Malware Analysis Report

2025-08-10 14:19

Sample ID 241003-1l5hnsyapl
Target 109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118
SHA256 0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48
Tags
ramnit banker discovery spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48

Threat Level: Known bad

The file 109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 21:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 21:45

Reported

2024-10-03 21:47

Platform

win7-20240729-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1B9C.tmp C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434153781" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5D63811-81D0-11EF-85F9-DEBA79BDEBEA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2188 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2188 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2188 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2384 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2384 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2384 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2384 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2800 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 2896 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2188-0-0x0000000000230000-0x0000000000239000-memory.dmp

memory/2188-2-0x0000000000400000-0x0000000000413000-memory.dmp

\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 109cfc09fd1bf2dd9c1e05c681e5a7f7
SHA1 9c5d91f9ad9e1d14676e7ad194a72d9077d2ee77
SHA256 0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48
SHA512 8012e00d69acaf133aed58033bc1815650cab3330464fc7eab2f034bedb10110210bd6e23cb30af822c46038d08d39e993cf15f3a1a3b81a03cfb27963f77157

memory/2188-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2384-13-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2384-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2384-15-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2384-14-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab30F2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3153.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1eaa53742a4056a8003bfa8af37671a9
SHA1 865146df1be18053bee6c5c42d5b86dcb4bac800
SHA256 fef5f359c6fbe13379bb2549aa24d89d245c14faef570c7e03a1e1b3e9fec532
SHA512 35aad28a76453ed59cbebd38d56d34ecc0759eb5f23e65e594ab3ea22ffd574e46633619c5a5e8903bebb9effed5a05041b6a639abee3fba5ce317410a8cc362

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee10e5444cf855a9086d79e09959b65c
SHA1 c2d8718fb3456c2563acf147ccf7038139b2a0c6
SHA256 2328931f8980bc3473a7ae4dda8eaa2e550aaa2d0b03d40af51447ab98e47867
SHA512 122f723fdced89b308b3d0a275362e398826291d4b5a952fa14be976890dfd0b53c0673fcfd7039c6b663268c6c57b8afff5ecd1981e9ea5e8019cc46262ff43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2898ab9b6f96df84dbb70e1bf88b7c5
SHA1 2cf7ca36d6299fcd47c96418d0294de92612ae99
SHA256 a5a9a5de3b139d3eda9ab02c931f47a189fec16e1b988f3a0cc7377db91a94f8
SHA512 016ee3f21ded906b0ed5ca2e089939b0acfadf0e585fc874bb0e9672f8696bd727cc3fa2c71f8fc09eb334b68e11406599e360945ad45decff1a037e5f52ac16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29f1312c0be075ddc3c991c22a492aae
SHA1 643e0edf1f5b14309d4d8eeef4fd7c2f810e39be
SHA256 2c67f7bab9b74a96eab556062c8e7cb1d07915775ba7fbc3494d54cf2b386892
SHA512 a94c577f73489d8a0f66302f704730b14bc1b90eea0d272cf6c7173bb36c1ecb8db2ccb586a56d081c8ea9b8bff732862a88288b4c26a8fb4282c718ad4213a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd233bb6bdf173dbe6264654a6c99165
SHA1 1b32df3154eddb83dfb80447ffab195ddfad9bef
SHA256 2d00c58e6fa6beca0372d5a06f3f8fb7484ecc83b45b2154ca73d23f0cd905d7
SHA512 42e2b7633a7743af8db780d0a142d35108b6d2cd90b5c9d45beb79eb871aecceac9b571bb8cbbf1f42453611face43e0b3c1e748364b84ac4acabe3ae90405b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6385b707fce884a78997f34460da587
SHA1 ec473b75894c598db49f1f23ed141a05a1a990ff
SHA256 4f0da0e014be72461bd5ab3dc0d08e4b1a8b2b003c5de9471ae276e53e11aea4
SHA512 3099be575f612ff879964e0d332a110f8969a014a17d03c7823b1058454ed1f83fffa13c77cf14a91e33cf8f5dca2c43e8e55938cd520bc26d1b90bc92cb7506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 884f85d025f1d4fa6796f5f561e1af11
SHA1 e464963254688b6a5d1e32cdc073f3da178b5744
SHA256 bbec41a65b90bc96fb1886bc8e9087ae2725e268eacbeb84c0cc873982b60fea
SHA512 176dead7b21b4fabafa2333027083bb48be32edfd3c9e5522d90f8c7dbd62528c2d44c8315c7f2b6a36bcda1dbd00be025a8e29e1c1da53da4f3b74919188a0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7664851570469169fc4195249f942fc4
SHA1 54cfae2195321a2e0eaf2b19db1819291b019225
SHA256 ed6d52621056bdf245cb8712460cd9eaa2573cdf15fb941f4a829f43289609e3
SHA512 5dc821a33660342d7162bef38722ca724f2cb5b889be3d972fbf86612fbc1f7fa6982170018e3c5dced699ff746377dff690d1569012360d0b940245b19f1f63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10cebf3c4d602b154678e1bbf1a886da
SHA1 32ad3739c183dc5825e2af298c1f50e570b05df3
SHA256 f2bcfc34078a684720b27e247e3103204ac0af90015e6680a640f65d8889c59d
SHA512 c6b503de0adfaae044b9df4293158aac91168e1ae9a7e74dc4289a8e88b62d1a2cdf1d401a4d9dd06219dde51fde34f2b394669c902f46e44f3857e3e9194090

