Malware Analysis Report

2025-08-06 01:41

Sample ID 241005-d4k6esshrq
Target 16001725169ca21396b2b16ababbf08a_JaffaCakes118
SHA256 d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875
Tags ramnit banker discovery spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 d20a579372296b75b32ccf99834bead302951598eb209df5e4e073924cffb875
Threat Level: Known bad
The file 16001725169ca21396b2b16ababbf08a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-05 03:33

Signatures

Unsigned PE

No indicator, process or target recorded for this match.

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-05 03:33
Reported 2024-10-05 03:36
Platform win7-20240903-en
Max time kernel 133s
Max time network 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
6 matches; no indicator, process or target recorded (static match on the packed layout).
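The "UPX packed file" signature is a static match: the sandbox recognised UPX's section layout rather than observing any behaviour. The Python below is an added example, not code from the sandbox or from this page, showing what that check amounts to: a minimal PE section-table walk (DOS header, e_lfanew, PE signature, COFF header, section headers) that reports UPX0/UPX1 section names, plus a second, independent test for the "UPX!" magic that stock UPX writes into its loader-info block. Because section names are trivially renamed, relying on them alone misses repacked samples, which is why both indicators are returned. build_minimal_pe is a constructed, header-only fixture so the block runs offline; scan_file is the entry point for a real file on disk.

```python
import struct
from pathlib import Path

COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def pe_section_names(data):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table
    and return the NUL-trimmed 8-byte section names in file order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Two independent signs of stock UPX output: UPX0/UPX1(/UPX2) section names
    and the 'UPX!' magic of the packer's loader-info block. Section names are
    easily renamed, so the marker is checked as well."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def scan_file(path):
    """Run the check on a real file from disk."""
    return looks_upx_packed(Path(path).read_bytes())


def build_minimal_pe(section_names, trailer=b""):
    """Constructed fixture (not a loadable image): DOS stub, PE signature, COFF
    header, zeroed PE32 optional header and a section table with the given names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt_size = 0xE0                                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], trailer=b"UPX!")
    print(upx_indicators(packed), looks_upx_packed(packed))
```

On a positive result from scan_file, stock UPX output normally unpacks with `upx -d` before static analysis; a sample that hits only the marker, with renamed sections, has usually been modified and needs a manual unpack.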

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Every row below is written by iexplore.exe itself after rundll32mgr.exe starts it, and the keys touched (Zoom, PageSetup, Recovery, DomainSuggestion, WindowsSearch, BrowserEmulation, IETld, LowRegistry) are ordinary Internet Explorer startup and session housekeeping; nothing here is a sample-specific setting, so this signature is weak evidence on its own. The finding that matters is that a binary dropped into SysWOW64 launched the browser (see the WriteProcessMemory table).
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434261094" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A164A111-82CA-11EF-B895-D686196AC2C0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A15D7CF1-82CA-11EF-B895-D686196AC2C0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Process chain: 1868 C:\Windows\system32\rundll32.exe -> 1284 C:\Windows\SysWOW64\rundll32.exe -> 2416 rundll32mgr.exe -> 2776 and 2968 iexplore.exe -> 2636 and 2488 IEXPLORE.EXE (x86 content processes). The system32 -> SysWOW64 hop is the 64-bit rundll32 host re-launching its 32-bit counterpart to load the 32-bit DLL; 1284 also crashed and handed off to WerFault.exe (2100). Repeated rows are collapsed below with an event count.
Description (event count) Indicator Process Target
PID 1868 wrote to memory of 1284 (7 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1284 wrote to memory of 2416 (4 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1284 wrote to memory of 2100 (4 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2416 wrote to memory of 2776 (4 events) N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2416 wrote to memory of 2968 (4 events) N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2636 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2488 (4 events) N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
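The WriteProcessMemory rows are the most useful part of this report because they encode the parent/child chain from the rundll32 host to the dropped rundll32mgr.exe and on to the browser. The Python below is an added example (not the sandbox's or the page's own code) that parses rows in the sandbox's one-row-per-event form, reconstructs the process tree with a write count per edge, and applies one heuristic: rundll32.exe writing into any image other than another rundll32.exe or the WerFault.exe crash handler is flagged. The EVENTS text is a constructed, trimmed copy of the behavioral1 rows above; the regex relies on both image paths starting with a drive letter, which is what makes two space-containing paths separable.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed input: a trimmed copy of the behavioral1 WriteProcessMemory rows,
# one sandbox event per line (the sandbox emits one row per WriteProcessMemory call).
EVENTS = r"""
PID 1868 wrote to memory of 1284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1868 wrote to memory of 1284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1284 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1284 wrote to memory of 2416 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1284 wrote to memory of 2100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2416 wrote to memory of 2776 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2416 wrote to memory of 2968 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2776 wrote to memory of 2636 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2968 wrote to memory of 2488 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Both image paths start with "<drive>:\"; the lazy first group stops at the first
# space that is followed by another drive-rooted path.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


def parse_events(text):
    """Return a list of (writer_pid, target_pid, writer_image, target_image)."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_tree(events):
    """Map PID -> image, PID -> child PIDs, and (writer, target) -> event count."""
    image, children, counts = {}, defaultdict(set), Counter()
    for src, dst, src_img, dst_img in events:
        image[src], image[dst] = src_img, dst_img
        children[src].add(dst)
        counts[(src, dst)] += 1
    return image, children, counts


def roots(events):
    """PIDs that write into others but are never written into: the chain's origin."""
    targets = {dst for _, dst, _, _ in events}
    return sorted({src for src, _, _, _ in events if src not in targets})


def render(image, children, counts, pid, depth=0, parent=None, lines=None):
    """Indented process chain; each child line carries the parent's write count."""
    lines = [] if lines is None else lines
    note = "" if parent is None else f"  [{counts[(parent, pid)]} writes from {parent}]"
    lines.append("  " * depth + f"{pid}  {image[pid]}{note}")
    for child in sorted(children.get(pid, ())):
        render(image, children, counts, child, depth + 1, pid, lines)
    return lines


def suspicious_launches(events):
    """Heuristic: rundll32.exe writing into anything other than another rundll32.exe
    or the WerFault.exe crash handler is worth a look; a DLL host has no business
    starting and writing into other executables."""
    flagged = set()
    for src, dst, src_img, dst_img in events:
        if PureWindowsPath(src_img).name.lower() != "rundll32.exe":
            continue
        if PureWindowsPath(dst_img).name.lower() not in ("rundll32.exe", "werfault.exe"):
            flagged.add((src, dst, dst_img))
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_events(EVENTS)
    image, children, counts = build_tree(events)
    for root in roots(events):
        print("\n".join(render(image, children, counts, root)))
    for src, dst, dst_img in suspicious_launches(events):
        print(f"FLAG: PID {src} rundll32.exe wrote into PID {dst} {dst_img}")
```

The same parser works on the behavioral2 rows, where the chain stops at rundll32mgr.exe (PID 2968) because both it and its rundll32 parent crash before any browser is started.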

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2

Network

None of the destinations below is sample-specific: the api.bing.com lookup and the ieonline.microsoft.com connections are Internet Explorer's own startup traffic, and no other outbound connection was recorded in the 127 s network window, so this run yields no C2 indicator.
Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Windows\SysWOW64\rundll32mgr.exe (dropped payload; the hashes match those from behavioral2, so the SHA256 below is a stable file indicator for this sample)

MD5 f4334cf7fe43a953091dc12bf138e6b9
SHA1 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b
SHA256 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40
SHA512 ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6

memory/1284-1-0x000000006D140000-0x000000006D16F000-memory.dmp

memory/2416-12-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2416-13-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2416-15-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2416-14-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2416-16-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2416-11-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2416-10-0x0000000000400000-0x0000000000467000-memory.dmp

memory/1284-9-0x0000000000330000-0x0000000000397000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A15D7CF1-82CA-11EF-B895-D686196AC2C0}.dat

MD5 13134e30d64caf5d5a0660f74d791637
SHA1 73cdce29d2546c05e9adab25a16ec4aba65ec491
SHA256 a586920f1186cad85b82fc8319271fcdd7dbca8faf49c07ead370fe9b317472e
SHA512 ac30221f6afda57d9a25f4885397fef8f3168d061af8452fa8de38418d44009a085515bd63c465b39361d44ec6c49f33506dcdfd5751f4e5823bec5fb1245e68

memory/2416-18-0x0000000000400000-0x0000000000467000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8D04.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8D57.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 610651129dd7858be62bff060d183690
SHA1 04dd89292bbb304bee48c6edbad45f7e57b39cb4
SHA256 3a9449cc5ed943e31fc0d806eb8ed86f098a9fc8f9492049e24584eb0c5b7f57
SHA512 4e2ae760a14409c01d461ba1557b9d11fb8f771ba7220b0919c663426593941f841e7e07b1deb220225dd4f8a2112878ae99fdacd57861276f558a5f091a8269

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 884d3bd717aca4acc0901cec85453bb8
SHA1 58bee24ef0e6aed266cae1887d8a45ab6215f8aa
SHA256 df2c9d50d76f4de553a52dd9a052c09a4f6e6599c393fba9722339963b2f925a
SHA512 a2dbd391815e94b009b1d7373179545ad8f6419e99830ce1f2f195b1007ea2afd4ce6108500a0d67f2ccb95d271d842a6776ed025c1d67dd34b56930942cd142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ae5a82e66324726345ee358b707ac00
SHA1 0d5f84b4b4e212319c5a0bed5df1ad7e9e661ef1
SHA256 e4255e30a31d5bb864086ff00a61eec5bdcf4b81893a3e6b14f36b401ad76558
SHA512 ef10cc244c8d2510da6a90a0a15fda03b266f17024ace4174c6ed35a90d1bd753724e05534adb11576844e99674f270295b1bdcbcbfc6757006e6af8fc3ac8f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ff1e673868a21a0ec750a49145fa60e
SHA1 26108f8c768f064c07dc542c831600965d4ff685
SHA256 49262265d1644d7ec7d4841555c286d7aefb480c999d37cbbdef0d06839d42d8
SHA512 802698339cb4cfbc77a256814b5a4ec39f4f7458d18f74633f7c3c070cda80e3e90c8b1a34276ca6e0a723306ebc68dc904f77b07904a0cfbad496d383c56a6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02c8e8d2b330453174644fa222d772b0
SHA1 01ec2154a076fd928a4ab7fb1fd95596090741f0
SHA256 a17c841858af9a90f45636dab79480ce63df5b80b86fd249f398988e59962bd6
SHA512 f16f709c8c2d1b83d41a7501bf12741371817143420e26155c3303a20f9b0ab7cd4721a96a7e5a31e0e62dfff71a83f98f94342450767086258d77f8e8ab3878

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bc575c597fe42f5fabdb437fab197a7
SHA1 78f6fab3cececc79594e5ffd4bc687a033233434
SHA256 cc23114241c1d03efe5aad7a327d0e0f29f0a92e6be3b6edc4374e15ebd58c30
SHA512 01ff4cbc9e3a0bb35aed9603152dedf2678aaf65dfb35b762cd5d42ed5e690a249a54f6deb0e0efd7d33c641c1f99a345c44c1cce303bde79b6dc0756090156a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 768c026d9d91d3e20385910cb96cff49
SHA1 a8719a1fd441b2499053d4501a0ec1076139529c
SHA256 7c79f9595de3b6e56abdb54ff81b3a5fe3b884a03bc06707fbde0ff5d71297f4
SHA512 cd6206f048402205b34dfbb553fe51a7f61722b39343eeb7c0449253c77026046e1932982eada9086f8869067dbe33b84d0a337eacfedb46555c8d69bd786006

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c16cabb41d843a44c46d578f3a3b70e1
SHA1 6aee1c43d103e29825fe81adf253757f1cc74b9f
SHA256 2469c0bfdb0ac290f88a369efbcef44e381b5d6cd760b09935cacc45e49ed963
SHA512 4cf6ec2dfe7f4854409abd617efa7ad3c4f0b399d63a9d1103f4fee7961c6bab5744bee4211ba165c69c047862eeeb571e6d74c990ece78fd487fa3c060a21e5

memory/1284-339-0x0000000000330000-0x0000000000397000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37d41ff396100ccd37cdbdd842d49a84
SHA1 b96593832b802a71c8d7d5d1242c3e50e6a9c3f0
SHA256 c741f7a629678746dcddd14d101bc35f04c2c24425b168474ac533a8c79d2fb6
SHA512 a046cf28874f77c6ec686af20f39be821dc84a8dd501d7a0120edd87f3750c123c94e4f07e69a48dedc8f2d78e594df6b9789ce0d1093fb127807d172779d461

memory/1284-448-0x000000006D140000-0x000000006D16F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2637146a923a0cb737dfa5a176c688d8
SHA1 53bf0db6e7170a533816e1fd8eeb6862d99b57bf
SHA256 9f15358a1d31db7aff573b17e04962656f87cf7fc29c44f835fe4684c3255763
SHA512 7f8557551d78daa637af3f35a04957c9a3beee76bea0862dd8a24923571a6d37b6f12fb3e652b5d9ae9465f0b15b6e8e3219f88697e9561a12df46fba2ebda44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ab839856adad4d1a1fb0246774ce5ed
SHA1 9276e97dba0cfd7a50e2fcd86eb250825cd23aba
SHA256 823baf034368c59af4c70ffe15a7ab406dbd8711194cce81c411d52890591aa1
SHA512 db08ecf35b1a68296e1c62ad05f4e6635b6bc30d5951f10950dbbd6f0956fa46691b6f496cbca28cc0472a8eaf19fcf771e3fe5fe48e7a96897f1f996d3604ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 762ac9e3c2d7cbd9d59d235ede51a387
SHA1 feb14c5ae60c3b6e840085cefd5e1c7428e24d76
SHA256 e1a9efd4e65a70a80878f3e4485aec7665ded41d747b18b70fdc399f76e50adf
SHA512 739b8d76159f6c9789931a74231e0e69409babfbb08aab6f5d32e87fa69e373e2587c5c398503629a1eb28387cf878c66a4080c3e0a29e0b75e3b766caf2728d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee8fd8205c24bfc4096bc32116778613
SHA1 d260639c6119225a07e263f1fcd0abc3adb19212
SHA256 cc8f17074e0be91b9bb0676b6e5dd94b768d6f1535eb7b377535f96b9dad000e
SHA512 45f4d5ccccc317c2e6fa8963887b5ded762a46bf136b2c3e1640844f39f35f8ad2a4398b624d46537e476ae958c1f810e6b745d9394a47402ee929d5c62cded9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ee6ebf0c3198ea21211f5dd9a0d153b
SHA1 feb34a6bd977d65e76972c126e72a1b0c5c9d7ab
SHA256 e0df3a73a31831656e324141e416b4c32cf175a1229b0fd254844eb63e5df22a
SHA512 ec3f77123e1e1c13ff2f6beb1ead9ca2b93cd4878ee7499042259630e021067b0f67d384d81726176f998b5299e7235f9fcdf0e147105cbb9936a49db82b51a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cf9d24713295792f9a8dbe6576092a3
SHA1 8b2a5020ef86182dc8395f7a475dff1b63a9a0d3
SHA256 8e516d9fd7931bc65808ccda7374eea58cced02b2450b5ecb82460d01efafcf5
SHA512 4c36905f1c7a9263aa9bb530f981476e61f242c93d99eedb7782ff486c863bebd9eaaf57667378aad08d22b9206381b659ca69896e911184fbe6dd26ac231b7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3decd2d76d73722dee894c382daacbd5
SHA1 589d1cdc91bd529bb4c49144a612a7c8f89a0be7
SHA256 e2b4a93b2c6ad89b86b0bd61a73ef1568283fc9afc675a03ae0d49d99ac08de1
SHA512 f69d30f42434f2dcd977846baf2ce7c333b720266c883b8aa977a5a2faa0b5e1ed39a1a207375fa5e3e34635dd9482a5ec1a8f720fa3af4685868295fa79d235

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-05 03:33
Reported 2024-10-05 03:36
Platform win10v2004-20240910-en
Max time kernel 134s
Max time network 131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
3 matches; no indicator, process or target recorded (static match on the packed layout).

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32mgr.exe N/A

Suspicious use of WriteProcessMemory

Description (event count) Indicator Process Target
PID 1400 wrote to memory of 4956 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4956 wrote to memory of 2968 (3 events) N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe

Processes (on Windows 10 both the 32-bit rundll32.exe host, PID 4956, and the dropped rundll32mgr.exe, PID 2968, crash into WerFault.exe and no Internet Explorer instance is started; behavioral1 is the more complete run)

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\16001725169ca21396b2b16ababbf08a_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 608

Network

The reverse (in-addr.arpa) lookups and the tse1.mm.bing.net connections are Windows 10 background activity, not traffic initiated by the sample; as in behavioral1, no sample-specific destination was recorded.
Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4956-0-0x000000006D140000-0x000000006D16F000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 f4334cf7fe43a953091dc12bf138e6b9
SHA1 11fd2e978e72ce11f4adbd0099a03b4d62a4bb6b
SHA256 65beee6c24cc857cd4c4cff9643b1166acf21a36eba76540681e2fe63ea47a40
SHA512 ebfcd45ce20f1a5d0132daac759b2e118c02985636cad32d329643fda1687d2bbb5938c5cf8572f7d31455e6f77ab2f5bbc9052821cb8b9494d66b182e3b40d6

memory/2968-5-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2968-6-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/4956-7-0x000000006D140000-0x000000006D16F000-memory.dmp

memory/2968-8-0x0000000000400000-0x0000000000467000-memory.dmp