Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    16-12-2024 01:02

General

  • Target

    f691160e17a3118afddcbd578676e8c8_JaffaCakes118.dll

  • Size

    236KB

  • MD5

    f691160e17a3118afddcbd578676e8c8

  • SHA1

    2d1a31a313dda3b3345bf45ab7811cabf140306b

  • SHA256

    e8799123eb7ea657ed640c7b31b9a8fb45ab53c48116eee0f0257b99d5863d63

  • SHA512

    dbfd6858cad07bd5b3f852d5765f5b75fd0d0e39923c7cf240a8982759ea4f35dd999c1479d102e190ebd1b09e4328e2bb5118df521f27d14bf52490c75e95a8

  • SSDEEP

    3072:iNzt20uHs4Lhun3AZi3SnTyS72V7jzzCqHwJHoc8WqR0Mcve+3h0Lp2k55jXkNPt:azFn4ut3Oy+2xjXfI8wMcvpSNh5op

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f691160e17a3118afddcbd578676e8c8_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\f691160e17a3118afddcbd578676e8c8_JaffaCakes118.dll
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2416
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2760

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    32c1e6b91929269a98b3850308e395a0

    SHA1

    5ee8f87c5c6881f988aa7dc0670d36ca52b6fe4d

    SHA256

    86db68bbde29198cfdcc6d3f928d8543d81adcc07b82c84d10eaafcc2e42d8dd

    SHA512

    2253c90f47a0afe3b4e37837846f0faf63c716f5bfa1d73f0339838aa5187a6c438a9c5431933dfe793c64f927e2311eabf4cef1a64c925dd414e8001b3b69d7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    48f7322b9ea1bcc7d05489c4e93545e3

    SHA1

    e16aba77e43d08ada06589198fb3c4824be46931

    SHA256

    6afcce6a19354153e55ed8c396d724dd2ea01e6409042ebed73190222c99be0c

    SHA512

    728100ff6b47abb7b18dd774777f62e708597881e868f23acba57a7e7f86b2013c0f0de4adc5a4508f3acbecf01ebd8d770c626f19a4f5829a3eae347cd7f64c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ba5755b0c798f1d97c5cd521ddb7102e

    SHA1

    231bf04d739338ea1a781336ea186c03504edbec

    SHA256

    eea10e8b34f92b39115e49cc6fd6cf7fdcc4a2b45083bf7e8cc863e9b2d0f2a6

    SHA512

    1570c9e735fdcda2102f0d0d662e52cc37517997645fdea090808ac19452da671e7692f169d11276fe17935e645ecb269aa7533a4145be76f1106ee3c8806370

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dbe24ad6eb90b69dc92817e85f1a9066

    SHA1

    375da827f6cfce0947e57684f270da98401ee927

    SHA256

    8ded7f68f19d8d20226effa4b737bc74cca423484f9adee258b61c21aeaac7d3

    SHA512

    96e4c39d07f400bf2d56996cb48ba84896184e6cc7467231531512ea004a63bfe63398808ce228a76a8c13faf5a68de02886068096ea14cb0368084fb082796a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ff79d506af6b5e28d4ca036f072f770f

    SHA1

    cbb669bd2a9bb685f95b7068b8ded4ed534e528e

    SHA256

    0caab4f6d813c8872450d1a764c679b935908d422541114267fb018e771ba327

    SHA512

    b904b65b2423cc89213e3ca5d1794bc43060df526aa518db2f79ef12d3c2936cd409c06be6e2ec66f99d02e4e4506869149663697bc62df4ea6d26dbee692f40

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    42206ad443a84e5933bac37204385f52

    SHA1

    a7e48ca91425a6265746e1eb8fba0a2e0a5e7562

    SHA256

    84c89da9178bd5fba53a10ff7365913da35eb17d411370bba27d558f6ac50e1c

    SHA512

    96082c007c88fa56b61b3b92995ae0783fa7745f7f9921e6c0b806b15ef68028cd0a53a22604b95ee6dff1c178aa85904490ba04d5b2474bccefafd64c755caf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    90143dc55b8c6da24d0003e8b716689c

    SHA1

    59986c2ff03ff4eaab32c71ecc2d27be751c9ef6

    SHA256

    7f776acfbd3a587b99f7abd88eb13bde53adfe4bbb236334ef266f47838fd0cc

    SHA512

    712bc40a70617e10edacdccd33070a050952a1394da23c5f378ac54d488a93bb22f201709450d91a96873c45d79f07baafd70bed0a894ca6fafdf9a191ba90d1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d4b92949e5de69b5d803cc939fa2400e

    SHA1

    2154f84e7e2930262c62d50244785435e8a9a688

    SHA256

    336928f984997fac4210704fc86ff0900ac55109be18f491ea07561b463c36b2

    SHA512

    d1b9ebfd672cbcf84512ed20562de0b01d4415b27a2f61806a895c8dfc7dd0fe3d4e55ce8b3530ae0b62b9097cbf90fd3bce6e32a7d1bfad3f7706b7c51d8f99

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4263fbc025eb3727d7fe7c78c5cc5e51

    SHA1

    0387431efb5e8bf2b468be6e5c146cc3054f5270

    SHA256

    f5303ab34c20a0bcb9e8000d85827f79130ca49ed9c4e6a7114c738196d71e98

    SHA512

    7b21d6ed5f9cd9a5317f12e8949bfae146d7845cab7b89d1fce7be5df6007cd623e7cddb01057fbb050cccf995fc3925f95dee077030dbf5170627403f163d35

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec285cd5ad482e3363183e14634eb710