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a67b579449260c27d7e984b718bc184a
SHA1 d965c0b6daa4de99127d8f98a96b1da9912074d6
SHA256 b3ff5628152cca2dc6d0dfd53426017c6f509307e678405311e3f4a68d6d7ed2
SHA512 76ac9d6cddd3f0d9b708bd09eebfd3fa5b14d561e0ae4883043cc5817825d2797acaf69dc0f1e55743409d4e4ff00239eb63f2637f3ee35029045193a1c90ede

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 453376b070da362609b639b4dd56b55a
SHA1 105b257a1fcecff3ce49595bd93fa14383b52215
SHA256 0b0ead55b11fd65b79e0d3a23d472a674fbfcc56bf30d48185f2e0dedfdc47ee
SHA512 2784b38983130de87a09b63259bae6068143ee08af445039094d595983dac288f5bc5763880b53ea055ae439d4841285ab944f1e9215a9b446d9649a42a4491f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61bc83f00c113adce140f4324d0ca828
SHA1 8e299246997188cd94211642cca8b876c7f9fd94
SHA256 50df069606739003bdc4f3d443d2e6fde0df0244f41ba496569458e296c3492f
SHA512 398fafbf27c7fc6dcf86757c59ea04ffd1e53c6b73b52fea2aa841f481887765979ef7d7b62b7bf94ee2aec3f769397c24bafbaa43935db18bd3121b23eb99fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adae2902f4c9292d4c0040e6aff4851a
SHA1 d1739791f6a52dfa339b64fb40a3131f04c42caa
SHA256 2936762ff5cadd0e2effd8ef1b65aadb6dc0cda92ee05e10f61bf8cf504c399b
SHA512 da83213c82128a92d97fae5504bc0bcca39f61dd50520db923770279c19d76d95c433a596a3b57fba9c5ac6d28450b9aa8c59ab4e6701587f107cfda53f3ef24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd286439db4e9dd098bb2b3d7111db89
SHA1 7ff88eed8566f09ec1fa371caae11252d90202c5
SHA256 cd989b09554c6e47f4f29b22bf465ddafb98e2ed213c2b394c576f113b28d83e
SHA512 ea75b652cd24c371bdd02186a2a654eb07fc28da1dac416bd856d613b3b992cf854837ac6cc5feb153a93422528be47a335a45b5a343a9485cdccd1d6af0ea8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dbcebabdef361ca063349ea1767368e
SHA1 1a2f17d23e45056468cd6acaaf1c7bd76756cd9e
SHA256 d260ddb55da4d2c4239c74b6e1fd0ce6065f834c61a60b3765f50db634879caf
SHA512 5c20ed654e3492b89a666fa95247d25daa65e4770f444c6fb637d05aa162579a80530c2522eff5de9e1549bd2b0248282c13756dbc69ccf54da3cdbddb4c72f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d82b30a6286e2508f9513a3bdf5f544
SHA1 f1dc1b1356a430833c8adf4b259d7ed1adbcfe5f
SHA256 28fc682522cad5f975fc111f9b17bc15fae51bd18f6d63523fce001db762691a
SHA512 e804383abdb93792a1689129d6033094445266ae2e3e94d65e2e12eeabf4abafaf9a649526fccf1db119863492b319fbc6317bf98b56b6bfa4df9a9b2ad06ec7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6593c60b7dc3225fb1a8f001c677aef3
SHA1 11f83db994c7392363155b6ec6132f7f4d6d066b
SHA256 0fc5cc2ff6ac6900496f5599cb818bf3ed5afac4a41211df6eb4874b15b9811f
SHA512 787cecbc6d4a849551645ff73b004856a749f69b004ad261b06372bf4051b6534c2711f2c5f349f5d8b4f73f622c7fd22c51536f68e01987d6e9792ec370713b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42a85491986d2f49f051b7cbde15a9d1
