Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2024, 19:12

General

  • Target

    10337612da603f1161073c76d05d688f_JaffaCakes118.dll

  • Size

    200KB

  • MD5

    10337612da603f1161073c76d05d688f

  • SHA1

    25f1156fc48b4e228e5b82ae3a5abbb3b488daa1

  • SHA256

    ced6fbce9082d81bfcd1667693a93057a0a19c00af72d6d797681fd84b9ee54a

  • SHA512

    f8927557114c81163a2261fcc42d92f771de1143e709b7e112b3daaf3ec152db89d2941686e575035316c1d2846d19f2a3642c16c2ddd779276e574d6bf8ecc9

  • SSDEEP

    3072:fNEqkap78EQfA32wSYHj7oJjKetpsHV0l3LSIVJxb/ymJywQyis:FEqkE4uHholKetpsWk+b/pywQyP

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 4 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\SysWOW64\rundll32Srvmgr.exe
          C:\Windows\SysWOW64\rundll32Srvmgr.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4900
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 10176
            5⤵
            • Program crash
            PID:4928
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe
            "C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:776
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 10176
              6⤵
              • Program crash
              PID:392
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3472
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3472 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 4900
    1⤵
      PID:4176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 776 -ip 776
      1⤵
        PID:4152

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe

              Filesize

              94KB

              MD5

              f8434f362add5334f4f050f4b4b373a7

              SHA1

              f5915cb0d72c8faffe11126bc29da1b1db8092bc

              SHA256

              d34b378ede04c585c2bff8cf32112904e8512ee80c5a9fbb34ba224d8dbc868b

              SHA512

              6c6b4ea2b0e37a346145ee2814789d9da4c2688aff1c3e1cced16a620e8dc81566670336a3fe8a510b1754bbac6c3c6ac20aa7e20359b9c322bb220b50ac30b9

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              471B

              MD5

              6de4427d02d49cee2c46a8fead1fafa8

              SHA1

              bee49bf0e4452ca72442face8e655bf4a8c3af17

              SHA256

              46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53

              SHA512

              c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

              Filesize

              404B

              MD5

              1c22da1a91e0cea40d82919c5a90295d

              SHA1

              9671b1b0f396b0f81893ad3a3b72a3293f4a43b6

              SHA256

              d55e46eda70ab824d5f036793f9876c69828adffd3dc51d3688198abf42c46d3

              SHA512

              cf8d01819f2cd00c20c8b57631b403b44683703c9592486e82380794e0261af337727cdf9202032d53cd6cece9fec463287c8b47be6827b934e67745638bc4e4

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2035.tmp

              Filesize

              15KB

              MD5

              1a545d0052b581fbb2ab4c52133846bc

              SHA1

              62f3266a9b9925cd6d98658b92adec673cbe3dd3

              SHA256

              557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

              SHA512

              bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            • C:\Users\Admin\AppData\Local\Temp\~TM8D4C.tmp

              Filesize

              1.6MB

              MD5

              4f3387277ccbd6d1f21ac5c07fe4ca68

              SHA1

              e16506f662dc92023bf82def1d621497c8ab5890

              SHA256

              767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

              SHA512

              9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

            • C:\Windows\SysWOW64\rundll32Srv.exe

              Filesize

              152KB

              MD5

              2c60a0eb60587e6e9dbd389576a30d91

              SHA1

              9fc335861b437bb6cb3079fb07e420d8f39a4b12

              SHA256

              e8452f0b8c328b8737d3244729cfb9b5e4295167bfda075b2679c0c9978ab631

              SHA512

              10f7f201c1c6a36d23df72bf333663de844b7dc1b7ab7cdfeb787e66bff2bc47cda3dbe96db2d6ecb2b33364923c8334310ba1a00937e7de3e1cf8e4869e3697

            • memory/3496-11-0x00000000005A0000-0x00000000005AF000-memory.dmp

              Filesize

              60KB

            • memory/3496-13-0x0000000000400000-0x0000000000447000-memory.dmp

              Filesize

              284KB

            • memory/3496-4-0x0000000000400000-0x0000000000447000-memory.dmp

              Filesize

              284KB

            • memory/4028-26-0x00000000004B0000-0x00000000004B1000-memory.dmp

              Filesize

              4KB

            • memory/4028-19-0x0000000000400000-0x0000000000447000-memory.dmp

              Filesize

              284KB

            • memory/4900-28-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

            • memory/4900-20-0x0000000000400000-0x000000000042A000-memory.dmp

              Filesize

              168KB

            • memory/5048-1-0x000000006D040000-0x000000006D072000-memory.dmp

              Filesize

              200KB