Overview

overview

10

Static

static

3

JaffaCakes...50.dll

windows7-x64

10

JaffaCakes...50.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-01-2025 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll

  • Size

    451KB

  • MD5

    692efe0f0a2e1c3914f29dd480ce0550

  • SHA1

    8c3ef6b92a3f6ff586313bb0406844b68d9b5464

  • SHA256

    cb92007410ba11fa6bcefd23c8e0c8741c3f7469c5f20714a3b0b6895f0fea6f

  • SHA512

    bd22e56fb9a5600d2f6586a6a600c34287a94142ddcd53d55919633334fbe7b7cbf3d163c6601c64fda7bd6a21db2ba531db2174ca038cc236453cb4031b8434

  • SSDEEP

    12288:WU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvm0aL7+z:WSGB2uJ2s4otqFCJrW9FqvSbqsHasgXi

Score
10/10
ramnitbankerdiscoveryevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Documents and Settings\tazebama.dl_
          "C:\Documents and Settings\tazebama.dl_"
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 324
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\RCXD605.tmp
    Filesize

    69KB

    MD5

    8ba404e90194c38541e324657e72f74c

    SHA1

    ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

    SHA256

    8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

    SHA512

    1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

    Download Submit

  • C:\Users\tazebama.dl_
    Filesize

    157KB

    MD5

    47b113070aff9783c00295fbe1833d73

    SHA1

    1c4c8e70fbf2bea92166287dcc434d9cf6e6f105

    SHA256

    89fd79c1bfff8f3916e98ffdf05d1eaf05c23413463fcc82bfe378dc3d174780

    SHA512

    4f0f2736ba66e7039ec114ebb417e9dcdb8948659b813eca19050d6fe7a425fd94949036d23f195713a318ed98d63c2284a96b090ba7ae0beb1ec434a0837922

    Download Submit

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    158KB

    MD5

    faf07457b75188e34860dce1421ee24e

    SHA1

    ff59c5b737ad491e187addb25abcde02ec2b49e4

    SHA256

    e4117aa4af8c099653e79491dc6d74056831714716e8dc3f4853b768e6f80d46

    SHA512

    e6f6a14bc0fb70344dd2d024a3fe4df477ab1ecaf1f7faecf763a1275b6079c6e39ccad40f4be323f3de398d4bf78cd14ced9763a621f3d34578fbef7002833f

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    158KB

    MD5

    970a6455d395edec4986693e6401a113

    SHA1

    1a9da6a8f41f2352a80ec5cad94bee6e12347a5e

    SHA256

    0be45c1ed6f6b97991b586843ff727f3f1021c27a543bf2498352278788decad

    SHA512

    9b008835fdec03e356ac85961cfde991ecfe5b2adf089dab24be42402140c74acd91a0a22101d20a0dbfd7d42c95e4a52cdcde1874d087a78fb03f30adb3efeb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~TMD4FB.tmp
    Filesize

    1.2MB

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~TMD50C.tmp
    Filesize

    1.1MB

    MD5

    9b98d47916ead4f69ef51b56b0c2323c

    SHA1

    290a80b4ded0efc0fd00816f373fcea81a521330

    SHA256

    96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

    SHA512

    68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    256KB

    MD5

    d50830773758ad14ed57327d9374cabb

    SHA1

    eb83933da289253ad585a4cb195a26a2dbc65abd

    SHA256

    0099712d314b7470f2bbd7141e3b8fcd8aaa63edb97ee8d1baff55f3ae55128a

    SHA512

    108f3e9690d32b1b9e7359c0feb9624ecf750a8f5dd41d9dc5fee3c80f99563b1819ae06e665f676bb560f80534ba4df0943cea43897f15b130e6f180094142f

    Download Submit

  • memory/2196-10-0x00000000002E0000-0x000000000030D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2196-33-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-32-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-34-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-4-0x00000000748E0000-0x0000000074957000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2196-0-0x0000000074960000-0x00000000749D7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2196-2-0x0000000074960000-0x00000000749D7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/2244-41-0x0000000076C54000-0x0000000076C55000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-26-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2244-45-0x0000000076BC0000-0x0000000076CD0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2244-44-0x0000000000220000-0x0000000000238000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2244-43-0x0000000000400000-0x000000000042C1D8-memory.dmp

    Filesize

    176KB

    Download

  • memory/2244-28-0x0000000000400000-0x000000000042C1D8-memory.dmp

    Filesize

    176KB

    Download

  • memory/2244-35-0x000000007737F000-0x0000000077381000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2244-36-0x0000000077380000-0x0000000077381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2244-37-0x0000000077380000-0x0000000077382000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2244-25-0x0000000000220000-0x0000000000238000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2244-12-0x0000000000400000-0x000000000042C1D8-memory.dmp

    Filesize

    176KB

    Download

  • memory/2708-27-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2708-84-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download