Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/10/2024, 03:33

General

  • Target

    16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll

  • Size

    188KB

  • MD5

    16001725169ca21396b2b16ababbf08a

  • SHA1

    0cf98dae59054dbe17ce52d0a9dca136367c9881

  • SHA256

    d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875

  • SHA512

    c6e3223d0db321acc07ce9d01df57d06e23d9142e8dad4be02dcc1c247403244d908aad70ef67aa57cb0b5a747fe6f677dd232801593067278793bbb6fcc6013

  • SSDEEP

    3072:4FVd8No9EzfVakCpIUZV+NInROITg2b+lXbqWokZc:4HdEaEzfHOjRO2b+JqWO

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2636
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224
        3⤵
        • Program crash
        PID:2100

Network


        Downloads

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize: 145KB
          MD5: f4334cf7fe43a953091dc12bf138e6b9
          SHA1: 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b
          SHA256: 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40
          SHA512: ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6

        • memory/1284-448-0x000000006D140000-0x000000006D16F000-memory.dmp (Filesize 188KB)
        • memory/1284-339-0x0000000000330000-0x0000000000397000-memory.dmp (Filesize 412KB)
        • memory/1284-9-0x0000000000330000-0x0000000000397000-memory.dmp (Filesize 412KB)
        • memory/1284-1-0x000000006D140000-0x000000006D16F000-memory.dmp (Filesize 188KB)
        • memory/2416-18-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize 412KB)
        • memory/2416-10-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize 412KB)
        • memory/2416-11-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
        • memory/2416-16-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize 412KB)
        • memory/2416-14-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize 4KB)
        • memory/2416-15-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize 412KB)
        • memory/2416-13-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize 4KB)
        • memory/2416-12-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize 412KB)