Analysis
-
max time kernel
150s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29/09/2024, 04:26
General
-
Target
fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118.exe
-
Size
226KB
-
MD5
fdcb8216e9c6763907ccf52effdebd9f
-
SHA1
94a6b4810b321ee70bd7540fbe58d26cde1e07ef
-
SHA256
f7a84da4c7b62341792dba8083827f0b573e0c1aabf5f7786fab2215c82372e8
-
SHA512
0e32a961cccbc214dd3eaf32cc5c3fe80eacc291919544fce1dd5e6a6a48d1334c28ce62cfc7f4490ad3d082fdc46eab9fa954cf5d169bcc539ca98e88ef043f
-
SSDEEP
6144:4h5kT3r2Dnua7TK3XCk6+oGMJEEoPNbsTUfL36AK:4Hkj0ECkkGmEDUUfL3HK
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118mgr.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 101683⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fdcb8216e9c6763907ccf52effdebd9f_JaffaCakes118.exe2⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe"C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SystemProc\lsassmgr.exeC:\Users\Admin\AppData\Roaming\SystemProc\lsassmgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 101685⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\SystemProc\lsass.exeC:\Users\Admin\AppData\Roaming\SystemProc\lsass.exe4⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3580 -ip 35801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2232 -ip 22321⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD52fa89bb5ec500c62cc40d5a46a6a8cd3
SHA1ab2c5fed92fb203ff7ca8b3353a9e086377afebd
SHA256bbcea744c5edfaf49d50a046051338c2fc75fd12247ae5997b9967fe3f454543
SHA51241299af72f3f78bd1d82423e36272bcde20441254402b5776537de2d5061d125f80f65bbee07bf5d1609003a784f85caf0e4cadbf91782737ea4aa58a0c51e59
-
Filesize
1KB
MD5888536379d53c4a65132ce4732bd35bc
SHA14f92d7d3f9b4ad25bd63310ef6cacda73e5212e5
SHA256bd2361e7e843948b144686f021e0b08c88d41d4305365b88119f68685a9f9e55
SHA512f2c1022d0a094f1ba8940661d2cba128ec0df3de5159c309f6703e3db7fba49310e70553ea88c5c7dd561d74796cac0a78b077a790f0e287897d51f301900380
-
Filesize
773B
MD5f3551a2c70b1a421f0ddf9306d92a1a0
SHA10dd06c1df1152d7e89eb01651c7fa705f1a40b68
SHA256e963dd65572b7d222abeae3e4829aaa771705ed81d5698262b57453b8e71967c
SHA512abfbe2583cfd003f63140fcd1a32c30923fc0be92e0d57f2207e2788f165f5f27003ea7d08ed5ca9b3cf47c27ee162ca5145dd23cfc85d30a062352210be0098
-
Filesize
145KB
MD5e48d2ddcc94662f0f2c9b755ff3cdbbf
SHA1e8f2ac27485f14f71de0ca89cab37d13cfbef312
SHA2565515536ad41cbb569c64a68afe33357a496fac3951fa13ee61d235d9ebe4aceb
SHA512e49f9546620713440b1f7b7ada543334d4ee9cdd908ce90a040c0670cc80299b32de45e46dc78d79aeec85cfadbb7a0a87835444919b39324b3644e02476ccaa
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
226KB
MD5fdcb8216e9c6763907ccf52effdebd9f
SHA194a6b4810b321ee70bd7540fbe58d26cde1e07ef
SHA256f7a84da4c7b62341792dba8083827f0b573e0c1aabf5f7786fab2215c82372e8
SHA5120e32a961cccbc214dd3eaf32cc5c3fe80eacc291919544fce1dd5e6a6a48d1334c28ce62cfc7f4490ad3d082fdc46eab9fa954cf5d169bcc539ca98e88ef043f
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
268KB
-
Filesize
268KB
-
Filesize
384KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
268KB