Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    03/10/2024, 17:00

General

  • Target

    0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll

  • Size

    264KB

  • MD5

    0fbf6aebb7abe0cf6397511870b68341

  • SHA1

    4ade45cb13aaff6812047d68bb6c4c9caa20694b

  • SHA256

    b2f2278e08e7948fdadb10567269e42b9afe2922e650d5e5bee2990432386370

  • SHA512

    a4a519b441bafd41c354cdd80d41ddacc9150325988628994943c0dde939c40c5410e4b3a4ffb3cac96e23da7e0771a668b7a17c62d28ba9a0065231c487fd6b

  • SSDEEP

    3072:n4vRJRkTcZ7fcxdl5CTdBoEBClwrnfJMtZbzOPrLToxdv0/pMBLCAivV+8KjvYfC:nXHngrXV6L/0cPjMN/m+POz

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fbf6aebb7abe0cf6397511870b68341_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2688 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1056
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2548

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • memory/2080-15-0x0000000000700000-0x000000000075B000-memory.dmp

          Filesize

          364KB

        • memory/2080-2-0x0000000074A20000-0x0000000074A64000-memory.dmp

          Filesize

          272KB

        • memory/2080-1-0x0000000074A00000-0x0000000074A44000-memory.dmp

          Filesize

          272KB

        • memory/2080-11-0x0000000000700000-0x000000000075B000-memory.dmp

          Filesize

          364KB

        • memory/2080-10-0x0000000074A00000-0x0000000074A44000-memory.dmp

          Filesize

          272KB

        • memory/2080-9-0x00000000749D0000-0x0000000074A14000-memory.dmp

          Filesize

          272KB

        • memory/2696-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

          Filesize

          4KB

        • memory/2696-14-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2696-18-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/2696-16-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/2696-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/2696-13-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/2696-20-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/2696-23-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB