Overview

overview

10

Static

static

3

eba93dae81...18.dll

windows7-x64

10

eba93dae81...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eba93dae81ba74ca30616b13454867bc_JaffaCakes118.dll

  • Size

    839KB

  • MD5

    eba93dae81ba74ca30616b13454867bc

  • SHA1

    1f3a1d5caf142dfc2f438cc72e9173bfbdb0c713

  • SHA256

    ac82fde6c53315ecaaabd732a628820a2da1a4b83ca030b68b57336e527f2dc1

  • SHA512

    85a93be0c4ad0906f21e06e59952b7e7adbf3f42e97f0277b6981b28cecbed42634c8c440196a27d48e4a9ec2f2bc1c8d58bf79885632666ed740907d996e02f

  • SSDEEP

    24576:9L5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0X33Ws:vK5hPILYHSfeY9nH3/

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eba93dae81ba74ca30616b13454867bc_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\eba93dae81ba74ca30616b13454867bc_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3804
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          PID:3832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    0eb2408dad9b6c5c2af0f3f770cf239c

    SHA1

    23688d12253707cff445ae527cd73be6df353167

    SHA256

    d1e0264cd58cf2defd8bb02f09cff5545e232bdc64bbfd9a719fa64febad8412

    SHA512

    34261bbe1ecdccbb5c1ee70f6dc8ad17a3933fb5e911b4eb53c7d2680a23f2a258cd910ef640c0587b52ec96fa008c49d46c14f5b480f48291916f0822e01f6d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    ae6c3e0285b6e88e46400e53e6ca8620

    SHA1

    49d72a0eedde627b88dedf7dfe5af56d6e92dd9c

    SHA256

    cf99b812d299c5aed1597800931ac84f99f5a42d6fa8733999c2fdb2a7fee4da

    SHA512

    d968fb28aeeecfcfe3b839b41e33a9a220e84e0097f4e2d1b2850fcfb4904ea54a3debd5f143343b5865795c950b19160a7e4ef60f91ea2c2dfec1fea68ff794

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    69KB

    MD5

    a0413f791dee97d5226ff5f2494b950f

    SHA1

    ea3ed6404133f2c4c4b5209846a866a6de3d8e0e

    SHA256

    2509b43548e5e6fd43b0621e3ecd258d0fc044e9b6b2a6ceae7047cbaa1a4cc9

    SHA512

    8ff3b8b123f14ab031612e2ebf2c6352ccee4edf7b799d89b0593182732eb9f86667e428c7ecbc48faacf056ad5be9bd4352a93743d2358db2a491257a2ffbfd

    Download Submit

  • memory/184-0-0x0000000075140000-0x0000000075215000-memory.dmp

    Filesize

    852KB

    Download

  • memory/3452-5-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3452-6-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3452-8-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3452-7-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3452-9-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3452-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3452-11-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download