    SHA1

    2d6d300390ee8cc755e64927cbff0d36eab31522

    SHA256

    f6a7d038a6310da710eacfbf2330d7ed5e5bdd469429c651fe0a71ad9ebc96ba

    SHA512

    6fef3118dbd775848ae35122a2e462fb1aa6332de25c8fc5e285f82251d8d93194306a322e15155b61f0fce5814b16832305b384b81dbe276a3b99846cb1ed6f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    98733738b6e10445d0d31eabb3d82a8d

    SHA1

    c095b2ab14ed02c5145b08db9e0d1aaee2ab03ff

    SHA256

    d067bd2ee08cfcb1c70dce81d598c3175ed2db33c54ef99e6b8cf6fa0431ae86

    SHA512

    c2ca89cd4d0e6243d57690df91028e2cf4d3df16c4bd2a3c2fda4b6e4d09cec15ba647c076b079c4d18797498d98088fe4f9b8648382ac44443af8dc52f298bb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ff50cc029f657bf0c71f1694e300c30f

    SHA1

    772753e97b8b4e223780c55b8c517feab0530423

    SHA256

    1ffbbf81d02320573e645d0e1335815ef0db6941d88dbae91c30c76df20510dc

    SHA512

    7f6f9b9da2e58fe66cc059d3665624f21d5e5f43eb062d251cd0e90d346dc335ac50d80d226c57b7f02e45eda99059d9d18c4b7d5ea709e1bcec70c68a08cb3f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bd25a7d15e76d028a5981145b60260f5

    SHA1

    7a4ced8546dd6fe4ac6e49687bd16417036b2793

    SHA256

    b5f159e50a66198740574a2c6a80dfe8298c2b458d5b63a6ea146bd924e00e4d

    SHA512

    b907e430c5dbdceb8fce32f39764deaa519d33cd020176e4fb0e3dcace9759f7ef530e430a4b209ab5ba9cbca57bd0dd8696f1c067b8447671b7dc90d9fa9521

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a518cfc72efd59b49060ca55f4194d1f

    SHA1

    9b964f28b50a75f2cc8f4466d284d4bb286e6d61

    SHA256

    83e9ecddcb70a97430cfa28185ae3d5e024b67d1c4fe768072d011f316ff4805

    SHA512

    e5a8cca822760d43e389053dc4cc5f4d26b397887e7f460924f431ffeb398bccaa6e01969dd83f03be60573f24fa4a84483857650caf64a4c7a553b417e90bdf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a177175b2bbea99859b6ebfaeb8dd3a8

    SHA1

    9035b30a68707918d935e2eab74e4b6501db95b4

    SHA256

    2d9693e231d836dc4798b872aceb2452a9a8034d15dda680a34e852c8f618e28

    SHA512

    60da770633cca11821e722c99608d86f7f0be210c391e065bb03b9694de3437b5d5e185fdfa3f2ab466f19ec9197b97db85fb07735277e67270f5b65dad7d57d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    308ba8077cbc79ac55f6f34d92653304

    SHA1

    94e5eaacc0c04f8c6b3e343635fa9f4a0d19ce4d

    SHA256

    0a1c98d0a98995fe584f006ba4ae4d9d8bdde26e109630a7a621b3696af82b74

    SHA512

    dc86501760f92a74eb396919629fd016399d84559a07b91d48a958827eae8ee38db36335c4060be540e5499f7b30820390699577948ca811d74f37d9ec3f2607

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    be061669ccfbd06c54dcbe1d176eef81

    SHA1

    e94158f6711ae565af3612e1941f7c9aab03d895

    SHA256

    b0ef6d1a3f47d8d7814a93f2f3df96a2986b41830e24df7866f9b53fab3f874b

    SHA512

    3d36c55f2fa1cb67b55f45698403cca4af42c882e88d2d75ac8141675e82e4c3b6fabd591a06e2f6b8234a5e6662e26840876a78f9746564dff552d66e53daae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec9c306d8a007c98dcbf0efd337de400

    SHA1

    984711f3b5b938b8c0c93ba87f86986d84da8868

    SHA256

    4740966b4bc800b4ed1fc859032e6f994f4a36f407e3e525cfe6b5543b3cafa9

    SHA512

    6e4f78fe3235822002190dcc6762b393a691ed9a84b21b5fc27f9ab2f5ba508bc36bedaf4b688504a81767aaae88e688e1259cce89cb8234995718b470f711fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    283f23838ff2895706d97182e79fe22a

    SHA1

    00c3ed571c85f7d1b715932ce161ebb627f0f5cb

    SHA256

    3fd16b0e08781623494cb4666d90ba76826511b090b8160a772a994f91af4a06

    SHA512

    9c596735586a4d62b1b5820c5ae5c1a903da007321bca2721e2ca162781c0a4201fc15284f9b3a59a91bfe080572417b428a34b2393531529a17a954efa0e551

  • C:\Users\Admin\AppData\Local\Temp\CabE532.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE5F4.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\regsvr32Srv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/2068-1-0x0000000010000000-0x000000001003D000-memory.dmp

    Filesize

    244KB

  • memory/2068-26-0x0000000000190000-0x00000000001BE000-memory.dmp

    Filesize

    184KB

  • memory/2068-6-0x0000000000190000-0x00000000001BE000-memory.dmp

    Filesize

    184KB

  • memory/2148-17-0x0000000000240000-0x000000000026E000-memory.dmp

    Filesize

    184KB

  • memory/2148-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2148-7-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2148-9-0x0000000000230000-0x000000000023F000-memory.dmp

    Filesize

    60KB

  • memory/2360-18-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2360-19-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2360-22-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

  • memory/2360-23-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2360-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2360-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB