Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 05:56

General

  • Target

    f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll

  • Size

    96KB

  • MD5

    f79e89a0711a923d6c65ba893f8f4191

  • SHA1

    1dc38c3467823cc4434dd34d95b7bf08a38b4452

  • SHA256

    106943d35578ea72207bbb7df6733a5bcebc4c99c9aaec9e752caf2cac841408

  • SHA512

    9a1dfb174b02d6cd2d6626b761d6810fb20b1c0344f9795b6271c3e20b6623962b24c282c3b90932fa0012099c7998b5878e7f81180fe0da36b83723c71b00cd

  • SSDEEP

    1536:TiBIdkwPKXBTRJV/sE3IXmKcnb05pDnR3ruPycZzGreQsjsQ:uGd5SXNXV/smxnb03day+iU

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79e89a0711a923d6c65ba893f8f4191_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3116
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 208
                6⤵
                • Program crash
                PID:1028
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1356
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:32
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2376
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2972
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 608
          3⤵
          • Program crash
          PID:4964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
      1⤵
        PID:4924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3116 -ip 3116
        1⤵
          PID:3988

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          cda3a1245093d86501ad9761f10320fa

          SHA1

          9ff6b95b0a72732f8afbd9504fa640bec134b498

          SHA256

          eb60e5aa4327f06e072f6b97c6a52532aa55d5a5dc53e1d48ecced85da6214dc

          SHA512

          51abd474d484588dd1cdc5580cf28d6a5d0481a4488f1f5b8a491c4f30ecaf5ba8cffa9c9ac696358d6725c6e290e8d28d2e3984d3d55f0ae496a65bc4142a1d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          114e1fa7471cf819b4c48034ff706401

          SHA1

          e3d1cf82c98053b0474f42698ba1353e7503ec6f

          SHA256

          17e8decc49fe57d3e997c27abf494856490f4b37f7c2088211d527ee008d7fb9

          SHA512

          b4ac9a408f44a4548ad3168f8bc6bc7f445ca5c37c9d149afe7266a270baa4f29c6184bf20356020db8495a4de5107e975ffc880e8e1b4302d72bd0f4aaf91c4

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          b0a2de73ae910a0527e8652d9f29ef2d

          SHA1

          ab23d24d7a5a72615e537cea23a1d5864463f1e4

          SHA256

          3917840c9980cd5d536e4a6385816b407dfdf7639aba04bd258aa2d6a12c2f1c

          SHA512

          e70f8e301c767e7fecad62fbc50967bcd7f2ef8da9de7dc3f51a702f252b19602d5fc1f4a7d43c41f4a79dfd567e219c7e5e6750b3b13404a1bbaaf5210b0624

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{794541F0-BB72-11EF-B319-DA61A5E71E4E}.dat

          Filesize

          3KB

          MD5

          ba663836931cfd82dabc14bbc5d37f1f

          SHA1

          bc9a564c254a254b926acfcb39aeb270a6ec821a

          SHA256

          8ab5f5dfafa8870daf2618f33ab5826ac03e67c745fefaf8359e4f8615955215

          SHA512

          2ab4621190145c38a5a64f2b6b210caf96f05d277443741b544b5dd40b3842c59b3c15173da4a60fc8274ed82301f7ff05e17b781515b3342155ac69d782bef8

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{794A06B4-BB72-11EF-B319-DA61A5E71E4E}.dat

          Filesize

          5KB

          MD5

          47a845893c6ada740af89dc58a54adfb

          SHA1

          b885df402a7b4e781b279edcb4a41b79037db0c2

          SHA256

          13a3d0dc5da52740d7a158b767ef1ace22811f1965ffc4e818558189eecb3129

          SHA512

          9a34376560ad5a149f636f470a27969830b74433850d41228f8c625b3e88229b1c9a0c6b656a837d0df5955e1c593a49a232e58961982ac80e1eb8ade79691a2

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2093.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          60KB

          MD5

          cd963c64ad0bea4ca85a4819f6eefed1

          SHA1

          d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

          SHA256

          33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

          SHA512

          f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

        • memory/1588-1-0x000000006D200000-0x000000006D218000-memory.dmp

          Filesize

          96KB

        • memory/1588-33-0x000000006D200000-0x000000006D218000-memory.dmp

          Filesize

          96KB

        • memory/3116-31-0x0000000000700000-0x0000000000701000-memory.dmp

          Filesize

          4KB

        • memory/3116-32-0x00000000006E0000-0x00000000006E1000-memory.dmp

          Filesize

          4KB

        • memory/4308-40-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4308-28-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4308-27-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

        • memory/4308-30-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

          Filesize

          4KB

        • memory/4308-34-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

          Filesize

          4KB

        • memory/4308-35-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

        • memory/4308-36-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4308-37-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-5-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-10-0x00000000012B0000-0x00000000012B1000-memory.dmp

          Filesize

          4KB

        • memory/4528-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-6-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4528-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB