Analysis

  • max time kernel
    120s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 05:39

General

  • Target
    f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll
  • Size
    200KB
  • MD5
    f79006ba2a3876ab9305195cc8d0c2f0
  • SHA1
    9d21ff94924ade4cfa131191a9a7024027e9beb1
  • SHA256
    eb42d640fd9705235e742c0f81f14065aefdaae8217639ba14486d6ab8eb6fee
  • SHA512
    daea132cf93e5e6ba419bb413613c35e24f324abb4ce5f403adbfe4a03d0deaa32db3848e2acc00b980d134c1cf9354fb151bfc4d713abe5066f55bb0f4fcde2
  • SSDEEP
    3072:DOBOLWXivHYMzv2HvP5YeBTEEP2831Vr/rF8QOSta7Wefkka+4BCLUIXCjtmVlGJ:DOp8HpzdQOStKIdSUIXCYGcDlTVE

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79006ba2a3876ab9305195cc8d0c2f0_JaffaCakes118.dll,#1
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1000
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2988
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2864

Network

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{293A0431-BB70-11EF-AD2E-6E295C7D81A3}.dat
    Filesize: 4KB
    MD5: 165eafa416eb346a69b05f602a62a51a
    SHA1: ce985a530149c1aae45b661f6bc868101f5d0c8d
    SHA256: e296651f939a2b406f62152a4108483ef995f4990d7665828bbb5e02fd82c163
    SHA512: 87871b6e3fa51e6fbdd16e032d6d3411f44904bbc1d45a3031ef714fb48c9e6a232c4cb5b5a3030ab743e8245b9cfc369525aeb51971e5ad754f0c286cbc1b44

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{293C6591-BB70-11EF-AD2E-6E295C7D81A3}.dat
    Filesize: 5KB
    MD5: 1676d4d28982ed090d5a51c3f14a89d0
    SHA1: 574a5550bd322d7403da6dc5639e783b2aafde29
    SHA256: 703f099546f431b94ac01deb695fc53a4a0f4ef3948bacb35756f4b10b14ef9c
    SHA512: bb8ee17c439abdc44b145cadc5ceb2ea7d9a181f062e64c17613730112335e87b5dd27bea38a9d09108fcae03b43a9f1515cc68663ac4d4672fbbd44da438398

  • C:\Users\Admin\AppData\Local\Temp\CabE534.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE611.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize: 101KB
    MD5: 1f92a7cf627f4c7d554d28326f1da954
    SHA1: b7befe20fd68856539347f0650473b6dad504863
    SHA256: fee6b0318f0ba98b8df448017226ad900167f9d7cb1d21d603f5da3022f29e00
    SHA512: 07c8d54b2b68f11b9a05fd652f0dc5b3bc30de58eb20537846763bc011e64496c0636a8e37abbc96d07a6ff9c304141e38e8f0453760d48f753343eaa319fec5
