Analysis

  • max time kernel
    119s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 22:08

General

  • Target

    10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll

  • Size

    120KB

  • MD5

    10af840c6fab21d128bd3358c3d8b567

  • SHA1

    5d714652d10aca293787fbc250c5d4bad14f292c

  • SHA256

    d07b6e32b5993974c5662dbfa6dae23a623cf5f824451336facba3776d1be5bb

  • SHA512

    9db089422b24d5d72662f74a44fe71c31b4c71e14571bd820b427015f16f646c0e2e0ff954581d578d0afac97a8ab46478cab1b29c58bc781c930990e6f0fc05

  • SSDEEP

    3072:N61Ye3TaEu2CoCcn3zO7A4D8Xzd125+kV4m13EaOlfBL:sTa12CoCckAe8jd12FmL

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
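
The "UPX packed file" signature fires on section-table evidence, and the "modified UPX" clause matters because a repacked build can rename the UPX0/UPX1 sections. The following Python is an added example, not the sandbox's own detection logic: it parses the PE section table by hand and reports both the section names and the stock UPX layout (a first section that occupies virtual address space but has no raw data, followed by a high-entropy section holding the compressed image), which survives renaming. The PE images it checks are fabricated inline by a hypothetical build_sample_pe helper, not the sample from this report.

```python
"""Look for UPX-style packing indicators in a PE file's section table.

Added example, not the sandbox's own signature. Two indicators are
checked: UPX0/UPX1 section names (stock UPX) and the stock UPX layout,
which survives section renaming: a first section with VirtualSize > 0 but
SizeOfRawData == 0 (the unpacking destination) followed by a section of
high-entropy raw data (the compressed image). build_sample_pe is a
hypothetical helper that fabricates minimal, non-loadable PE images so the
check can be exercised offline.
"""
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def sections(pe: bytes) -> list:
    """Return the section headers of a PE image as dicts."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return out


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(pe: bytes, threshold: float = 7.0) -> dict:
    """Report name-based and layout-based UPX indicators for one PE image."""
    secs = sections(pe)
    names = [s["name"] for s in secs]
    by_name = any(n.upper().startswith("UPX") for n in names)
    layout, ent = False, 0.0
    # Stock UPX layout: section 0 is virtual-only, section 1 holds the compressed image.
    if len(secs) >= 2 and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        s1 = secs[1]
        ent = entropy(pe[s1["rawptr"]:s1["rawptr"] + s1["rawsize"]])
        layout = ent > threshold
    return {"sections": names, "upx_names": by_name, "upx_layout": layout,
            "packed_entropy": round(ent, 2)}


def build_sample_pe(names: list, packed: bytes) -> bytes:
    """Hypothetical helper: minimal PE32 image (constructed, not loadable).
    names[0] is virtual-only, names[1] carries `packed` as raw data, the rest
    are empty placeholders."""
    opt_size, e_lfanew = 0xE0, 0x40
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(names)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b""
    for i, name in enumerate(names):
        if i == 0:
            table += struct.pack(SECTION_FMT, name, 0x20000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
        elif i == 1:
            table += struct.pack(SECTION_FMT, name, len(packed), 0x21000, len(packed), raw_ptr, 0, 0, 0, 0, 0xE0000040)
        else:
            table += struct.pack(SECTION_FMT, name, 0x1000, 0x30000 + 0x1000 * i, 0, 0, 0, 0, 0, 0, 0xC0000040)
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_ptr - len(img)) + packed


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream) standing in for compressed code."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


if __name__ == "__main__":
    blob = pseudo_random(4096)
    print(upx_indicators(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], blob)))   # stock UPX
    print(upx_indicators(build_sample_pe([b".text", b".data", b".rsrc"], blob)))  # renamed sections
```

The renamed-section case is the one the signature text calls "modified UPX": the names give nothing away, but the virtual-only first section plus a high-entropy neighbour still does. Treat the entropy threshold as a tunable; compressed resources or embedded certificates in a legitimately built binary can also score above 7.0, so the layout prong is an indicator to confirm with unpacking, not a verdict.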

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 224
        3⤵
        • Program crash
        PID:2200
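
The process tree above is the behaviour to detect rather than any one hash: the 64-bit rundll32.exe relaunches the SysWOW64 copy (the sample is a 32-bit DLL, see the arch:x86 tag), that copy drops and runs rundll32Srv.exe, which drops DesktopLayer.exe under Program Files (x86)\Microsoft and launches Internet Explorer, and WerFault.exe then reports the crash of the rundll32 instance (PID 2172) that did the writing. The following Python is an added example, not part of the sandbox report: it rebuilds this chain from constructed Sysmon-style process-creation records (the pid, ppid, image and cmdline fields and the benign iexplore.exe launch are assumptions modelled on the tree above) and flags the parent/child links that make the chain distinctive.

```python
"""Reconstruct the Ramnit-style process chain from process-creation events.

Added example, not part of the sandbox report. Events are constructed
records shaped like Sysmon Event ID 1 (pid, parent pid, image, command
line); the PIDs and images mirror the report's Processes section.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\10af840c6fab21d128bd3358c3d8b567_JaffaCakes118.dll"

# Constructed events: the report's tree plus one benign iexplore.exe launch (PID 4100).
SAMPLE_EVENTS = [
    ProcEvent(2528, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2172, 2528, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3028, 2172, r"C:\Windows\SysWOW64\rundll32Srv.exe", r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    ProcEvent(2340, 3028, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    ProcEvent(2396, 2340, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(2664, 2396, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2'),
    ProcEvent(2200, 2172, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 224"),
    ProcEvent(4100, 1500, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
]

# Chain the report shows, child first; the WoW64 rundll32 -> rundll32 hop is allowed in between.
EXPECTED_CHAIN = ["iexplore.exe", "desktoplayer.exe", "rundll32srv.exe", "rundll32.exe"]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events, pid: int) -> list:
    """Events from pid up to the root (child first), guarding against ppid cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_ramnit_chain(events) -> list:
    """Flag the three parent/child links that make the report's tree distinctive."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name, pname = _base(e.image), (_base(parent.image) if parent else "")
        # rundll32.exe spawning rundll32Srv.exe: the report lists it as a dropped EXE, not an OS binary.
        if name == "rundll32srv.exe" and pname == "rundll32.exe":
            findings.append((e.pid, "rundll32.exe -> dropped rundll32Srv.exe"))
        # DesktopLayer.exe running from the Program Files (x86)\Microsoft drop location.
        if name == "desktoplayer.exe" and r"\microsoft\desktoplayer.exe" in e.image.lower():
            findings.append((e.pid, "dropped DesktopLayer.exe executed"))
        # Internet Explorer started by DesktopLayer.exe (flagged for WriteProcessMemory), not by the user.
        if name == "iexplore.exe" and pname == "desktoplayer.exe":
            findings.append((e.pid, "iexplore.exe spawned by DesktopLayer.exe"))
    return findings


def has_full_chain(events, pid: int) -> bool:
    """True if EXPECTED_CHAIN appears, in order, in pid's ancestry (extra hops allowed)."""
    i = 0
    for e in ancestry(events, pid):
        if i < len(EXPECTED_CHAIN) and _base(e.image) == EXPECTED_CHAIN[i]:
            i += 1
    return i == len(EXPECTED_CHAIN)


def werfault_targets(events) -> dict:
    """Map each PID that WerFault.exe was invoked for (-p N) to that process's image name."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for e in events:
        if _base(e.image) != "werfault.exe":
            continue
        toks = e.cmdline.split()
        if "-p" in toks and toks.index("-p") + 1 < len(toks):
            target = int(toks[toks.index("-p") + 1])
            out[target] = _base(by_pid[target].image) if target in by_pid else None
    return out


if __name__ == "__main__":
    for pid, why in find_ramnit_chain(SAMPLE_EVENTS):
        print(pid, why, "full chain" if has_full_chain(SAMPLE_EVENTS, pid) else "partial")
    print("crashed:", werfault_targets(SAMPLE_EVENTS))
```

The benign launch (PID 4100) produces no finding because its parent is not DesktopLayer.exe, and the WerFault record correlates the "Program crash" signature with the injecting rundll32 rather than with the dropped binaries, which is worth keeping in the alert: a rundll32.exe that crashes right after spawning a dropped EXE is a stronger signal than either event alone.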

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

          Filesize

          56KB

          MD5

          83f5a64a268f21c7c6d6dd54ce8a88c2

          SHA1

          61376a625d7d389c5c1646aa534f1ef3135da2f4

          SHA256

          c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c

          SHA512

          4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          309169894c830ed6fb64ebc85c18492f

          SHA1

          e436ecbf5fb3a2428976aa066755b1f38abc9d9a

          SHA256

          7f207c9d2cfee045196a287fa5a8274a6e4be9e23a6afdb0c23b6e7612ecc9de

          SHA512

          08580d75f9b838d38c40ca3a190445bf9de22f648eafe846c59e4d71b23a108702309a48feba8c2bb0b44e9da616f876e784c038ce14c443d0bae4bde366c2f1

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9974d336ef117b5cbcbb8b37b2cacf7a

          SHA1

          0036f0e55c1753d47e4ae1813a3788f884d0dee5

          SHA256

          f7177d6690379f41505d8eba942439ae4d25f095186a7cbc775aa419243e01cc

          SHA512

          6af3241f08761f6778a0811ef1d1ab9c7546febea9e9829e1842915569af6f693f1e62cf597551cf119104fc5ced02992023192ea04c4858fbbf613523babb1b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          791d58fde355e361eebb34558823f0f4

          SHA1

          38f236e3c2e8c1f26fb5876bf3bc0e7b016065e9

          SHA256

          4c2a5b5f6449d7410a62909648b41cc55f4b7e0b634148214965a0a9734ff466

          SHA512

          3c902d54e7957e83e34c0736a06b74586fbffcbcdaaba92f8dad91b9dca58b1e72102fed554905fea5f50f2397e8bd6f134d0fccc320d6279733fa6c0a5c7df6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1580179cfa11a5ea4248ddd8eed36fb0

          SHA1

          6f58c54ee20209ddcb0beb9635369f6dcf64f48f

          SHA256

          144035a95c5cef1e31eed814a6631ec4d7aa0e7bcc7aca5c7f721ea4485cdac8

          SHA512

          95cb626ebc7ab6ffcb56974826304072d26fd648fae3f9a5655f7b0644e499f809d18a3b4626c2aa0b788368c8a262d62c420aeed519ff9e7d6249d203421052

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          9449fd0439af3c5694858b01da66b4ae

          SHA1

          095395c01bca329d08f1a602d34f3543883b5dde

          SHA256

          53fdca380a0f5b360f2534683e77a4e4abfd088ace768777021ca19a91123785

          SHA512

          8dc26eb9e1688360bdee371c41ff52d4305035c8ab9f7176f5468d228372d8b4b997cb92d6fb850c30ce72425f334e1cedf2164f43183befc1b2f7fa06f9d9ed

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          92463c7b709217a25d4dd6d7e84a5d9c

          SHA1

          4f51ac8a7a91c78ca07985ca5517618e4ef6ab82

          SHA256

          d222d30bd9c6189585b6087bdfca30c3eff00f11add8e14c01b2cbf8f0107dd0

          SHA512

          f3ea7aaf6ca1fd17021ee45b9aa4917a7461b8279bb36b097392c114e3c344658f04fc499bd7f160f9398f74b60af7396280bb3806a6d87af8353720aa4898a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7d0b3126898d2eed414650b8f6bab41c

          SHA1

          d9431b7a3b66bdde2ba5d48aaf296e7c1c62c0cc

          SHA256

          3c4109b19a0b8a85b0ac8a6eb1d208bb4d03f7996b0b61f031624a96aba2ba25

          SHA512

          144b3a152884e3c755397703e6d9615cafc2a4036d080f76d384b526465928aedd9f28f381da48a5fdb11292af6619dc55647f467c12772db8dd70470ead18bd

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          562bafbc0a1dff46a7f6f37af3a3b9cd

          SHA1

          43b501b9484f7ebe6a59c61e18a22dba15849294

          SHA256

          be4703f7d85c8ee538b0bf2465f2cc13c3216c57e643399410a42d77cf36024e

          SHA512

          6df8682b9636c32d6d2ebf9a531a328db5f10d5ece99e8e9e736fcaad24b99e0fed11651c4a3a232721ad8312739b6f074d7e5a49c41e607f1cec5d65f9825e4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          55e6e63895f7a7952f2a6c9997bae7cc

          SHA1

          37ff66299d6609949f1be24e74ec770c088ca886

          SHA256

          69e9a468e954cfe10abc7b522e77acb547c849ac2614f641e58582bebb06b1a1

          SHA512

          7a3d646490db4b4e899c69a0828620a35df608a52efc7d161a60abc004d97efda9edd21d4e8c76df6e973d377af3ad8196bc858971eb8379b6bf691e74bf4f6b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          99f670a11990697fd1c7b65059eca2b3

          SHA1

          ed674e52d86d1d641a47cd6046c4ced66587320a

          SHA256

          7a91e6f9c947573f515689dbb68641a064d675df15551b4d047a3290033c37c5

          SHA512

          5ba864df72f0a91ca912fc812fc295159f35b940d1867e418e59549379daeabe41c5fc464836ae4957caaf3569bfde4fe7e6c67151035154528601be9b6170c2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          604f99bf902a12f730c73e3252968ca2

          SHA1

          860be4fab8f90fe5ec0495c2a5a33875ba969c0f

          SHA256

          fff264ba0336981d4988337fde9f7b1944c5f9545c1d36488725148794d1b393

          SHA512

          ff50f2a2e4239b5905b9ac2de2e00ab1e04b8cdee000cce64b3c5e964b4b9b8f1c58df85c28ddf9058515910a8e0557ce4da9e956499b2f72292df77d236b200

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d2666768f469fac3e52a74c67057dbbf

          SHA1

          2f45d29ac335025fe97c2752a01c7c065260998d

          SHA256

          638aa4bc2cd8450ca8f194080e26e1afeb29164c1b8f888c58d1e958709ab5cd

          SHA512

          84b0096413e2b6cdfbb95238ad1dcf8339251e545cc552175c0c7d7f8bf3e4f1e01d09f744484b9dcfd1ec181fde7c83c3e7f311ccab7fab4d8d87eb734e1d35

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          702330b0ebfdc0000a1b5275b951dd01

          SHA1

          785b86ae19e4d3b3aea888391b37145e403b9896

          SHA256

          ce7297b0198d69e3b2fa5fa7b626837fc7c31b7e8fb298785c5c7a0ee16e9ce9

          SHA512

          99acfcf6022b9993c9952258afe7fb214ae78674cd9110e9d3c714b1254a50513e855b0eec5e9888166956212404c2527a0baa84ef9157959b7e984d03d47c33

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          dd9436410d93142bcecdf6ac45acf2b0

          SHA1

          2f8c3ae1fd9237ff5ba87969a22df45c726bbe31

          SHA256

          fd4830b2a477a18327c7d383b10eda55d7a0af05ae1b672fc4322705598c3b56

          SHA512

          2815924320aaab5183fc051470649cbf15a643205c640cb41642dde4f7ee0ee21697b197883d5eaf87ca0cc6eb84285e40ee9ccfd8f57c2ab2ce9cfc158385fc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          22e1cde03bb37d433ab551e164fdd588

          SHA1

          bbff722901a2f1057c5f359da791227093c2377d

          SHA256

          1a45442a0c4a54203285e0d75a5b34bd35959bfea42d3280d93c6f1bec316435

          SHA512

          fe29d5f1bd2055943dff481f1d0883c5e0239408075fb843465bfae4d194a0bd7355c0d798730abc080cb74fe7515910144f5c2eb0c8fac0d17c3a0c07c82807

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          455c3e4d619e61c49b4547b8167c40a4

          SHA1

          a00b868d9429dee292593f879c8e44d3ecd44852

          SHA256

          060124ee8fba1c16ef7380b120fbb05122e0948751daf263b0255f1fb767dac1

          SHA512

          3465135d89d2cab6c94f6316504e77f85a5b0a6c79d663c106b4be4a2831a582ea528f0c3ae10aac7ae4c0745f213d9e520530b7b886b27d7625ee07ba3f3f19

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          0687570c16bf6481048ebf4589a8fbf7

          SHA1

          06a439746355f3ccbe4ec0dbbcfcb11134e4232c

          SHA256

          9bd33f62e543571aecb1848c138f7761731b52da3c894c28f774c6c6c1e592d3

          SHA512

          41f093df8339f584c7b5aff04e5f8b6875d61ad71f7dc5f378f46ba459312aae20546959581785d8ef0542972a4ed450fc9299372e86248026f523dd3056cf5e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3ea598a1bbb0c970977dcf698792e3b4

          SHA1

          8618b297b703ef90d533420cf6c911a9a784d88a

          SHA256

          4408913d599c6d9f8676dae94f5da8082badda14a8e5a9e5f749fce7d2ec5ff0

          SHA512

          b1f77670801d2d349a9acd9ccb0c49ade1f54c98b5058e3e08a8cd692d131d0c7480e54198b7ad253589cabcc916491175404e3bd8c96f94e36b57288f1e1deb

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c9a63928539edfec08cbaf08dc61a9e7

          SHA1

          ca8683d101e714f37666c3c25dc3f6fce7e476b0

          SHA256

          bf3c552372dc93fd64bc01d3ce0e1295affe1ca401ef9239473c586dc518bae7

          SHA512

          c48f6ad2fbaa2bdeae8c2b7a6dc5e577499f67236468df0f1b4f1015c44019f7a0a2e3bc21015002dc7c3780315dac4eabddee22cb168f44c350780df8efb907

        • C:\Users\Admin\AppData\Local\Temp\CabFC0D.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarFCBC.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • memory/2172-10-0x000000006D100000-0x000000006D11E000-memory.dmp

          Filesize

          120KB

        • memory/2172-13-0x00000000000C0000-0x00000000000EC000-memory.dmp

          Filesize

          176KB

        • memory/2172-21-0x000000006D100000-0x000000006D11E000-memory.dmp

          Filesize

          120KB

        • memory/2340-15-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/2340-19-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/2340-18-0x00000000001C0000-0x00000000001D1000-memory.dmp

          Filesize

          68KB

        • memory/2340-17-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/3028-12-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB
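
The dropped-file list above is most useful as a sweep list. The following Python is an added example, not part of the report: it walks a volume root (a mounted image or an offline copy of C:\) and reports any file that sits at one of the drop paths from the Processes section, carries one of the dropped file names elsewhere in the tree, or matches the report's hashes for the dropped DesktopLayer.exe. The tree it runs against is laid out by a hypothetical build_fixture helper with placeholder bytes, not the real payload, which is why the path hit shows hash_match False; that case is reported on purpose, since hashes are variant-specific while the drop path is reused.

```python
"""Sweep a volume root for the files this report lists as dropped.

Added example, not part of the sandbox report. Matches on three things:
the drop paths from the Processes section (relative to the volume root),
the dropped file names anywhere else in the tree, and the report's hashes
for the dropped DesktopLayer.exe. build_fixture is a hypothetical helper
that lays out placeholder files (not malware) for an offline dry run.
"""
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Drop locations from the report's Processes section, relative to the volume root.
DROP_PATHS = [
    os.path.join("Windows", "SysWOW64", "rundll32Srv.exe"),
    os.path.join("Program Files (x86)", "Microsoft", "DesktopLayer.exe"),
]

# Hashes of the dropped DesktopLayer.exe from the report's Downloads section.
KNOWN_HASHES = {
    "md5": {"83f5a64a268f21c7c6d6dd54ce8a88c2"},
    "sha1": {"61376a625d7d389c5c1646aa534f1ef3135da2f4"},
    "sha256": {"c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c"},
    "sha512": {"4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1"},
}


def hash_stream(f, chunk: int = 1 << 20) -> dict:
    """Read the stream once and compute every algorithm in ALGOS."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: f.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def sweep(root: str) -> list:
    """Walk root and return every file matching a drop path, a dropped file
    name, or a known hash. A path hit with hash_match False is still
    returned: hashes are variant-specific, the drop path is reused."""
    wanted_paths = {os.path.normcase(p) for p in DROP_PATHS}
    wanted_names = {os.path.basename(p).lower() for p in DROP_PATHS}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            digests = hash_file(full)
            hit = {
                "path_match": os.path.normcase(rel) in wanted_paths,
                "name_match": fn.lower() in wanted_names,
                "hash_match": any(digests[a] in KNOWN_HASHES[a] for a in ALGOS),
            }
            if any(hit.values()):
                findings.append({"path": rel, "sha256": digests["sha256"], **hit})
    return sorted(findings, key=lambda x: x["path"])


def build_fixture() -> str:
    """Hypothetical helper: constructed tree with placeholder bytes, not the real dropper."""
    root = tempfile.mkdtemp(prefix="ramnit_sweep_")
    for rel, data in [
        (DROP_PATHS[1], b"MZ placeholder standing in for the 56KB DesktopLayer.exe"),
        (os.path.join("Users", "Admin", "Downloads", "DesktopLayer.exe"), b"MZ placeholder copy"),
        (os.path.join("Windows", "notepad.exe"), b"MZ benign placeholder"),
    ]:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for finding in sweep(build_fixture()):
        print(finding)
```

Point sweep() at the root of a mounted evidence volume rather than a live C:\ where possible; on a live host the dropped DesktopLayer.exe may be running and locked, and hashing every file under the root is slow, so in practice restrict the walk to the drop directories and user-writable locations first and keep the full walk for confirmed incidents.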