Analysis
-
max time kernel
94s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-12-2024 22:21
General
-
Target
deb9daacc6e311f2838892636818ae66_JaffaCakes118.dll
-
Size
340KB
-
MD5
deb9daacc6e311f2838892636818ae66
-
SHA1
72a40cff54a2a7351b49e703b26be9028ac1c164
-
SHA256
52e8a95750d0793b2ef97f7c320d09173f4ee99fce82f7635ee78a0040bde9f2
-
SHA512
507e61263905699f8af4956f049d5044352837e9c085eaa23806b2fb6421545e3581a1b725d4c2259db541c1436da2a1f472a59f5ddd13b7ce23b550cb4b04ba
-
SSDEEP
6144:3796iM+buFRMPnEmUYkkmemLo6BHj79sm6x1G18s7FDjHrHe:37RTubNbfOKn79D61ClFze
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Modifies security service 2 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\deb9daacc6e311f2838892636818ae66_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\deb9daacc6e311f2838892636818ae66_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvtql1X1e"rvtql1X1e"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rvtql1X1e"rvtql1X1e"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2046⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17416 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 2046⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"6⤵
- Modifies Internet Explorer settings
-
-
-
C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe"C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe" elevate5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe"C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe" elevate6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe"" admin7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe"C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe" admin8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe"C:\Users\Admin\AppData\Local\Temp\qqrxrglf.exe" admin9⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 6203⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3900 -ip 39001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4784 -ip 47841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3276 -ip 32761⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD587f8376b71b1fd35da4b511eff055888
SHA10c55fba0aa699282bbe4d129dd0ba16d4e377ce9
SHA256a1383ed3b4f8967fb19f5b16bfe41eb3242b296ffc06c1098fbe1d1a04a7003f
SHA5128556ed20a3d9daf8f74b2eceaab6a3773b69d5c9524ba8dbb8af1ad64b2235165e487c41646e357be5906aaa7f0f4c57ff8dc9ea2acc0c87f443d3ad083c9031
-
Filesize
404B
MD55bd2bad8814178aec9ed3cb1681b8108
SHA1a121397ee17431af9fd57c88739e9a7b264055f1
SHA2560398c37574a0247100ef38f72076da3cff87901cbbf8dcdef6c99de572412d29
SHA512afffd29c6c2eb02805326f494dd563f7cd0333934f51e7c6ea9434d072592a094aab9f6db6214627c862e64848c7eed4a540f0bb5ba410c098285ba69ddd5992
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
99KB
MD533ace2a98e6aa56dbd6f1ae58a9af9ae
SHA167de6edab77318d997f002c9884dd08069612570
SHA2568bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c
SHA512ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5
-
Filesize
12KB
-
Filesize
192KB
-
Filesize
12KB
-
Filesize
1.4MB
-
Filesize
192KB
-
Filesize
12KB
-
Filesize
192KB
-
Filesize
12KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
192KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB