Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-12-2024 13:44

General

  • Target

    f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll

  • Size

    224KB

  • MD5

    f4452ffa750b695b3d921c95d4f94eb0

  • SHA1

    bfb105f0c59478d15bfca22fe93ab1962000c894

  • SHA256

    836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fb

  • SHA512

    5cd43273ecc00f27db4e4fc3da225c181130f7ed9c4c6937ed2578a2fa28c21fd42682d639555f5af69ded931985bb89347c130ac7251a74b2935abc06ec7c6f

  • SSDEEP

    3072:ZGd5SXa28vl8juKJcXV9lCgGNlx91xaafMWtXZDPEs3K0G:0d5h7+juU8V9rGrr1xaaflpDPEs3HG

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 10 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of UnmapMainImage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              PID:532
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 204
                  7⤵
                  • Program crash
                  PID:3972
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:808
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:836
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:1424
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2236
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2352
            • C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
              "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:4824
              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of UnmapMainImage
                • Suspicious use of WriteProcessMemory
                PID:5056
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  7⤵
                  PID:3372
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 204
                      8⤵
                      • Program crash
                      PID:2668
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    7⤵
                    PID:916
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      7⤵
                      • Modifies Internet Explorer settings
                      PID:1152
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\system32\svchost.exe
                  5⤵
                  PID:1852
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 204
                      6⤵
                      • Program crash
                      PID:2260
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:3128
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:3540
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe"
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:4600
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:17410 /prefetch:2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:64
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
    1⤵
    PID:3888
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532
    1⤵
    PID:4320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3372 -ip 3372
    1⤵
    PID:1148

Downloads