Analysis

  • max time kernel
    94s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 00:19

General

  • Target

    f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll

  • Size

    237KB

  • MD5

    f667671bdf5170d3e25e0360817082c9

  • SHA1

    a494e7b08af1c47e8eebe41c7d26e53befeda4d7

  • SHA256

    ce013942a8e802231ad39f922cdea139ce9a737ac20c1b48517065ce5e40f206

  • SHA512

    888473c8a527e441b0b126a84294d523902cc0a57b300f828825901e5558cedef1c73d809e9987ab42c60f6d3c2f1df42fd69542a3634035df1febd2290ceaaf

  • SSDEEP

    3072:C+gMajJFHo/W1axo5W1Om0XxZANPIkWVHtXWKn5PMEzhRxfMGAQKKuqCabTJgrqb:PgLH01BGkP0XWQMahR6G9KDqCab1grwz

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f667671bdf5170d3e25e0360817082c9_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4368
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 508
          4⤵
          • Program crash
          PID:4728
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
    1⤵
      PID:864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~TMA2A8.tmp

      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

    • C:\Windows\SysWOW64\rundll32mgr.exe

      Filesize

      144KB

      MD5

      609c9eadac4c1cc48b5f89be6c36e276

      SHA1

      f047b565fdb73d5b75ffaed7b2faa335e82b3514

      SHA256

      e982967b3a8613149cd29d659a4b4aa6241ef8e4f124458785220e76e8b18325

      SHA512

      246dab455d7b7661126e79bb9b1b2aee2fee26790b8fde0779d529cfceb295b9df2fb5aca2da1ab3d52f22b4157a46ea8b164e7aa02e842aca2cd27076d85fb5

    • memory/612-1-0x0000000075200000-0x0000000075242000-memory.dmp

      Filesize

      264KB

    • memory/4368-5-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

    • memory/4368-6-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB