Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 01:08

General

  • Target

    984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll

  • Size

    272KB

  • MD5

    984c8e7ac695f9968bcc99bbee6bc344

  • SHA1

    08d56c10e70bdf6c2c88b50a76c281ea141b56c3

  • SHA256

    a862ceb0054409b5bdd7dce8ee74a98b4d81d1c3d910596ddb8eeb06922724a8

  • SHA512

    04cb464cfa10f96cd62701c7a054ca657ecc1839cf580f99164342d2b6a95a80c136b7e91af9b5e7216146cb1feea627855071065a6aae6a710ba1f8bcc196f2

  • SSDEEP

    3072:Z3BWcSZ2ShqnTTHQ+4+lB66EdOuqzsi/I14FI+fbeNUJRQ:Z3BWc7nb436EdOzsi/ZI+KNb

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\regsvr32mgrmgr.exe
          C:\Windows\SysWOW64\regsvr32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:216
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                    PID:4404
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 204
                      9⤵
                      • Program crash
                      PID:1492
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:5012
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5012 CREDAT:17410 /prefetch:2
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:3008
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    8⤵
                    • Modifies Internet Explorer settings
                    PID:4656
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                6⤵
                  PID:2760
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 204
                    7⤵
                    • Program crash
                    PID:2344
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:4172
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4172 CREDAT:17410 /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:376
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:3424
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3424 CREDAT:17410 /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:4088
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              4⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:1936
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                5⤵
                  PID:2292
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 204
                    6⤵
                    • Program crash
                    PID:2776
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3168
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:464
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:5112
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5112 CREDAT:17410 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:3524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4404 -ip 4404
    1⤵
    PID:2164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
    1⤵
    PID:2300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2760 -ip 2760
    1⤵
    PID:760

Network

MITRE ATT&CK Enterprise v15


Downloads
