Overview

overview

10

Static

static

5

JaffaCakes...51.exe

windows7-x64

10

JaffaCakes...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe

  • Size

    176KB

  • MD5

    60cd2a9d6629a6f7909278d59ef17f51

  • SHA1

    036b6b3cc2e66bb6a2c92a973a16b9505ac4b128

  • SHA256

    9de3cf4e7e6130ac8e4af4a6dd1842b93d8727d7ee397a6f66a19a5d0cf9c536

  • SHA512

    3b28835e32ad54553a7535fbd417d3efc4ce1cab312fca9e79849a0c41c4bb36a9f5dde95cb62b1a6011af13e2d6574ff90cf29be3055a930aaf289657ea1dc2

  • SSDEEP

    3072:8T/55OCLuvYVjHe2PWudHriAXmJ4N/rkqMCSUxRrB9y2:8tKYVjHe2PHriAXlRkzS7

Score
10/10
ramnitbankerdiscoverypersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:3860
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 204
              5⤵
              • Program crash
              PID:2788
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2400
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1812
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            PID:3464
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
          "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:32
          • C:\Users\Admin\AppData\Local\Temp\idemoodp0cetkamgr.exe
            C:\Users\Admin\AppData\Local\Temp\idemoodp0cetkamgr.exe
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                6⤵
                  PID:4972
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2804
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:17410 /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:3028
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  6⤵
                  • Modifies Internet Explorer settings
                  PID:1664
            • C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
              "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3040
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3860 -ip 3860
        1⤵
          PID:2964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          30f59b20e935520badc298242cb4cff1

          SHA1

          00622b2054eb148a8459c2ccd0b22606c2d5c7f6

          SHA256

          4a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c

          SHA512

          f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          649573164bcb7b0b8afa303ac770c47e

          SHA1

          6d298579c8fcc5dd81a6488461f12fc94a57c1e5

          SHA256

          fb6d25799c5167f8266b6bf002885a18d1ae70801a8d90cc77da5962c687373d

          SHA512

          0807c26ffbad33c3ae8e8f72942e94e6fcafe35c4a256d804c5f233f93016dc801d761eac0895fe446387c4f9acfe3b2ba0f71abd3b6ca61ca9a70ac36f1067b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1097E7B-C888-11EF-B9D5-7E3D785E6C2E}.dat
          Filesize

          5KB

          MD5

          a9ebfc0bc44155f06b0636386df2be6b

          SHA1

          790f3ec552a6f43727d766c3decd3d1aa897f61e

          SHA256

          67234056bfbf01085227df4aea522c041f87aaec11c81b5c2a22cc12c2b27658

          SHA512

          d5107d62780b356c5c56f3237912df3ec0a1c47e76b93ad9c89e7dae699c1cfcd86fdf4a2f13dae0381f23d2292f7647e26fe2826ef49faf973c48d0aeb0fc35

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
          Filesize

          117KB

          MD5

          71b5d732c52788553e49f6ffbd85af45

          SHA1

          01fe9d4f7fe8b4b8727931fdeb328a58d5b46903

          SHA256

          faee1aafe1afadf0eabd446cf12cc7698933c7a1b5920a748a3c9b90e9210dd2

          SHA512

          16236b287b5ed06a2d3a512f4af159a812b46adad593b9d37119e63cb2e116c472574f7de043092765e75df091b7b4d68d65fa7321c6f58c85a44dbe88884cf7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
          Filesize

          176KB

          MD5

          60cd2a9d6629a6f7909278d59ef17f51

          SHA1

          036b6b3cc2e66bb6a2c92a973a16b9505ac4b128

          SHA256

          9de3cf4e7e6130ac8e4af4a6dd1842b93d8727d7ee397a6f66a19a5d0cf9c536

          SHA512

          3b28835e32ad54553a7535fbd417d3efc4ce1cab312fca9e79849a0c41c4bb36a9f5dde95cb62b1a6011af13e2d6574ff90cf29be3055a930aaf289657ea1dc2

          Download Submit

        • memory/32-78-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/32-87-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/388-0-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/388-35-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/388-43-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

          Download

        • memory/2144-64-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2204-41-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2204-79-0x0000000000410000-0x00000000004D9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/2204-39-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2204-44-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2204-72-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2628-95-0x0000000077352000-0x0000000077353000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2628-71-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2628-76-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2628-92-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2628-94-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3040-99-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-96-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-130-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-129-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-128-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-127-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-126-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-125-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-124-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-123-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-84-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-85-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-112-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-111-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-89-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-110-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3040-100-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/3252-16-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-17-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-19-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-10-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-7-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3252-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3252-4-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3252-15-0x00000000001A0000-0x00000000001A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-33-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3436-31-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3436-97-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3436-32-0x0000000000900000-0x0000000000901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-34-0x0000000077352000-0x0000000077353000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-88-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-53-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3436-28-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3860-38-0x0000000000E90000-0x0000000000E91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3860-37-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

          Filesize

          4KB

          Download