Overview

overview

10

Static

static

3

f398732653...18.dll

windows7-x64

10

f398732653...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3987326538e5cb56782d1a4d9c73819_JaffaCakes118.dll

  • Size

    272KB

  • MD5

    f3987326538e5cb56782d1a4d9c73819

  • SHA1

    7c8eebfd02d9791cafff8ebe0c45be90aaf6121b

  • SHA256

    b67453daff810578504caff00a43ec9f26b8c1808a0872af086852200adb03e5

  • SHA512

    f75000799ab66eb6cb28b5d5c6177849bc8bbd5eb5b748b412b1ec2964a443e607362c46c241f2169d50ca21d7855b660fdcf23a92a8c76f3b0c231ad26290d2

  • SSDEEP

    3072:wuE+8MXzT68mUZ7v92xfJXxg0phoLQtGv3dpSclFClpI2OrOmhx+LW1zn:wuE+8M6uvwZY0CQg1KlpI2SO0+W5

Score
10/10
ramnitbankerdiscoveryevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3987326538e5cb56782d1a4d9c73819_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3987326538e5cb56782d1a4d9c73819_JaffaCakes118.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
        "rvtql1X1e"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
          "rvtql1X1e"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3192
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 204
                6⤵
                • Program crash
                PID:3800
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5092
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:5048
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2492
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17416 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:5052
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:1072
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 208
                  6⤵
                  • Program crash
                  PID:1736
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4312
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  6⤵
                  • Modifies Internet Explorer settings
                  PID:3936
              • C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe
                "C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe" elevate
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4292
                • C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe
                  "C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe" elevate
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:448
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe"" admin
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2544
                    • C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe
                      "C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe" admin
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3940
                      • C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe
                        "C:\Users\Admin\AppData\Local\Temp\cwcrburr.exe" admin
                        9⤵
                        • Modifies firewall policy service
                        • Modifies security service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3192 -ip 3192
        1⤵
          PID:4744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1072 -ip 1072
          1⤵
            PID:3492

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            07e369ebdbb322a72367beb15fea66c2

            SHA1

            7772c54598e1862ebffe373b494651ec745f6c9f

            SHA256

            b50e533aec8439f67cd49f1119099293c18626136694d72fc4c5b00f950e8e0c

            SHA512

            65f401db96f0e2c1a1ae79528087ff3e2e24bb5353425ecf93c884519aaf950422a6599f2e3afe6839070071d033ea8d19c546d5493aa511beb97c6fea5ba0f5

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            00f6fc2354065c588ae7e9fd26671dc2

            SHA1

            cf3975e071fd586091b08834533b9b3c1d48d2e9

            SHA256

            74e41cd8c3af47c1a47c6450918e891a4238f008fde67da8d209d09e38ca95a3

            SHA512

            fbef02e41b77012c42ef901a1a1471989b01bbb046745acbaddec0641873100d1f0456464c296ca731f6d6cb032828bafe2c9a4e2c06361d2ecd584484f4c225

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • memory/448-66-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/624-83-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-27-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-31-0x00000000779A2000-0x00000000779A3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1680-15-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-16-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-21-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-35-0x00000000779A2000-0x00000000779A3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1680-34-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-20-0x0000000000670000-0x0000000000671000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1680-33-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-19-0x0000000000550000-0x0000000000551000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1680-11-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-26-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-28-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1680-14-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3192-23-0x00000000003C0000-0x00000000003C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3192-24-0x00000000003A0000-0x00000000003A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3940-81-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/3940-72-0x0000000070440000-0x000000007059D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4208-0-0x00000000008F0000-0x00000000008F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4208-4-0x000000001001A000-0x000000001001B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4292-55-0x00000000001C0000-0x00000000001C3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/4292-56-0x0000000070000000-0x000000007015D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4292-68-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/5060-17-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/5060-25-0x00000000001C0000-0x00000000001C3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/5060-8-0x0000000075230000-0x000000007538D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/5060-7-0x00000000001C0000-0x00000000001C3000-memory.dmp

            Filesize

            12KB

            Download

          • memory/5060-6-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download