Overview

overview

10

Static

static

3

JaffaCakes...50.dll

windows7-x64

10

JaffaCakes...50.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll

  • Size

    451KB

  • MD5

    692efe0f0a2e1c3914f29dd480ce0550

  • SHA1

    8c3ef6b92a3f6ff586313bb0406844b68d9b5464

  • SHA256

    cb92007410ba11fa6bcefd23c8e0c8741c3f7469c5f20714a3b0b6895f0fea6f

  • SHA512

    bd22e56fb9a5600d2f6586a6a600c34287a94142ddcd53d55919633334fbe7b7cbf3d163c6601c64fda7bd6a21db2ba531db2174ca038cc236453cb4031b8434

  • SSDEEP

    12288:WU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvm0aL7+z:WSGB2uJ2s4otqFCJrW9FqvSbqsHasgXi

Score
10/10
ramnitbankerdiscoveryevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692efe0f0a2e1c3914f29dd480ce0550.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Documents and Settings\tazebama.dl_
          "C:\Documents and Settings\tazebama.dl_"
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:648
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 740
            5⤵
            • Program crash
            PID:3336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 10196
          4⤵
          • Program crash
          PID:1192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 604
        3⤵
        • Program crash
        PID:1676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 648 -ip 648
    1⤵
      PID:1564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3140 -ip 3140
      1⤵
        PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3240 -ip 3240
        1⤵
          PID:4404

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Documents and Settings\tazebama.dl_
          Filesize

          157KB

          MD5

          47b113070aff9783c00295fbe1833d73

          SHA1

          1c4c8e70fbf2bea92166287dcc434d9cf6e6f105

          SHA256

          89fd79c1bfff8f3916e98ffdf05d1eaf05c23413463fcc82bfe378dc3d174780

          SHA512

          4f0f2736ba66e7039ec114ebb417e9dcdb8948659b813eca19050d6fe7a425fd94949036d23f195713a318ed98d63c2284a96b090ba7ae0beb1ec434a0837922

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\~TM7AED.tmp
          Filesize

          1.6MB

          MD5

          4f3387277ccbd6d1f21ac5c07fe4ca68

          SHA1

          e16506f662dc92023bf82def1d621497c8ab5890

          SHA256

          767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

          SHA512

          9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

          Download Submit

        • C:\Users\tazebama.dll
          Filesize

          32KB

          MD5

          b6a03576e595afacb37ada2f1d5a0529

          SHA1

          d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

          SHA256

          1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

          SHA512

          181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          256KB

          MD5

          d50830773758ad14ed57327d9374cabb

          SHA1

          eb83933da289253ad585a4cb195a26a2dbc65abd

          SHA256

          0099712d314b7470f2bbd7141e3b8fcd8aaa63edb97ee8d1baff55f3ae55128a

          SHA512

          108f3e9690d32b1b9e7359c0feb9624ecf750a8f5dd41d9dc5fee3c80f99563b1819ae06e665f676bb560f80534ba4df0943cea43897f15b130e6f180094142f

          Download Submit

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          157KB

          MD5

          042ae7730c6d6f58f27dad0a69efc9e4

          SHA1

          f46d3db5ed0790cd66bcd64ce1f673cad829f8b9

          SHA256

          50ddd83b0914653f429b165f1906fad7b866adeed913ff1c1d88b1ba4842fc38

          SHA512

          cec02f613f0450d3a0d315e68558b5c1f5a9719c5ec325619fda690bc4c01f934b2e528723abf74e079f7f767dfe08dd40bbf1541d07c46c3f7b97f3674ea3c8

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          158KB

          MD5

          00d2c3bfcb0d71a302a0baa3cfd48ff2

          SHA1

          8db917038045a50e909f0efbfe49ffc1ccdba16c

          SHA256

          5d1590865cddc04306d58e86486072ec2c46d0d6a9a85ee21ac0554af4e70cdd

          SHA512

          1c7d07a8ff187cf8853753ca9ce6decd207333c2050d6fc694ad826c974eb51a686180f000042b04f8f1e482dddc5bba62ae55d5e9e9e637b4e101505da37e7b

          Download Submit

        • memory/648-18-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/648-50-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3140-14-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3140-20-0x0000000000400000-0x000000000042C1D8-memory.dmp

          Filesize

          176KB

          Download

        • memory/3140-15-0x0000000000400000-0x000000000042C1D8-memory.dmp

          Filesize

          176KB

          Download

        • memory/3140-5-0x0000000000400000-0x000000000042C1D8-memory.dmp

          Filesize

          176KB

          Download

        • memory/3140-52-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3240-0-0x0000000075150000-0x00000000751C7000-memory.dmp

          Filesize

          476KB

          Download

        • memory/3240-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

          Filesize

          4KB

          Download