Overview

overview

10

Static

static

3

d9e42c15f3...18.exe

windows7-x64

7

d9e42c15f3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118.exe

  • Size

    322KB

  • MD5

    d9e42c15f3e2a812d1a3310c9484eccd

  • SHA1

    943030dd9441bdfc1e08fb2d7b56fa6c739b17de

  • SHA256

    18c2096859755667123361128ebee0e144fed0a9265da9f27349c6d306af0af2

  • SHA512

    14e8e0834769cea65899a989129fdab1b5a6274cc02bea8b0a44c367789829387455117c18c3379c13ab96c38ece4ef6de3c4141d96bfe21a79a77f82c6b265e

  • SSDEEP

    6144:2Wg2uJpPt/p64k5GjBVOTgyvOdZQGRZ4zytbLr:dg2uJpPtxIGjBgCZJ4zk3

Score
10/10
ramnitbankerdefense_evasiondiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs

    Possible initial access via DLL redirection search order hijacking.

    defense_evasion
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:3848
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 204
              5⤵
              • Program crash
              PID:4212
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4940
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4940 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2256
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4516 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3848 -ip 3848
      1⤵
        PID:3340
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x518 0x524
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        2d1847b341a938389fc5b14b0bcd9eb2

        SHA1

        4036e71c4002e7ee173d59dc84a9cb5aa1390d34

        SHA256

        275c7427c6238d335e521a313e6cff2357b16e645202f11e3433cd56539ccc32

        SHA512

        384e910821ee8b786f70b5358f120cb3aea47f0e50d1f5c6e4c7304435c7d88f2c5ac9027c73823916149a369ac1c7640c18b13db8e6ee740c963e1b8bd51428

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        0d39129ae2805e23f5b9effacb4637c2

        SHA1

        422f9ff3beaf54249d9c9d52d4c53e51c4588cce

        SHA256

        d2c5e2ecc36f9d569196906c54b8a2d5d7d63b5f449fcbef1c48374c03289038

        SHA512

        61c3d0c310be84468a9d4ee8bf78ce2526135c4d59b73b1afd2cb9072578691a4f986349953ee608f761780441ea58e5e1287458c7e3e086ffa46a14796fb935

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        721a9a2ce7e811eb16d033b2b0c49555

        SHA1

        1d3a4980f31668de0dd76b742ee78838d843ebfd

        SHA256

        dd72b1ed6e905e12f292cbc5e481d6ae32aa26561697fffb3a0868e05406d2c0

        SHA512

        038036970059cdb8f427bd82d626b19603b78824175272e33869e31d0c32df7f77b948f22ee99842f691c604ca195e404623ef53e83cae087626fecc6ba161c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4A3CFA1A-B633-11EF-A7EA-6AACA39217E0}.dat
        Filesize

        5KB

        MD5

        e78caf9990e615ab7b007bf300b9252e

        SHA1

        6110978590deae1dd485e2392ebc6a4c7381d91a

        SHA256

        d51ac1859a9da8ff5e62e18be2fcca2437861c576090236f89df00818a13f583

        SHA512

        091ec341da288b3ddd882fdcac93b73277752f23072d1941ffd0aa73c0229ad44fd6b6d086ce13aeffee24bbe15c74dd3f930e0ef09a54ac8ed5c19f2e9cb2c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4A3F3E1D-B633-11EF-A7EA-6AACA39217E0}.dat
        Filesize

        3KB

        MD5

        4e5fae22a71a70d19d65720e90ead7de

        SHA1

        d99165f66133c5f4756732f0480254093670816f

        SHA256

        2dad9690572e1fb6be1b8e6b77160825e42037ef5a45ca605182e28e4ba089a1

        SHA512

        2fc0e5692cda975c4219053249f4a2c5cc996e9c5b4766cd2e83f27b1c997e57951d69ed0c94b2b820f7ce03690e7833f98fa0155de90a22f3670e36376d76be

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2FE5.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bassmod.dll
        Filesize

        9KB

        MD5

        780d14604d49e3c634200c523def8351

        SHA1

        e208ef6f421d2260070a9222f1f918f1de0a8eeb

        SHA256

        844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

        SHA512

        a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\d9e42c15f3e2a812d1a3310c9484eccd_JaffaCakes118mgr.exe
        Filesize

        60KB

        MD5

        94f2f6ffbba8e7644668b51b39983916

        SHA1

        63357bbdf90101969117983dbc0d4ed0e713c4d7

        SHA256

        ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed

        SHA512

        d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Wplugin.dll
        Filesize

        108KB

        MD5

        8847a8302dacc1d6fca61f125c8fe8e0

        SHA1

        f399142bbf03660bee1df555ebbf3acc8f658cf0

        SHA256

        9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

        SHA512

        2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

        Download Submit

      • memory/1008-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1008-40-0x0000000077D72000-0x0000000077D73000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1008-57-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1008-56-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1008-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1008-37-0x0000000000900000-0x0000000000901000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1008-53-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1008-52-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1008-51-0x0000000077D72000-0x0000000077D73000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1320-0-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1320-77-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2740-20-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-17-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-18-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-21-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2740-22-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-23-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2740-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3848-48-0x00000000010D0000-0x00000000010D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3848-49-0x00000000010B0000-0x00000000010B1000-memory.dmp

        Filesize

        4KB

        Download