Overview

overview

10

Static

static

3

JaffaCakes...0d.exe

windows7-x64

10

JaffaCakes...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2025 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_44d434c73772679b9fd27ac8a247000d.exe

  • Size

    510KB

  • MD5

    44d434c73772679b9fd27ac8a247000d

  • SHA1

    c178bbbacd12fdac2c5c107da0b15fcf487e79d8

  • SHA256

    3512da478f3e757315f1061b015a3b5016ee45755b3cc341506f5a1272832c3c

  • SHA512

    91ed354cd5af97db12caf267be240f6f1cbd61dd92edda695346140fbb367722ede1d2e59201296f242fcf9b887e4ae6806bb35da0a14ac009b31efe75805c29

  • SSDEEP

    12288:W4dNeMEumiULIoPDiV4qWW5b+FXZ/becJ+G8:WniVPhSRZyR

Score
10/10
ramnitsalitybackdoorbankerdiscoveryevasionspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:380
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:476
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:600
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe
                4⤵
                  PID:1744
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  4⤵
                    PID:1632
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:680
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:760
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:804
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1160
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:840
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:964
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:280
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:1036
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  3⤵
                                    PID:1060
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    3⤵
                                      PID:1096
                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                      3⤵
                                        PID:812
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                        3⤵
                                          PID:2028
                                        • C:\Windows\system32\sppsvc.exe
                                          C:\Windows\system32\sppsvc.exe
                                          3⤵
                                            PID:1300
                                        • C:\Windows\system32\lsass.exe
                                          C:\Windows\system32\lsass.exe
                                          2⤵
                                            PID:492
                                          • C:\Windows\system32\lsm.exe
                                            C:\Windows\system32\lsm.exe
                                            2⤵
                                              PID:500
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:396
                                            • C:\Windows\system32\winlogon.exe
                                              winlogon.exe
                                              1⤵
                                                PID:432
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1184
                                                  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44d434c73772679b9fd27ac8a247000d.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44d434c73772679b9fd27ac8a247000d.exe"
                                                    2⤵
                                                    • Loads dropped DLL
                                                    • Drops file in Program Files directory
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious behavior: MapViewOfSection
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of UnmapMainImage
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2412
                                                    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44d434c73772679b9fd27ac8a247000dmgr.exe
                                                      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44d434c73772679b9fd27ac8a247000dmgr.exe
                                                      3⤵
                                                      • Modifies firewall policy service
                                                      • UAC bypass
                                                      • Windows security bypass
                                                      • Executes dropped EXE
                                                      • Windows security modification
                                                      • Checks whether UAC is enabled
                                                      • Drops file in Program Files directory
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of UnmapMainImage
                                                      • System policy modification
                                                      PID:2744

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\PROGRAM FILES (X86)\MICROSOFT\WATERMARK.EXE
                                                  Filesize

                                                  510KB

                                                  MD5

                                                  44d434c73772679b9fd27ac8a247000d

                                                  SHA1

                                                  c178bbbacd12fdac2c5c107da0b15fcf487e79d8

                                                  SHA256

                                                  3512da478f3e757315f1061b015a3b5016ee45755b3cc341506f5a1272832c3c

                                                  SHA512

                                                  91ed354cd5af97db12caf267be240f6f1cbd61dd92edda695346140fbb367722ede1d2e59201296f242fcf9b887e4ae6806bb35da0a14ac009b31efe75805c29

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44d434c73772679b9fd27ac8a247000dmgr.exe
                                                  Filesize

                                                  254KB

                                                  MD5

                                                  af23a09fdf3c51d9b0f8ea8dd2c1be5c

                                                  SHA1

                                                  694a2eea3b5dd0a81d52f6442e520f9f6aaab710

                                                  SHA256

                                                  85dc6867d888f91b2eb64b3290ee30fcbb371aca34e828e87338c5c6895c2233

                                                  SHA512

                                                  dafc362de882969f49dcfaf67e387b0ecb7860d53cd0cc934319869f5a0b5a88843c77b160fcfa77572a37e14dd9cb265102512a57ee9bfaaf9f57c361bb83ca

                                                  Download Submit

                                                • memory/2412-36-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-35-0x0000000000270000-0x0000000000271000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2412-12-0x00000000778FF000-0x0000000077900000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2412-11-0x0000000077900000-0x0000000077901000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2412-24-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-15-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-18-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-17-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-16-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-23-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2412-1-0x0000000000400000-0x000000000048C000-memory.dmp

                                                  Filesize

                                                  560KB

                                                  Download

                                                • memory/2412-9-0x0000000000120000-0x000000000016B000-memory.dmp

                                                  Filesize

                                                  300KB

                                                  Download

                                                • memory/2744-31-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-41-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-30-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-33-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-32-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-37-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/2744-10-0x0000000000400000-0x000000000044B000-memory.dmp

                                                  Filesize

                                                  300KB

                                                  Download

                                                • memory/2744-13-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/2744-34-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-51-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/2744-29-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download

                                                • memory/2744-40-0x00000000025C0000-0x000000000364E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                  Download