Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-12-2024 03:43

General

  • Target

    JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe

  • Size

    692KB

  • MD5

    031ec4623ccb76a9884c4ce825fe32c0

  • SHA1

    4ab1bdd87acb98e7b237161c1586c9e75b934b5e

  • SHA256

    b111298369fa0dd2a784daa671f93dc0c5d3c0d566d39a00909fece66502da69

  • SHA512

    ccca0649f513dafeb27f5d38f1d44fad83d7a14ac25f6152611eb4448b5c4933ac0e104b6f9ca8baa35f0124979166b94593c5f36eb5fc5dfbd36bf308563602

  • SSDEEP

    12288:fZ5gBxN+oknk2HXsMw6x2beVaD9TqOQXUW7VV7:fZDzkCXsMPx2esD9TbQfb

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that has shipped as file-infecting viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 4 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
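The "UPX packed file" signature above fires on section names, which a modified UPX build can rename. The following is an added example (not part of the sandbox report and not the sandbox's own detection logic) that reads the PE section table directly and reports both the name-based indicator and the structural one that survives renaming: a first section with no raw data followed by a high-entropy section. The PE skeletons it builds for itself are constructed test input, not the sample from this report; the entropy threshold of 7.0 is an assumed cut-off.

```python
import hashlib
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte; 8.0 is uniformly random, 0.0 is a single repeated value."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_table(pe):
    """Walk MZ -> e_lfanew -> PE -> COFF -> section headers; return [(name, raw_bytes)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    off = coff + 20 + opt_size
    out = []
    for _ in range(nsec):
        name, _vsz, _va, raw_size, raw_ptr, *_rest = struct.unpack_from(SECTION_HDR, pe, off)
        out.append((name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]))
        off += struct.calcsize(SECTION_HDR)
    return out


def upx_indicators(pe, entropy_threshold=7.0):
    """Name-based and shape-based UPX indicators for an in-memory PE image."""
    secs = section_table(pe)
    names = [n for n, _ in secs]
    named = any(n in UPX_SECTION_NAMES for n in names)
    # UPX0 holds only virtual space (SizeOfRawData == 0); UPX1 carries the
    # compressed payload. That shape persists when a modified UPX renames sections.
    packed_shape = (len(secs) >= 2 and len(secs[0][1]) == 0
                    and shannon_entropy(secs[1][1]) >= entropy_threshold)
    return {"sections": names, "upx_names": named, "packed_shape": packed_shape}


def pseudo_random(n, seed=b"upx-demo"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_test_pe(sections):
    """Construct a minimal PE32 skeleton from [(name, raw_bytes)]; test input only."""
    e_lfanew, opt_size, nsec = 0x40, 0xE0, len(sections)
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    first_raw = (hdr_end + 0x1FF) & ~0x1FF  # raw data starts on a 512-byte boundary
    headers, raw_ptr = [], first_raw
    for name, raw in sections:
        headers.append(struct.pack(SECTION_HDR, name.ljust(8, b"\0"), max(len(raw), 0x1000), 0,
                                   len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020))
        raw_ptr += len(raw)
    pe = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    pe += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    pe += b"".join(headers)
    pe += b"\0" * (first_raw - len(pe))
    for _, raw in sections:
        pe += raw
    return bytes(pe)


if __name__ == "__main__":
    packed = build_test_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096)), (b".rsrc", b"\0" * 512)])
    renamed = build_test_pe([(b".text", b""), (b".data", pseudo_random(4096))])
    print(upx_indicators(packed))
    print(upx_indicators(renamed))
```

The shape check is a heuristic: any packer that leaves an empty virtual section in front of a compressed one will match, and a UPX build that pads UPX0 with raw bytes will not. Treat it as a triage hint that a static unpack (or the dump of the memory regions listed later in this report) is worth the effort, not as a family verdict.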

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3440
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1308
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1428
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4548
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4968
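The tree above is the behaviour worth hunting for rather than the hashes: each stage drops a copy of itself named `<parent>Srv.exe` next to the parent, one stage lands in `C:\Program Files (x86)\Microsoft\DesktopLayer.exe`, and the droppers, not the user or explorer.exe, launch iexplore.exe (the `IEXPLORE.EXE SCODEF:<pid>` children are ordinary IE worker processes and are not flagged). The following is an added example, not part of the sandbox report, that encodes those three relations as rules over process-creation records. The records are constructed by hand to mirror the tree in this report; the record layout `(pid, ppid, image, cmdline)` and the explorer.exe parent with pid 4000 are assumptions, since the report does not show the parent of PID 64.

```python
import ntpath

# Constructed process-creation records mirroring the report's tree: (pid, ppid, image, cmdline).
# PID 4000 explorer.exe is an assumed parent; the report does not record who started PID 64.
EVENTS = [
    (4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (64, 4000, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0.exe", ""),
    (2588, 64, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe", ""),
    (4460, 2588, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe", ""),
    (520, 4460, r"C:\Program Files\Internet Explorer\iexplore.exe", ""),
    (3440, 520, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "SCODEF:520 CREDAT:17410 /prefetch:2"),
    (1896, 2588, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe", ""),
    (1308, 1896, r"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe", ""),
    (1428, 1308, r"C:\Program Files\Internet Explorer\iexplore.exe", ""),
    (4548, 1428, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "SCODEF:1428 CREDAT:17410 /prefetch:2"),
    (2904, 1896, r"C:\Program Files\Internet Explorer\iexplore.exe", ""),
    (4968, 2904, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", "SCODEF:2904 CREDAT:17410 /prefetch:2"),
]

BROWSER_PARENTS_OK = {"explorer.exe", "iexplore.exe"}   # assumed benign launchers of IE
DESKTOPLAYER_DIR = r"c:\program files (x86)\microsoft"


def detect(events):
    """Return [(pid, rule)] for every record matching one of the three chain rules."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, _cmdline in events:
        name = ntpath.basename(image).lower()
        folder = ntpath.dirname(image).lower()
        parent = by_pid.get(ppid)
        if parent is not None:
            pname = ntpath.basename(parent[2]).lower()
            pstem, pext = ntpath.splitext(pname)
            # Rule 1: child is "<parent stem>Srv.exe" written beside its parent.
            if pext == ".exe" and name == pstem + "srv.exe" \
                    and folder == ntpath.dirname(parent[2]).lower():
                findings.append((pid, "srv_drop"))
            # Rule 3: iexplore.exe started by something other than the shell or IE itself.
            if name == "iexplore.exe" and pname not in BROWSER_PARENTS_OK:
                findings.append((pid, "ie_from_dropper"))
        # Rule 2: the DesktopLayer*.exe drop location observed in this run.
        if folder == DESKTOPLAYER_DIR and name.startswith("desktoplayer"):
            findings.append((pid, "desktoplayer_path"))
    return findings


def chain(events, pid):
    """Image basenames from the root of the tree down to pid, for the analyst's write-up."""
    by_pid = {e[0]: e for e in events}
    out = []
    while pid in by_pid:
        out.append(ntpath.basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return list(reversed(out))


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{rule:18} pid={pid:<5} " + " -> ".join(chain(EVENTS, pid)))
```

Rule 1 is the most portable of the three because it keys on the relationship between parent and child names, not on a specific filename; Rule 2 is specific to the path seen in this run and will need updating if a variant changes its drop directory. On a real telemetry source, map the parent pid and image from the process-creation event (Sysmon Event ID 1 carries both) into the same four-tuple before calling `detect`.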

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    e5e877bcc2542ab8629d8f34bafcd7f4

    SHA1

    8f618efa1584268e9eafd2b01c2a2ac006113c01

    SHA256

    5e63bcec102963b96b1f7d08ec512431a0ba748f90134dc51a05046296541e9e

    SHA512

    79153f941ae2cc4a5649ac729f03dd3f98df24d5084e36d14467b2a859e6d63fc4167feac24e7b519a9e179fb243447fe6d09519169b11e3151d5cc467e4c9d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    baea0fe3eb607f5ddbb449d20c935b93

    SHA1

    97221e5fd9d2ab727342ce3bf054affb8e521bd9

    SHA256

    db582a0fb066cb64dcc5d8eec08052c1f714de0cebb73c74def793001abeaf60

    SHA512

    37e8d97e91b5bba9aafac28f2ca9d677f6504a1ead140254cfa359cbb4fff40362e5513b2dcb885841bdb1756673fac754556b65393e160a802588daf60c1b46

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    ce885421c9bd1c33c90dbe83f4fd0ccf

    SHA1

    b90853dcf6b9ea150cf30e858da19a3a51be58bc

    SHA256

    376ed3fcc7af2724d200a7c577f32bd92b756098df9b4a2c8747a44e98016021

    SHA512

    0c302a09cf971791488349f10c7b311164d87ced4aba59a01dde15e43ccd5b2a243c42a9f39f8eb9005afbde8f4c68ef3e5a53bcfb8452d984c22b44f0897f28

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6787DEA3-C729-11EF-A4B7-DEEFF298442C}.dat

    Filesize

    5KB

    MD5

    1f6cb2abb2fcab256ad0a1a4b4096529

    SHA1

    86b0c00ab46229eaa45226813189a9c686e15521

    SHA256

    c3702fa2dbb453e01b1243eb9656ea9afc3fb39fb58f38ca14b19f6262222c6d

    SHA512

    b999071e23a169f7dea019328374b236b59701157f3dfa8a0117841ba41f752b8222893b654de408297d837db6056c395b1c74ac9f6843e0f08e0bc81f74ea4a

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6791664B-C729-11EF-A4B7-DEEFF298442C}.dat

    Filesize

    4KB

    MD5

    59c9f21638e50611493d2f2e3c27e824

    SHA1

    5e0bedd875ca16b773de7bc8a118d3703b30908b

    SHA256

    cac4960747ee2ee1dd1be3f74bf6a0c1198b4bdde297d6f2d9b01ad3205827ce

    SHA512

    7af8ef75b8e886412e3a4394bf13b40c5b42ebb26805601c90947cff58467f12bcd2668fcada914455a70733f6b32f5087b54dd88cfc383034d3be9307104e8a

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{67918D5B-C729-11EF-A4B7-DEEFF298442C}.dat

    Filesize

    5KB

    MD5

    0a21ade6b33539ee97598f14237f4d66

    SHA1

    38aaa6ee2720582b1814c910eaca86fb507273bc

    SHA256

    2ccf93718592c2c7bf614abb9930236a801b0012062ea5c3076bdb4f52c2d7e2

    SHA512

    b324aa7e6e083de97f462db50b65b9e201181de8d99fdf275103fab27a329f858a31933554d4b05f28d785ca498948b6c42f05c3b2b444ca98934e767bff32ed

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver711.tmp

    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0Srv.exe

    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_031ec4623ccb76a9884c4ce825fe32c0SrvSrv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/64-0-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/64-31-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

  • memory/1308-27-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

  • memory/1308-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1308-34-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1308-30-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1896-29-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1896-23-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1896-22-0x00000000004B0000-0x00000000004B1000-memory.dmp

    Filesize

    4KB

  • memory/2588-10-0x00000000005A0000-0x00000000005AF000-memory.dmp

    Filesize

    60KB

  • memory/2588-11-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2588-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/4460-14-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4460-17-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

  • memory/4460-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB