Analysis

  • max time kernel
    134s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-01-2025 01:46

General

  • Target

    JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll

  • Size

    923KB

  • MD5

    6979b722b91b41c241800034d5cca3d0

  • SHA1

    1e09000e0ed0c3e7449526193ecc7fed117d3d2f

  • SHA256

    cb86243a668e3785a115115d394c55c01a6c9fa967934918b68f1040ecbe66f9

  • SHA512

    fc81eca5d2a1d638298e885eae55bbfb4f79537fb153f68fd177cf29e060a3687e302055d29964310a9c9ac6749a5d53d3bc91f9648b66dbe3d91c700f8f6ced

  • SSDEEP

    24576:hL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0FGrSiva:LK5hPILYHSfeY9nIWMa

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file infectors (viruses), worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
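
The "UPX packed file" signature above is normally a header heuristic rather than a full unpack: section names beginning with UPX, or the stock UPX layout of an empty first section (raw size 0, large virtual size) followed by the section holding the compressed image, which modified UPX builds usually keep even after renaming the sections. The Python below is an added illustration, not part of the sandbox report or of the analysed sample: it parses a PE section table, reports those two indicators, and computes the MD5/SHA1/SHA256/SHA512 digests the report lists for each artifact. The three in-memory PE images it builds are constructed test data, not the Ramnit DLL.

```python
import hashlib
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(section_specs):
    """Build a minimal PE32 image with the given (name, virtual_size, raw_size) sections.

    Constructed test input for the parser below, not the sample from the report; only the
    header fields the parser reads are filled in, so the image is not loadable.
    """
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))
    size_of_optional = 0xE0                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, size_of_optional, 0x2102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (size_of_optional - 2)
    sections = b"".join(
        struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\x00"), vsize, 0x1000 * (i + 1),
                    rsize, 0x400, 0, 0, 0, 0, 0xE0000060)
        for i, (name, vsize, rsize) in enumerate(section_specs)
    )
    return dos + b"PE\x00\x00" + coff + optional + sections


def pe_sections(data):
    """Parse the section table of a PE image into dicts (name, virtual_size, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    out = []
    for i in range(nsections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": rsize})
    return out


def upx_indicators(data):
    """Return the two cheap heuristics a 'UPX packed file' signature typically relies on."""
    sections = pe_sections(data)
    names = [s["name"] for s in sections]
    upx_named = [n for n in names if n.upper().startswith("UPX")]
    # Stock UPX: first section is the unpack target (raw size 0, non-zero virtual size),
    # the compressed image follows. Renamed/modified builds usually keep this layout.
    empty_first = bool(sections) and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0
    return {"sections": names, "upx_named_sections": upx_named,
            "empty_first_section": empty_first, "likely_upx": bool(upx_named) or empty_first}


def file_hashes(data):
    """The digests the report lists per artifact (ssdeep needs a third-party library)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    stock = build_pe([("UPX0", 0x60000, 0), ("UPX1", 0x20000, 0x1F000), (".rsrc", 0x1000, 0x800)])
    renamed = build_pe([(".text", 0x60000, 0), (".data", 0x20000, 0x1F000)])
    plain = build_pe([(".text", 0x8000, 0x8000), (".data", 0x1000, 0x600)])
    for label, image in (("stock UPX", stock), ("renamed UPX", renamed), ("plain", plain)):
        print(label, upx_indicators(image), file_hashes(image)["sha256"][:16])
```

Both heuristics are triage hints, not verdicts: plenty of legitimate installers ship UPX-packed, a zero-raw-size first section also appears with other packers, and a stub that pads the first section defeats the layout check. For static work on a hit, unpack with `upx -d` where the stub is stock, or dump the unpacked image from the process memory the sandbox captured (the 392KB `memory/2716-*` regions below are the kind of artifact to start from).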

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2624
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2756
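
The tree above is the shape the "Executes dropped EXE" and "Drops file in System32 directory" signatures are firing on: rundll32.exe invoked on a DLL in the user's Temp directory by ordinal (`,#1`), the 32-bit rundll32 re-spawned from SysWOW64, a freshly written rundll32mgr.exe executed from SysWOW64 (its hashes are under Downloads below), and that process launching Internet Explorer, with WriteProcessMemory flagged on rundll32mgr.exe and SetWindowsHookEx on iexplore.exe. The Python below is an added detection sketch, not part of the report: it walks process-creation records and reports exactly that chain. The PIDs, images and command lines come from the report's tree; the record layout, the parent PID 1000, the benign control event and the allowlist of binaries a rundll32 host is expected to launch from the system directories are assumptions for this example.

```python
import ntpath
import re

# Constructed process-creation records modelled on the report's tree. PIDs, images and
# command lines are from the report; PPID 1000 and the final benign event are assumed.
EVENTS = [
    {"pid": 2792, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1"},
    {"pid": 2844, "ppid": 2792, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6979b722b91b41c241800034d5cca3d0.dll,#1"},
    {"pid": 2716, "ppid": 2844, "image": r"C:\Windows\SysWOW64\rundll32mgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"pid": 3028, "ppid": 2716, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 2624, "ppid": 3028, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2'},
    {"pid": 2756, "ppid": 2716, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    # Benign control (assumed): rundll32 running a system DLL, no further children.
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Assumed allowlist: binaries a rundll32 host legitimately launches from the system
# directories. Anything else living there (rundll32mgr.exe) is treated as dropped.
EXPECTED_SYSTEM_CHILDREN = {"rundll32.exe", "dllhost.exe", "conhost.exe", "werfault.exe"}


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def loaded_dll(cmdline):
    """Return the DLL argument of a rundll32 command line (up to the ',' before the export), or None."""
    m = re.match(r'\s*"?rundll32\.exe"?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def rundll32_loads_user_dll(ev):
    dll = loaded_dll(ev["cmdline"])
    return basename(ev["image"]) == "rundll32.exe" and dll is not None and bool(USER_WRITABLE.search(dll))


def looks_dropped_in_system_dir(ev):
    return bool(SYSTEM_DIR.match(ev["image"])) and basename(ev["image"]) not in EXPECTED_SYSTEM_CHILDREN


def find_chains(events):
    """Report rundll32(user DLL) -> unknown EXE in System32/SysWOW64 -> browser chains."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    def descendants(pid):
        for c in children.get(pid, []):
            yield c
            yield from descendants(c["pid"])

    chains = []
    for root in events:
        if not rundll32_loads_user_dll(root):
            continue
        parent = by_pid.get(root["ppid"])
        if parent is not None and rundll32_loads_user_dll(parent):
            continue  # the SysWOW64 re-spawn: report the chain once, from its topmost rundll32
        for d in descendants(root["pid"]):
            if not looks_dropped_in_system_dir(d):
                continue
            for c in children.get(d["pid"], []):
                if basename(c["image"]) in BROWSERS:
                    chains.append({"rundll32": root["pid"], "dll": loaded_dll(root["cmdline"]),
                                   "dropped_exe": d["image"], "dropped_pid": d["pid"],
                                   "browser_pid": c["pid"]})
    return chains


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(chain)
```

On a live host the same fields map onto Sysmon Event ID 1 (ProcessCreate: Image, ParentProcessId, CommandLine). The allowlist is the fragile part, since a dropper can reuse a legitimate binary name, so pair this with a file-creation rule for new executables written under System32 or SysWOW64 by anything other than an installer or servicing process, which is the event the "Drops file in System32 directory" signature corresponds to.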

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f4b8daff041542fcf5741e8e0c001c27

      SHA1

      78e095ed664e4903670d801e2baa2b351d9a2ccc

      SHA256

      aff3521bff5b30f4f62b9594838f4ba3bcf828ab0d2ec4543492b7b99b92c468

      SHA512

      445b6d7c6f8520d10d8c43ba2c04168142048d0b69085f72ca2951fd6e97a8140078d022de2d2fa002a612fa856fc78e16e7cf3a84d8f1119be43c34814b7fcd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b0011d29a1ccd773d8dd510a0aa5e183

      SHA1

      985138d5d350b09d62b7079b2e8d1b518589cd73

      SHA256

      18d2019c351bd7a83eadb7aaa68a6ced43cf1678dc6e3e6086bfafd840c32ef4

      SHA512

      bbed3e2fd66199a3a69913c9b91a2abb983c18a84c0e4af8957510db6818f318914d51cc513c1a5c98b7d2d7b744ab6b5c194809560f83f1d463b3249964da0b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      3bd74c445f4f7248b029fc2a2fac376c

      SHA1

      61c3a4c61c849919d29bfd2d709fb8850c376d61

      SHA256

      782f6aa4a1e45cd35922408e817952b23f08f1d20660486242170165af6ab94a

      SHA512

      d49fa26697e196f09303416abe3b12aa122f3b407ffeca63f49de637d305cea4f01a3b81947c500d37f556e2f982c9c96040f1f19b0f34c0e7af73a5599739ba

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c5c546ba25b086ee0d984784d8bb95e6

      SHA1

      8ad2fca64c1e52f87254af4c6b81ac0cd1b70905

      SHA256

      1a389145c15c6d9fe03fdcc6bf1b174af0aef5a22b4e59c2dc8941842879d001

      SHA512

      2ebf1e0e199ec7c9dea5f7ad1ebd8c0bd5009d8ecdf98c8b07d8ef1beeb03ee1b060676d588626e8c56c9fc45abc55b3cf4dbe56824191d955b6640380e4fa71

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      08d61951eb9f33387f36515207310487

      SHA1

      d85686eab4f4cf61e5429693e0f4f991e57c9bcd

      SHA256

      71e8edc81cb0bbe409d843998770b0445276bf8defe4afbc2942b8b4071e58a8

      SHA512

      4a15594c54d57f34146f8268c1e58d83505a4270e3510cc1a5c671f48e3c55c3194e233f2b18ff963e60c8838babcb7583b5a0204acd4f6f6cbd953646402b95

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6d4b05a8c948fca2913ca26d95f17100

      SHA1

      be609294f54bd2ae2b06afb1bde7b8d510dfffa1

      SHA256

      310192453293d4d94f6f1d56d8c99bea0d6fdb800b06f34857fd34c5cb207e04

      SHA512

      2c0b30d552a9c6fe2a008820eb1cdc4a50ff38c17ace5d972b6e17a252338975b1886e45f836ac18421aad9d0a286ecfa12a1660a36d1cd2885965cd5f855d92

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      138504887018021814f71d32f6733b54

      SHA1

      54815bb34b4334cca3292ab599f23cfc0f85fc31

      SHA256

      b62409f1aaf0edd1cbad142ba101642dc2b4c23026344bb326fe9f97274456b7

      SHA512

      d7e1e91f1dd9ed1553e46200535c666a18fd3696567164482261db88db547f92298f2e5d4ddac21f78ec95ab7514c459a1f0ed92db39555545cd581e1b97a4c5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      947f08ff1610f034b271fdb5e71d6e7e

      SHA1

      6c5eefbcc2b8d9193f81c07beb0318fff0ad0daf

      SHA256

      5a46f675a284998d134ef735c81598671cc0b357e700b1ac3a1f2d9aa828be20

      SHA512

      f907cf75cac8a3e0ce69190d9e5cada79071f5fb37a1afba934f016109f458b307dd4ccc5ecafc5a43a86e160662497c78147270b2fbeef647f7cb978999982f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8c16aabb51f9968de30896b5b718eb24

      SHA1

      981397652ccb2b39a14ed3e76c0c16c9e23dade1

      SHA256

      e445ad7c56e1a83462d7764ba2cdb5d81ba11a2dcf0460c6de138cef34c22808

      SHA512

      4b0b4ceb1a2bf7838a422c37368f193d5f9d668aaad7d76b5f332e21140fab8a770f3d8a0704d7d054cec3b3391dd1a4b399e3562d3ab2766aca6b56f5307dc2

    • C:\Users\Admin\AppData\Local\Temp\CabF23D.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarF29E.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\SysWOW64\rundll32mgr.exe

      Filesize

      153KB

      MD5

      14da13653e9f71c2f4d77da520e56cb6

      SHA1

      d8059894212c64c935420b44a212aee5ab015ff8

      SHA256

      105a86dfaa98cbd6ab08dca219e04805b594dbbce2b8872bcaf4dad6f5e2b25d

      SHA512

      879de7e67c7c575c399072538028e60272c82e629469ededc0db7869e4b6070d70c69d31ca06c69a8465b348334505ca20b3af5b8fe48c7d4b51bb9270db143d

    • memory/2716-14-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/2716-18-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2716-13-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2716-16-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2716-15-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

    • memory/2716-17-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2716-12-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2844-11-0x00000000002E0000-0x0000000000342000-memory.dmp

      Filesize

      392KB

    • memory/2844-1-0x0000000074E40000-0x0000000074F2A000-memory.dmp

      Filesize

      936KB

    • memory/2844-2-0x0000000074E40000-0x0000000074F2A000-memory.dmp

      Filesize

      936KB

    • memory/2844-0-0x0000000074F30000-0x000000007501A000-memory.dmp

      Filesize

      936KB