Analysis Overview
SHA256
d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875
Threat Level: Known bad
The file 16001725169ca21396b2b16ababbf08a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-05 03:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 03:33
Reported
2024-10-05 03:36
Platform
win7-20240903-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434261094" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A164A111-82CA-11EF-B895-D686196AC2C0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A15D7CF1-82CA-11EF-B895-D686196AC2C0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | f4334cf7fe43a953091dc12bf138e6b9 |
| SHA1 | 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b |
| SHA256 | 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40 |
| SHA512 | ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6 |
memory/1284-1-0x000000006D140000-0x000000006D16F000-memory.dmp
memory/2416-12-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2416-13-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2416-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2416-14-0x0000000000330000-0x0000000000331000-memory.dmp
memory/2416-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2416-11-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2416-10-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1284-9-0x0000000000330000-0x0000000000397000-memory.dmp
memory/2416-18-0x0000000000400000-0x0000000000467000-memory.dmp
memory/1284-339-0x0000000000330000-0x0000000000397000-memory.dmp
memory/1284-448-0x000000006D140000-0x000000006D16F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-05 03:33
Reported
2024-10-05 03:36
Platform
win10v2004-20240910-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32mgr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1400 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1400 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4956 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
| PID 4956 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
| PID 4956 wrote to memory of 2968 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32mgr.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4956-0-0x000000006D140000-0x000000006D16F000-memory.dmp
C:\Windows\SysWOW64\rundll32mgr.exe
| MD5 | f4334cf7fe43a953091dc12bf138e6b9 |
| SHA1 | 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b |
| SHA256 | 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40 |
| SHA512 | ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6 |
memory/2968-5-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2968-6-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/4956-7-0x000000006D140000-0x000000006D16F000-memory.dmp
memory/2968-8-0x0000000000400000-0x0000000000467000-memory.dmp