Overview

overview

10

Static

static

5

JaffaCakes...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2024 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_059e56647b59d1627029303cf20dcbd0.exe

  • Size

    168KB

  • MD5

    059e56647b59d1627029303cf20dcbd0

  • SHA1

    a815d184696403592a184d785b583e97a021b8a1

  • SHA256

    e498db633cccfde06af02fd1df58ac3ba036c0f159897adf9708b6c47315eab3

  • SHA512

    3942ee197e9280977535ed22b535b00e2d315b252cc9df6f57d7844211002f1362fe961b8b3025f2ca779ed5ba1b3f4c30ea3353f04ef46e7fdc656eb4f47f15

  • SSDEEP

    3072:kROzoTq0+RO7IwnYQwUNAi1uZLPQxxVfSkx3XM+S6ba/k:ikdNwBXJHMxPQxxXM+S6ba/k

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 5 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0Srv.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0SrvSrv.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0SrvSrv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4284
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4080
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:996
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:5008
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    168KB

    MD5

    059e56647b59d1627029303cf20dcbd0

    SHA1

    a815d184696403592a184d785b583e97a021b8a1

    SHA256

    e498db633cccfde06af02fd1df58ac3ba036c0f159897adf9708b6c47315eab3

    SHA512

    3942ee197e9280977535ed22b535b00e2d315b252cc9df6f57d7844211002f1362fe961b8b3025f2ca779ed5ba1b3f4c30ea3353f04ef46e7fdc656eb4f47f15

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    e5e877bcc2542ab8629d8f34bafcd7f4

    SHA1

    8f618efa1584268e9eafd2b01c2a2ac006113c01

    SHA256

    5e63bcec102963b96b1f7d08ec512431a0ba748f90134dc51a05046296541e9e

    SHA512

    79153f941ae2cc4a5649ac729f03dd3f98df24d5084e36d14467b2a859e6d63fc4167feac24e7b519a9e179fb243447fe6d09519169b11e3151d5cc467e4c9d4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    a414d7e4bb2f7c70ce532b622364835e

    SHA1

    e2d38152b07fefbc2f591799010bb9c45ab01058

    SHA256

    17042fe8405576a7e1b9457d07eb8f36ba13ad84fb45026fe832d97e11c99ebb

    SHA512

    ca8ca4e63afc42abbbda3eeafe6772c22ced724585834e198f5e36178527bfeaff323cfbfadff465a3a1ed338781ae61fd57900ca4d9ff00822c22c71c76f4ec

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    367640b0b8224a68cbe9739ba4888c30

    SHA1

    2c443e6a1dafe5ce19d4664b34e948329d636385

    SHA256

    e6ae6477e3d367854056cf6e48fda23afe36b8765b4ad7746037c3d3965486ce

    SHA512

    dc4e98d92f258e3773c03f2a318d4d93d4aedcd4786f0fef0869cd3a880875de71a908283a9bfa8b688c137fffa31288a8d8a659017706bbd1b5ebca7b588efc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    dc1ca8296c742326cd8e57219b1d1abc

    SHA1

    99ce9406856e33adc235f41a8a25870dc8bc01be

    SHA256

    79c1726752fe5558ae9b3efad2af5592339df8f5fad1f299d754bfa3ea25a946

    SHA512

    62bdaa91c6b2c515178e39616c06226d713aaf0b533786fc8db2b56206b3f4e68f67b27ea8a6951aa9afb4e5727fa5cbae26c00f83cc3e3ac54e3a4a8e07ee4c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    0f4c783a80683bce25f3f9db8356aed8

    SHA1

    8def615a8bf2ee05512740e6f2cc52e708748964

    SHA256

    67e16352a69a12ad9b584e63fc5a1dee2b94912be7cf6c8d36a8b571223027a3

    SHA512

    645bc52b025b3553968fea369ca3a56f948f347d2aea1a14f72639c0cf959f3cba3337d98af7d2795afc0635eba8693b70f98480143c3ace2c2649863de6560a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EEBD0F5E-C733-11EF-A4B7-EE8B2F3CE00B}.dat
    Filesize

