Analysis

  • max time kernel
    92s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 21:20

General

  • Target

    108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll

  • Size

    432KB

  • MD5

    108bdf02c9eef1175ea53df02020ac7a

  • SHA1

    4a19e66696c5e9a6f53dd5536c3608f9d485f0c9

  • SHA256

    a1d33cfc2c83a6b6a7a30966f9b90be161bf62c99879567888432a62a17d27ae

  • SHA512

    ca04b04affb68c3e5141504a499c34e7187fbe4dae3dc248d129e6e20f901de5d05f12a2ee5bc813ba2b17dd0d7fe38824e5a49a7eca3391f45399607a726ce5

  • SSDEEP

    6144:Hl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyReNMMXUOVEqx4eKhN02DKOMby89VP:HlCzcMg+9YkDiQ3/QjFXUje+hNF4VETK

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 10 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:608
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 212
                  7⤵
                  • Program crash
                  PID:1232
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4464
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4464 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1008
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3120
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3120 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3248
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1792
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:1676
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                    PID:4208
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 212
                      8⤵
                      • Program crash
                      PID:1988
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:4876
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    • Modifies Internet Explorer settings
                    PID:3604
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                5⤵
                  PID:980
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 204
                    6⤵
                    • Program crash
                    PID:2312
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:2772
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:768
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:3592
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3592 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3036
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 612
              3⤵
              • Program crash
              PID:5060
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4296 -ip 4296
          1⤵
            PID:3652
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 980 -ip 980
            1⤵
              PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 608 -ip 608
              1⤵
                PID:4192
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4208 -ip 4208
                1⤵
                  PID:1148

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                        Filesize

                        471B

                        MD5

                        6de4427d02d49cee2c46a8fead1fafa8

                        SHA1

                        bee49bf0e4452ca72442face8e655bf4a8c3af17

                        SHA256

                        46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53

                        SHA512

                        c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                        Filesize

                        404B

                        MD5

                        e644088496fb4209f36ab9a39b932882

                        SHA1

                        9b0319b50185345b8fe26aae6d4b9abd7dca7b94

                        SHA256

                        c3a268110545fbd7f8f4b2e284fc90d7d7a4ba58ddfd43403dbc49cf7cf5e3b2

                        SHA512

                        a05a60e90f07503bc02428c7a46201acb5f6594c6636ab7562f1febd3a4b59b1b7b6a30c4fe499d792281ba1d6c0f8e4968e96cb993429cf6fefeeed252de400

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                        Filesize

                        404B

                        MD5

                        4074aac51971ff9dc04d1992e47c2d34

                        SHA1

                        f61a9a101bac19e1a2939f4295ae859be7298034

                        SHA256

                        3e8d9dad5b32fbe8e1d18db92837aff7030ed6fec7e5d84d99937bb801b134e4

                        SHA512

                        764b02cbe121ba905aad359660ea6da1569ba35df90b61a093112d6ce2724c021f711ca47f323d5b6275162f3334a0aebdce6602cf0649f9808cee897c6bb6c4

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

                        Filesize

                        404B

                        MD5

                        43292c52c02bad43207ab69552a2b9f9

                        SHA1

                        9d98b405517edca62683c02e13038bd0ebbd7d30

                        SHA256

                        a20e436e6eafba59c5c173d9945d470ca893f8eba266cc925f14089014c78119

                        SHA512

                        63e6447d9e70776f1fa7b3827b46f5bc4771e37249077a52ae3ce9ea9eeefc1b16300787ec4a44ea84ad2cec6e1ae465818a8e1ff6c503bf8f2a6477a64245a1

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D61AF5A-81CD-11EF-84CD-562BAB028465}.dat

                        Filesize

                        3KB

                        MD5

                        835161b283033c9a1e7aab24cf6b353b

                        SHA1

                        bc54a9d73ba6c6a522a13e0c12819f127567f892

                        SHA256

                        2b891e89eae1f38cc5e1977bd00d60453cb318272569141a33642143a0b6dfaf

                        SHA512

                        d7fa0257f7c29f1cdd80091036bc587264ef26b37e857864c11aa4b41417638e95d8273e0019c05bf7fc11d5dac7fe6a25113a8978035e6c2632e1e9f8d378a7

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6673B4-81CD-11EF-84CD-562BAB028465}.dat

                        Filesize

                        3KB

                        MD5

                        558c59697cce69b4ed4fe44cc84b4130

                        SHA1

                        7cfb90c3ed098869d8a2552289ca61001fefbb1e

                        SHA256

                        a8de6cece70f0745b13e1ee6ee041ac6a5f2069c3f437ed70adc79ae2051e284

                        SHA512

                        d69057d2e1607d25d444f51e44578fb8728a2f6c00498b4bf4dee4ddd8392bdf8df5103e1f1b048b38eb966d8aa6dec8a25c2f9c9ae01712d27998fd73597c98

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6673B4-81CD-11EF-84CD-562BAB028465}.dat

