Analysis

  • max time kernel: 146s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/10/2024, 05:20

General

  • Target: 1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
  • Size: 178KB
  • MD5: 1651bcc888424d427c01013e8e798903
  • SHA1: 9c41ee9dcfc7aef934bda221c5713598a8353107
  • SHA256: c13d67f1836cacca25cf768824de9f481d6cc3e862bcae2bb0e086189cecd03d
  • SHA512: 89e3953e7de2f82182ce485d6840693591235bf9a4d58f558d0fee992d74c9ffe8dbf4154f80ad85a19702181475eb478c90f3eb29c345070ebacead6bb9e997
  • SSDEEP: 3072:x4yriLc3IcqB0NljYUvfT/SmNp94Z7yifCKXZ5q1n3hApWQrIcH2zAn:1uLRcZBPvukp4lCKXZ5q1Rqr

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes file-infecting viruses, worms, and Trojans.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
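
The "UPX packed file" signature above covers stock UPX and modified builds. As an added example by the editor, not code from the sandbox or from this report, the following pure-stdlib Python parses a PE section table and reports the indicators a triage script would check. The section-layout test is included because a modified UPX can rename the UPX0/UPX1 sections and strip the "UPX!" marker, so name matching alone misses it. The sample file itself is not on the page, so the two images below are constructed inline; `build_pe`, `pe_sections` and `upx_indicators` are the editor's names, not part of any library.

```python
import struct

# Section names that stock UPX writes; a modified UPX build may rename them,
# which is why the check below also looks at the section layout.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}


def pe_sections(data: bytes):
    """Parse the PE section table and return (name, virtual_size, raw_size) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rsize))
    return sections


def upx_indicators(data: bytes):
    """Return the list of UPX indicators found; an empty list means none matched."""
    sections = pe_sections(data)
    hits = []
    if any(name in UPX_SECTION_NAMES for name, _, _ in sections):
        hits.append("upx_section_names")
    if b"UPX!" in data:                      # UPX header marker; trivially patchable
        hits.append("upx_magic_string")
    # Stock UPX layout: the first section is all-virtual (raw size 0) and receives
    # the unpacked image at run time. This survives a plain section rename.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        hits.append("empty_first_section")
    return hits


def build_pe(section_specs, trailer=b""):
    """Construct a minimal PE32 image for testing (constructed data, not a real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    optional = b"\x0b\x01" + b"\0" * 222                            # PE32 magic + padding
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(optional), 0x2102)
    table = b""
    for name, vsize, rsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + optional + table + trailer


# Constructed samples: a UPX-style layout and a plain, unpacked layout.
PACKED_SAMPLE = build_pe([(b"UPX0", 0x30000, 0), (b"UPX1", 0x2A000, 0x29000),
                          (b".rsrc", 0x1000, 0x400)], trailer=b"\0\0UPX!\0\0")
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_SAMPLE))
    print("clean: ", upx_indicators(CLEAN_SAMPLE))
```

Treat any of these hits as a reason to unpack and re-hash, not as proof of the packer: all three indicators are cheap to remove, which is exactly why the sandbox reports the dropped p7q0EPZi and the dll under separate hashes rather than relying on packer identification.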

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
        "p7q0EPZi"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4344
        • C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
          C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2484
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 204
                6⤵
                • Program crash
                PID:1376
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1616
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:184
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1892
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17416 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3452
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17422 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4144
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17428 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:5072
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:17438 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2988
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:5008
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 204
                  6⤵
                  • Program crash
                  PID:4928
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4544
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  6⤵
                  • Modifies Internet Explorer settings
                  PID:3224
              • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                "C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3624
                • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                  C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1344
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\system32\svchost.exe
                    7⤵
                      PID:1944
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 204
                        8⤵
                        • Program crash
                        PID:4796
                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:2636
                      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                        8⤵
                        • Modifies Internet Explorer settings
                        PID:1556
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\system32\svchost.exe
                      7⤵
                        PID:2932
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 216
                          8⤵
                          • Program crash
                          PID:1552
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:2412
                        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                          8⤵
                          • Modifies Internet Explorer settings
                          PID:3104
                      • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                        "C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:4388
                        • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                          C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                          8⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4468
                          • C:\Windows\SysWOW64\svchost.exe
                            C:\Windows\system32\svchost.exe
                            9⤵
                              PID:4376
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 204
                                10⤵
                                • Program crash
                                PID:2900
                            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                              9⤵
                              • System Location Discovery: System Language Discovery
                              PID:3900
                              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                10⤵
                                • Modifies Internet Explorer settings
                                PID:1752
                            • C:\Windows\SysWOW64\svchost.exe
                              C:\Windows\system32\svchost.exe
                              9⤵
                                PID:2080
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 208
                                  10⤵
                                  • Program crash
                                  PID:332
                              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                9⤵
                                • System Location Discovery: System Language Discovery
                                PID:1944
                                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                  10⤵
                                  • Modifies Internet Explorer settings
                                  PID:4584
                              • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                                "C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe" elevate
                                9⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:4812
                                • C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                                  C:\Users\Admin\AppData\Local\Temp\iivydijocjbosbgc.exe
                                  10⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1472
                                  • C:\Windows\SysWOW64\svchost.exe
                                    C:\Windows\system32\svchost.exe
                                    11⤵
                                      PID:1096
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 204
                                        12⤵
                                        • Program crash
                                        PID:4940
                                    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                                      11⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3904
                                      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                                        12⤵
                                        • Modifies Internet Explorer settings
                                        PID:60
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2484 -ip 2484
    1⤵
    PID:1576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5008 -ip 5008
    1⤵
    PID:4136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1944 -ip 1944
    1⤵
    PID:4268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2932 -ip 2932
    1⤵
    PID:3360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
    1⤵
    PID:4576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2080 -ip 2080
    1⤵
    PID:4172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1096 -ip 1096
    1⤵
    PID:788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: db7c83e09ebc4317f2bf2df7f66b8513
    SHA1: 29d58ef43f72ce7cf79ce6109d038a6c9b4873f0
    SHA256: 1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8
    SHA512: 6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: bff60abf95b9474e77f9c49f0cb4f16c
    SHA1: a6e465103aceb723bef8eafa7882092643599339
    SHA256: 7dcee6f463200b34291e580b32a6063a7e83c600f1e8569611d7d7aadeec040a
    SHA512: 4ef58f36b16500731683eb6a5038257c6e301adcfcefad6ca173dd25bb1c869e7fc50ac7ff282f3f8d9a11921b598bc88578f212fcf9c7511c9cda52f3705e13

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver16DE.tmp
    Filesize: 15KB
    MD5: 1a545d0052b581fbb2ab4c52133846bc
    SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
    Filesize: 169KB
    MD5: 8d7fffdc5fa650429e06d7d7f9b9e639
    SHA1: f072366e3522f1ae05704410af710f95daab57a9
    SHA256: 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
    SHA512: 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

  • memory/216-28-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-9-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-17-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-14-0x00000000006A0000-0x00000000006A1000-memory.dmp
    Filesize: 4KB
  • memory/216-6-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-15-0x00000000007B0000-0x00000000007B1000-memory.dmp
    Filesize: 4KB
  • memory/216-10-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-20-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-22-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-25-0x0000000077C52000-0x0000000077C53000-memory.dmp
    Filesize: 4KB
  • memory/216-27-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-12-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/216-29-0x0000000077C52000-0x0000000077C53000-memory.dmp
    Filesize: 4KB
  • memory/1344-78-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1344-61-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1344-59-0x00000000005B0000-0x00000000005B1000-memory.dmp
    Filesize: 4KB
  • memory/1344-58-0x00000000005A0000-0x00000000005A1000-memory.dmp
    Filesize: 4KB
  • memory/1344-66-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1472-110-0x00000000004D0000-0x00000000004D1000-memory.dmp
    Filesize: 4KB
  • memory/1472-116-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/1472-111-0x00000000004E0000-0x00000000004E1000-memory.dmp
    Filesize: 4KB
  • memory/2484-19-0x0000000000620000-0x0000000000621000-memory.dmp
    Filesize: 4KB
  • memory/2484-18-0x0000000000640000-0x0000000000641000-memory.dmp
    Filesize: 4KB
  • memory/2640-3-0x000000004B5A1000-0x000000004B5A2000-memory.dmp
    Filesize: 4KB
  • memory/2640-0-0x00000000010C0000-0x00000000010C1000-memory.dmp
    Filesize: 4KB
  • memory/4468-88-0x0000000002060000-0x0000000002061000-memory.dmp
    Filesize: 4KB
  • memory/4468-101-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/4468-97-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/4468-93-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize: 208KB
  • memory/4468-87-0x0000000002050000-0x0000000002051000-memory.dmp
    Filesize: 4KB