Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 07:23

General

  • Target

    9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe

  • Size

    64KB

  • MD5

    9346471e3b4106f54d20f2c167c193e7

  • SHA1

    2e151b1db2a91d08d4f03f31a19d07acaa78f1f7

  • SHA256

    ef6dd6131521b34ab9898d602c4d32740c078e34857d7fc766d2d1e88f0f1291

  • SHA512

    b4cd4909308dd1c2c533dc1da9b44cf220eb641501821ea348bf1d2a83fe1f5dd140ef3974866fa2c79961d31a021420be931d3ce9565c6d6ccd7f6b8df9f204

  • SSDEEP

    768:2cmBsIqHpm/zP4axYXeW3yWanZ12cDsldKM6cMfdutNYZV5JAmL7VWMXAfTK9rxP:pazpPGdKMrMZP6qZWD6N7gx/m5

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2368
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 204
            4⤵
            • Program crash
            PID:1856
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4160
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4160 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4220
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4824 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2368 -ip 2368
      1⤵
        PID:2824

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        64KB

        MD5

        9346471e3b4106f54d20f2c167c193e7

        SHA1

        2e151b1db2a91d08d4f03f31a19d07acaa78f1f7

        SHA256

        ef6dd6131521b34ab9898d602c4d32740c078e34857d7fc766d2d1e88f0f1291

        SHA512

        b4cd4909308dd1c2c533dc1da9b44cf220eb641501821ea348bf1d2a83fe1f5dd140ef3974866fa2c79961d31a021420be931d3ce9565c6d6ccd7f6b8df9f204

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        7fecd001d472e28495336306d3e0b570

        SHA1

        7dabf5687a11d1d8f92f8ffd348fb73bf077e960

        SHA256

        d3b1b54dfa02ea5cf017cd692023d382defa55e40749816bbddcc3e8ef5e9bff

        SHA512

        5255e2e7897f3abc246464dacea7d32b54a8bdb88806e9d0f54a3d23e76074e2a88adaa35789c32b68d0ca8d6f67726c9ceec31597f3b05628b29cd52af613db

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        828d71f2f4309e570725f356a2dc9c44

        SHA1

        dbf713ed72faa4794d44294efae8107219455c9f

        SHA256

        3ab2df122d80f4b99e8d7420d32d31b949cbaecadffb3ff11f8ca4c183643f54

        SHA512

        d68098a66ff23a4441021c83528928490a4c61ffd86cdb80541414193ce39341d9248f3e86beec74f8b469808964bcf6bf8da6bd0cb09c516a2af1864adb8d84

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0DD894AC-AA35-11EF-B9B6-EE81E66BE9E9}.dat

        Filesize

        3KB

        MD5

        542dba324b7886e4b6f7321d16a7483f

        SHA1

        13d6290aa9c8ff1ab6790b8f37561ece02fec431

        SHA256

        db52534e371e3d648b4013cc67e4ac2233c090f19a0dfaaae29c35597d2d8c52

        SHA512

        ea16b309c4bad6b2e9c8636c2e2ff7b9740cafa94ebd4861619d546ad406c6a404a26dcb86d4b129f876eacf0c4c68c17804c039cae495ed91535b0325d6e51b

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0DDAF6F0-AA35-11EF-B9B6-EE81E66BE9E9}.dat

        Filesize

        5KB

        MD5

        8175b4c14447815ae8d7193ca1c516fe

        SHA1

        b21be623e753cf0e6b5967792a36fc9dd18a6126

        SHA256

        8fbefa3d9a3505c500cb8ccbea13391b3435e035575df054dbf6a4442720c974

        SHA512

        0375da8d1376b273ff3143701037b45c5844acd24acad079bf1bcb89f9e5522591cffd9a5488677965d3ff6e5c5ba4f36343ecc642197eb973fce42aba87b7db

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver69.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/736-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

        Filesize

        4KB

      • memory/736-12-0x00000000005E0000-0x00000000005E1000-memory.dmp

        Filesize

        4KB

      • memory/736-13-0x0000000076ED2000-0x0000000076ED3000-memory.dmp

        Filesize

        4KB

      • memory/736-14-0x0000000076ED2000-0x0000000076ED3000-memory.dmp

        Filesize

        4KB

      • memory/736-17-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/736-19-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/736-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/736-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2368-10-0x0000000000B40000-0x0000000000B41000-memory.dmp

        Filesize

        4KB

      • memory/2368-11-0x0000000000B20000-0x0000000000B21000-memory.dmp

        Filesize

        4KB

      • memory/3764-0-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3764-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB