Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...a4.dll

windows7-x64

10

JaffaCakes...a4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2024, 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0008385427c02ec75fde6fb5f8fa1da4.dll

  • Size

    296KB

  • MD5

    0008385427c02ec75fde6fb5f8fa1da4

  • SHA1

    bb7a6683c933f874905a651c86bca33be436bfd7

  • SHA256

    7d102ee5b6814fe26ca865938848ffa3db1061e6e683c5637e5c11beb257d550

  • SHA512

    b8b3c0b0da26b901d8104498d951194f5653c6dabec9c27eecea407f3373c43c5eef502f52726e4ada259aa03391a241b3e3af52404e12e5369b0aa2bc7c0f3f

  • SSDEEP

    6144:zka3JDB+ISjbaWkcmU4HpkBYY3xAIo8Il405AlpLZhcnsmMXl7C81M3dR1lOeFal:wa3JDB+ISjbaWkcmU4HpkBYY3xAIo8Iv

Score
10/10
ramnitbankerdiscoveryevasionspywarestealertrojanworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0008385427c02ec75fde6fb5f8fa1da4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0008385427c02ec75fde6fb5f8fa1da4.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Users\Admin\AppData\Local\Temp\6xDn2t3
        "6xDn2t3"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:1560
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 204
              5⤵
              • Program crash
              PID:4060
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4452
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:744
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1184
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:17416 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:816
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            4⤵
              PID:2112
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 208
                5⤵
                • Program crash
                PID:768
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:32
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                5⤵
                • Modifies Internet Explorer settings
                PID:3216
            • C:\Users\Admin\AppData\Local\Temp\awnilygyapippnrw.exe
              "C:\Users\Admin\AppData\Local\Temp\awnilygyapippnrw.exe" elevate
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2076
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\awnilygyapippnrw.exe"" admin
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4924
                • C:\Users\Admin\AppData\Local\Temp\awnilygyapippnrw.exe
                  "C:\Users\Admin\AppData\Local\Temp\awnilygyapippnrw.exe" admin
                  6⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2708
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 636
            3⤵
            • Program crash
            PID:2420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4888 -ip 4888
        1⤵
          PID:4752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1560 -ip 1560
          1⤵
            PID:3420
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2112 -ip 2112
            1⤵
              PID:464

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              e5e877bcc2542ab8629d8f34bafcd7f4

              SHA1

              8f618efa1584268e9eafd2b01c2a2ac006113c01

              SHA256

              5e63bcec102963b96b1f7d08ec512431a0ba748f90134dc51a05046296541e9e

              SHA512

              79153f941ae2cc4a5649ac729f03dd3f98df24d5084e36d14467b2a859e6d63fc4167feac24e7b519a9e179fb243447fe6d09519169b11e3151d5cc467e4c9d4

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              404B

              MD5

              cedaf5fed187880cb8b91e4f8d53d9e3

              SHA1

              d746781e3a1df3bf079e1272f706fd8012d9aaee

              SHA256

              9f357bdd60d686f7bb8bd284512045f3c3bbcaa799902bf030b754a4b592aa06

              SHA512

              7aa44bc8e6da8b3b268b2c25a9c88ed5c450bd0ed2c31c7318c190850a6f8edd7e53d78dcfc57c5bf808c6a0161a3a901c15d64e325529b8dd2c33a028005381

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\6xDn2t3
              Filesize

              91KB

              MD5

              e9639538d169c463914f6b2940eae754

              SHA1

              9d4fcf5d5cf2dcfb1ec07be9861b946f81f91647

              SHA256

              d36631b46cdce695237f408057ca3463a2487a9a9a32887e8b5001ff50c0718d

              SHA512

              b8b708a2ebcec4897ce27c97caf79105f0500937f0ec716f72aefa675968479645c0c5ddf8aa73ee7d12ff4ed565a53436902c7a1477c007bd2ce21a14d0fb21

              Download Submit

            • memory/1560-13-0x0000000001000000-0x0000000001001000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1560-12-0x0000000001020000-0x0000000001021000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1800-9-0x00000000005B0000-0x00000000005B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1800-11-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/1800-8-0x00000000004C0000-0x00000000004C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1800-19-0x0000000077272000-0x0000000077273000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1800-15-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/1800-20-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/1800-22-0x0000000077272000-0x0000000077273000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1800-21-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/1800-5-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/2076-39-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/2708-45-0x0000000000400000-0x000000000043A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/4888-0-0x0000000000990000-0x0000000000991000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4888-3-0x000000001000D000-0x000000001000E000-memory.dmp

              Filesize

              4KB

              Download