                        Filesize

                        5KB

                        MD5

                        836f342e272dab8c471bfa5d462a2c9d

                        SHA1

                        04e0da20247df075feb144208445b4c53f0c4116

                        SHA256

                        619c6b74650b5f053096c17546b15a8b8e4467e5a8f7ce2e00fd034b171112e4

                        SHA512

                        0caae8073aa3c18464fba2e844d051ad28783eb1055878733dae848adfb63538bea7354b045373561cccf0574fa9628e9ee71b5a23fc2ecf71f7c828ae123c95

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D68FD53-81CD-11EF-84CD-562BAB028465}.dat

                        Filesize

                        5KB

                        MD5

                        2820c23b8ce9cd08735bac8bbf66bdb8

                        SHA1

                        d185bc2a788fcfa7d1340cd2117cb2847a9b9167

                        SHA256

                        a23656ebdf635d512f1c008563070dcee7684fb680fdca65e7f4d264a5899136

                        SHA512

                        d4151990975d8b2dac54a97242fe09d5ace7ceeab4b7d7e2caddd347e50925f3f9aef0136d7157d960b8b82dee1b4c24f4ea2147d71bf51923c1e77e961fbed8

                      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3FA5.tmp

                        Filesize

                        15KB

                        MD5

                        1a545d0052b581fbb2ab4c52133846bc

                        SHA1

                        62f3266a9b9925cd6d98658b92adec673cbe3dd3

                        SHA256

                        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

                        SHA512

                        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\suggestions[1].en-US

                        Filesize

                        17KB

                        MD5

                        5a34cb996293fde2cb7a4ac89587393a

                        SHA1

                        3c96c993500690d1a77873cd62bc639b3a10653f

                        SHA256

                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                        SHA512

                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                      • C:\Windows\SysWOW64\rundll32mgr.exe

                        Filesize

                        193KB

                        MD5

                        b80ba009ada99611fb0f58a874e2a2c6

                        SHA1

                        233a75da371c7de9d55b6e69a11b1520d4d4758b

                        SHA256

                        cde713c433fff87c62831354e844a867acd211c14ff314589526ea4488c4b0db

                        SHA512

                        9097abf9565ed788ab781758a27b5552b0d847fcbb7c6fb8cf312efd6d640bcb0fc79a9798b0ea39a71f3fa126bb366947b33a4b8656c1a0743e33186ac761a2

                      • C:\Windows\SysWOW64\rundll32mgrmgr.exe

                        Filesize

                        95KB

                        MD5

                        6bde351c18bbc50d5131f901df12e0ae

                        SHA1

                        f6f3aa982d86f8756db87772da94f8d8ad0bbdfe

                        SHA256

                        1f1b20a143a5cc4d1c103453b7c0f465f6cf1e1ae20425f416480c6fc968d9de

                        SHA512

                        da954bb740377e5ecbb74f227453ccefc68d0ac55deeb800dd6d3939765b34cfcb46fd3dfff1fea68b5ded09c310409f0d2f628dd2bfe35f20e6d22c321be4dc

                      • memory/1536-21-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-12-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-11-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-10-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-13-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-33-0x0000000000400000-0x000000000043C000-memory.dmp

                        Filesize

                        240KB

                      • memory/1536-24-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-22-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/1536-14-0x00000000001A0000-0x00000000001A1000-memory.dmp

                        Filesize

                        4KB

                      • memory/1536-4-0x0000000000400000-0x000000000043C000-memory.dmp

                        Filesize

                        240KB

                      • memory/1676-87-0x0000000000400000-0x000000000043C000-memory.dmp

                        Filesize

                        240KB

                      • memory/1676-73-0x0000000000430000-0x0000000000431000-memory.dmp

                        Filesize

                        4KB

                      • memory/1792-49-0x0000000000400000-0x0000000000423000-memory.dmp

                        Filesize

                        140KB

                      • memory/1792-61-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2076-9-0x0000000000400000-0x0000000000423000-memory.dmp

                        Filesize

                        140KB

                      • memory/2076-28-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2076-23-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2248-63-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2248-79-0x0000000000400000-0x000000000043C000-memory.dmp

                        Filesize

                        240KB

                      • memory/2248-76-0x0000000000070000-0x0000000000071000-memory.dmp

                        Filesize

                        4KB

                      • memory/2248-86-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2248-88-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2248-59-0x0000000000060000-0x0000000000061000-memory.dmp

                        Filesize

                        4KB

                      • memory/2892-62-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/2892-80-0x0000000000400000-0x000000000043C000-memory.dmp

                        Filesize

                        240KB

                      • memory/2892-85-0x0000000000400000-0x0000000000421000-memory.dmp

                        Filesize

                        132KB

                      • memory/4296-0-0x0000000074F20000-0x0000000074F8C000-memory.dmp

                        Filesize

                        432KB

                      • memory/4296-75-0x0000000074F20000-0x0000000074F8C000-memory.dmp

                        Filesize

                        432KB