    4KB

    MD5

    c568d277dd7053a0bd66aa3bbbe0ff38

    SHA1

    3beceabde1fe9d8dae4809fe8e295df674d1a66c

    SHA256

    2ee831b03fadcbfa992fb0ff311e628c24ced4145892439c2de75858461188d3

    SHA512

    baaba88ed135d6440426cc0cac479e6af2a3c6c241d5d6c2db02ba9a61f8df74bf76e9d67a93d8c14e9ff11fcce056ec254d0503140714f25088c6feefb2cc96

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EEBD0F5E-C733-11EF-A4B7-EE8B2F3CE00B}.dat
    Filesize

    3KB

    MD5

    b117348b60fc6662b0435dd4e2fa0d05

    SHA1

    25f4b45fa1d5c6c09d88da2508957f0c6764fe0a

    SHA256

    48d7c2a9795fc6ab3efca8b131f31bed68d3c5111b5d119116fe731346ba924d

    SHA512

    76b9a67f3bab2c8a79913e3e4aee2a96546efbf2989f3f4f5e1a51d3c56dd0a9384dd88bdf407f6cad5bbecfdf7a1d1fb0249fc55a5127b58718765024d41eba

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EEC436EB-C733-11EF-A4B7-EE8B2F3CE00B}.dat
    Filesize

    5KB

    MD5

    67b76fa7e1061bb338429a6eef315de2

    SHA1

    b56d8a2e2516f5fd4928ed8c2bba0a6d7f8d0330

    SHA256

    3f865f484998781cb448b86f5779310723784a7f2d598c83def896a0693f3545

    SHA512

    1de2e445b428dfac3a3b0dd1940dda220fb571fc3dce92c7ea738372109c9e595193c2b8c5ec96b7975904a2db80c13e3d05b6062242d7b72e666883f94d974c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EECB5DB7-C733-11EF-A4B7-EE8B2F3CE00B}.dat
    Filesize

    3KB

    MD5

    a3b72706d55cc7d8746a92bc739be968

    SHA1

    d482122d0936f6f49e540ef3d3be4a5fd1f7b726

    SHA256

    5991d132acb23c90c9ed944c6258dd625326103f90faf5485a175b955b67ed5f

    SHA512

    8dc51b67afc53706f467cebc2b3c7cf3edab1695219d7c0be4b943b56194a887e9075bfc68c469f76113b28667386fe213a1c482481d2970f9079be87f10bf94

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EECB5DB7-C733-11EF-A4B7-EE8B2F3CE00B}.dat
    Filesize

    5KB

    MD5

    5e2fc750c6de6eeab59fcafbddd23151

    SHA1

    f1254e0f298c7be75db742c898e8092168dac548

    SHA256

    4bd6ddfa9ff95ff8fd429ca9ecd0eab716bf759a614922724f8def3c981916fe

    SHA512

    e49049fff2368081a375b796a2ae0b7c7ec62147009507ca7863508e4b10513a651bdd456644e891f84b40df559c0a095a068c75977e2a5fe990f1d40c799214

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF492.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_059e56647b59d1627029303cf20dcbd0Srv.exe
    Filesize

    111KB

    MD5

    1306a06f8db37adbfa5ed9afe0033c38

    SHA1

    d8163d41ff88f132593febed331e274a06c69a0a

    SHA256

    c5017d71a52c7101e3c7fe9b05bf25070bd0d799aee5d70e2108db9c46e5d9cf

    SHA512

    dbdd6523cf51f7127dcfe34b62b79b14f81c4c83884db0e5792e5d31788f5c3495988f63dad560beff79ff7b71686ef4bc43e6106fe7f1683bcab08296fdcf98

    Download Submit

  • memory/1152-34-0x00000000006C0000-0x00000000006C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-29-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1152-36-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1684-35-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1684-28-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1684-22-0x00000000004B0000-0x00000000004B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1684-17-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2032-18-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2032-25-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-30-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2560-0-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2560-8-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2560-5-0x0000000000460000-0x000000000046F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4084-43-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4084-41-0x0000000001F10000-0x0000000001F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4988-27-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4988-16-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4988-21-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4988-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download