2b726e799d3c15e0f2fc70488a0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{449F5647-7DA1-11EF-BFD9-76E8F1516C8A}.dat
        Filesize

        3KB

        MD5

        73627a39946bd60485a3054d487bf4c2

        SHA1

        a1a492036dcc67ee4fe3bf835ce8580af8fdc568

        SHA256

        3620a884145e483a086fd1f755a8935b4a46498e7b32e1aa97b36a244080d9a6

        SHA512

        f1fc003998dbe53378317a7d3276e0411144356cc8a72027bde1a0a6d2b2ee715a9cc7ffe2b62b17e7c2b9a2dc865117cd6d5a6110731724b0cefcb63a0fe52a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver50C.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fc7011e1a7b68a722cd0ffcfdad958aa_JaffaCakes118mgr.exe
        Filesize

        96KB

        MD5

        8c51fd9d6daa7b6137634de19a49452c

        SHA1

        db2a11cca434bacad2bf42adeecae38e99cf64f8

        SHA256

        528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

        SHA512

        b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

        Download Submit

      • memory/1172-37-0x0000000000490000-0x0000000000491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1172-38-0x0000000000470000-0x0000000000471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-34-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-39-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3876-46-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3876-45-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3876-42-0x0000000077C72000-0x0000000077C73000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-24-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3876-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3876-32-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3876-40-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-33-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3876-35-0x0000000077C72000-0x0000000077C73000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-41-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3916-14-0x00000000014C0000-0x00000000014C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3916-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-4-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3916-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-8-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3916-9-0x0000000000400000-0x0000000000435000-memory.dmp

        Filesize

        212KB

        Download

      • memory/3916-18-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3916-7-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4180-6-0x0000000000140000-0x000000000016C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/4180-0-0x0000000000140000-0x000000000016C000-memory.dmp

        Filesize

        176KB

        Download