Overview

overview

10

Static

static

3

JaffaCakes...c7.dll

windows7-x64

7

JaffaCakes...c7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_60034e92b90b53d335651348520a20c7.dll

  • Size

    164KB

  • MD5

    60034e92b90b53d335651348520a20c7

  • SHA1

    288fb9a592ce0e7d443876f0a7b82b4b73746dbb

  • SHA256

    dc754d725ab21ad99acd57d86371720e309b7ecaec209a47e7e31eef5657e70a

  • SHA512

    ed2036cf1631beb3dad26e4206fb7ec10fb010fc3f21be67ced04042daf4187d1bf8039ad355d29e14a1c4b013a035bde27b3f9b902d884ba192de85030d4861

  • SSDEEP

    3072:eMFU3pb7H58PXlboF8BTaUjawdTH1X6eNomDtIf8KEG:5ekVPTtVX6co50K1

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60034e92b90b53d335651348520a20c7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60034e92b90b53d335651348520a20c7.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2680
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 204
                6⤵
                • Program crash
                PID:5012
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3552
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3552 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2552
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1184
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2680 -ip 2680
      1⤵
        PID:1060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        30f59b20e935520badc298242cb4cff1

        SHA1

        00622b2054eb148a8459c2ccd0b22606c2d5c7f6

        SHA256

        4a981d199e551f2b8c8fa22f0e3fbc264e876e5ed243d83331b2a6083a753e3c

        SHA512

        f22ca09eb3266cee3f363e4f3f955745382679d136d61e7c27f81081cd77efa5f82f82220526928f73049e692b7c060f64032dfae0f967c579c6e6acfd2e8d21

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        1cdb1244b6c621bfc3a667239af3cf38

        SHA1

        c52ff3c7900238218a7839ecc3b68820475d2d86

        SHA256

        3019380f61f61c72beca2938d2cfafbc40cdc07d79d72c3e2b28f136af8f5990

        SHA512

        ff90658f1a0af4d0c5a48191aa94b5cfc7acab9eee6a657e72c8f63a84d960401a9b85826cb8fe804eede7854923279dd8bc8dfcc9531f67ba508076317d8262

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3334BD5-C86E-11EF-ADF2-EE8B2F3CE00B}.dat
        Filesize

        5KB

        MD5

        6605c0d545e6be01a70285a01952d866

        SHA1

        c19c6036d2d1ac6a0df6c9a9eca2cfbe283cebc4

        SHA256

        8a289680e9367980540c7677c82056bd2c8405d49e5c6b0c2a942a5357e4adef

        SHA512

        63d72b3e8f4995572dd7e375052b9426702b61d04a940173b826d4b8c0170993b7772b15f1e42c250648b84d5d157cff303ef26bad692993fad71aa0a86349fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E335AE16-C86E-11EF-ADF2-EE8B2F3CE00B}.dat
        Filesize

        3KB

        MD5

        7459fc7fd2311b7dc3d80483b0877116

        SHA1

        80e060c4e0ca943a16be53af112b707471f78c7f

        SHA256

        2ae493726cee0765165e36209597983531edf0bacbf87b23eec763fa633c4f2e

        SHA512

        dbcc98f00d1aef6afd4b45113c08967dce5f5b47d8477f2a7300b94dd0bb4f57370303fd23e480ab521f2fe99cc624cf654f8f3c4fa8f6a050b2c162321cd071

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4ED.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        59KB

        MD5

        aea1462e5f1f31dd74df7833b5a07305

        SHA1

        cea53b9b3311f1003df5d9266f9e3fbd5c971f28

        SHA256

        62c957db467d22cf12af74a4dae478e7d239ecae5d53f3c6399583f38f5224af

        SHA512

        776eeffb068df67e852191f5ec869df6e4cb6c4f14dbe8748cf6b3f9aad2f3b09baa7c61285cb5a5f1253b5bd9525470a25ca77fbe2d26ed02ae7d955142970e

        Download Submit

      • memory/2680-36-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2680-35-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3928-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-10-0x00000000005A0000-0x00000000005A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3928-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-5-0x0000000000401000-0x0000000000405000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3928-20-0x0000000000401000-0x0000000000405000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3928-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3928-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-31-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-40-0x0000000077502000-0x0000000077503000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4020-38-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4020-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-33-0x0000000077502000-0x0000000077503000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4020-32-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4020-43-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-44-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-28-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4020-22-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4196-0-0x0000000010000000-0x000000001002C000-memory.dmp

        Filesize

        176KB

        Download