SHA1 097a33aae10ccf7bf99daa1e7207af737e322dbb
SHA256 8fdad219767dce223c6fcab79684bfe433279dd4885c184393f4ac7a1acd04aa
SHA512 aa1ef728d4287ced8d014be8c83e471dded0fbfbdaa63fbb193b23a5a78d60169106ce3384e6c7fbd3e1c3572528fbe9c0290fb9bf31c0b6c32b37c803d7d31a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5c162c09ff8c1754124ff852c27d5a1
SHA1 b70a4650401e7e4f4368cbf617a66c38b1b9598b
SHA256 bb965ace63da5cef8e803157509498d022741491f27707ae818d7a3b04afc225
SHA512 8183660e21f9462041ad468170c60282429f29f2338304837932e71ede3e4fce40ba5104f95387e59b8b72d8db42f740e3d75d17ca315bff5b780eb35fad68b4

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 21:45

Reported

2024-10-03 21:47

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px7B4A.tmp C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C671ED26-81D0-11EF-BFD9-76E8F1516C8A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135197" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135197" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135197" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2598699413" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2598699413" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2601199461" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434756890" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\109cfc09fd1bf2dd9c1e05c681e5a7f7_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3996-0-0x0000000002170000-0x0000000002179000-memory.dmp

memory/3996-1-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 109cfc09fd1bf2dd9c1e05c681e5a7f7
SHA1 9c5d91f9ad9e1d14676e7ad194a72d9077d2ee77
SHA256 0a0f7f83fee9778a35af0d7ecc3ff7ecd99d365a659c1ed8da4804467f780a48
SHA512 8012e00d69acaf133aed58033bc1815650cab3330464fc7eab2f034bedb10110210bd6e23cb30af822c46038d08d39e993cf15f3a1a3b81a03cfb27963f77157

memory/3996-5-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3996-7-0x0000000000400000-0x0000000000413000-memory.dmp

memory/848-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/848-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/848-10-0x0000000002040000-0x0000000002041000-memory.dmp

memory/848-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/848-12-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6de4427d02d49cee2c46a8fead1fafa8
SHA1 bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA256 46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512 c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 302b76c575bbef3233c4669a4d3a92a9
SHA1 c955f832c55c0d097f7706b6f8bed8ab0b57d228
SHA256 220b62706230f7067f46990d53ff3049f68fa203e353658ef8ac642e00e60a8a
SHA512 e1c6d04c0c94f36b3de57ccac272015b17f40d468253c0511aa4f18e6ff5a9e6b40ef30d4961aba764d0c55618eb4c8b64907400eba3ab2ab27a525b9efdf27c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee