Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-01-2025 05:33

General

  • Target

    JaffaCakes118_6a852f3f28a75def46974009e5b569e3.exe

  • Size

    68KB

  • MD5

    6a852f3f28a75def46974009e5b569e3

  • SHA1

    997c1155453b3ff415a76dd6ed63a107385f7efb

  • SHA256

    f1313bbd77810038b3c423eb2c300adc856a63143da7ea9ccb1353a9acc98eb4

  • SHA512

    49ea1108501d2bd9c3bc114d01c7d1601ed0c4556bfcb669eb7e1e9518aa760858d127ac53176ad63aee485e5c13ebabc9caf44f2ca5063a645c1f59c6b9b5d5

  • SSDEEP

    768:mVWES4y2xSot1iuA3dS4beiTvq12zJFmE6X2iXkatjpIs2B9XajL998i+fasIqHp:0nxy2YobszXymJ7A2aJ2fKdR+f

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include viruses, worms and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
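
The "UPX packed file" signature above is the kind of check that keys on the packer's section names and stub magic. The script below is an added example of that check, not the sandbox vendor's detector and not code from the report: it walks the PE headers far enough to read the section table, then reports stock UPX indicators. `build_fake_pe()` constructs a header-only PE in memory so the check runs without the sample; on a real file, pass its path on the command line.

```python
"""Header-level check for the UPX section-name pattern behind the
'UPX packed file' signature above.

Added example; it is not the sandbox vendor's detector. build_fake_pe()
constructs a header-only PE in memory so the check runs without the sample.
"""
import struct


def pe_section_names(data: bytes):
    """Walk MZ -> PE -> COFF -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # IMAGE_SECTION_HEADER[]
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes):
    """Stock UPX names its sections UPX0/UPX1 (plus .rsrc) and leaves a 'UPX!'
    magic in its packer header; a modified UPX may rename both, so a miss here
    is not proof that the file is unpacked."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_marker": marker,
        "packed": bool(upx_sections) or marker,
    }


def build_fake_pe(section_names):
    """Constructed PE32 header with the given section names and no code
    (demonstration input only, not the report's sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                      # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(upx_indicators(data))
```

Treat a positive result as a reason to unpack and re-scan, and a negative result as inconclusive: the signature's own wording ("UPX/modified UPX") reflects that renamed sections and a stripped magic are common.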

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a852f3f28a75def46974009e5b569e3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a852f3f28a75def46974009e5b569e3.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 208
            4⤵
            • Program crash
            PID:4864
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:836
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 224 -ip 224
      1⤵
        PID:4180
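
The tree above is the lineage an analyst would want to alert on: the sample in %TEMP% drops and runs DesktopLayer.exe under Program Files (x86) (the Downloads section shows the drop carries the same hashes as the submitted sample, so it is a self-copy), DesktopLayer.exe then starts a bare svchost.exe and two iexplore.exe instances, and WerFault reports a crash of that svchost. The script below is an added example, not output of the sandbox: it encodes those conditions as rules over process-creation events. The `EVENTS` records are constructed here from the PIDs, images and command lines listed in the tree; the parent of the two root processes is not given in the report, so `ppid` 0 stands for "not shown".

```python
"""Lineage checks for the process tree in this report.

Added example, not part of the sandbox output. The ProcEvent records below
are constructed from the tree's PIDs, images and command lines; the parent
of the two root processes is not given in the report, so ppid 0 = unknown.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_6a852f3f28a75def46974009e5b569e3.exe"
DROPPED = r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's process tree (ppid 0 = parent not shown).
EVENTS = [
    ProcEvent(1908, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5008, 1908, DROPPED, f'"{DROPPED}"'),
    ProcEvent(224, 5008, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    ProcEvent(4864, 224, WER, WER + " -u -p 224 -s 208"),
    ProcEvent(2424, 5008, IE64, f'"{IE64}"'),
    ProcEvent(836, 2424, IE32, f'"{IE32}" SCODEF:2424 CREDAT:17410 /prefetch:2'),
    ProcEvent(4360, 5008, IE64, f'"{IE64}"'),
    ProcEvent(1812, 4360, IE32, f'"{IE32}" SCODEF:4360 CREDAT:17410 /prefetch:2'),
    ProcEvent(4180, 0, WER, WER + " -pss -s 408 -p 224 -ip 224"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings(events):
    """Return (rule, pid) pairs; each rule mirrors one step of the tree."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        image = e.image.lower()
        # A binary under Program Files started by something running out of
        # %TEMP%: the drop-and-execute step (DesktopLayer.exe here).
        if (parent
                and image.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))
                and "\\appdata\\local\\temp\\" in parent.image.lower()):
            out.append(("program-files-exe-spawned-from-temp", e.pid))
        # svchost.exe normally runs under services.exe with a -k group; a bare
        # svchost under a user-land parent is a hollowing/injection target.
        if (name == "svchost.exe" and pname != "services.exe"
                and " -k " not in e.cmdline.lower()):
            out.append(("svchost-with-unexpected-parent", e.pid))
        # iexplore.exe launched by something other than the shell or another
        # IE process (the frame -> tab split iexplore -> IEXPLORE is normal).
        if name == "iexplore.exe" and pname not in ("explorer.exe", "iexplore.exe"):
            out.append(("browser-launched-by-non-shell-parent", e.pid))
    flagged = {pid for _, pid in out}
    # Tie WerFault invocations back to a flagged process via their -p <pid>.
    crashed = set()
    for e in events:
        if basename(e.image) == "werfault.exe":
            m = re.search(r"(?:^|\s)-p (\d+)", e.cmdline)
            if m and int(m.group(1)) in flagged:
                crashed.add(int(m.group(1)))
    out.extend(("crash-of-flagged-process", pid) for pid in sorted(crashed))
    return out


if __name__ == "__main__":
    for rule, pid in findings(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The WerFault rule is the part worth keeping in a real pipeline: both WerFault lines in the tree reference `-p 224`, and a crash of a process that was already suspicious on lineage grounds is a strong hint that code was written into it (consistent with the WriteProcessMemory signatures on the parent).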

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

        Filesize

        68KB

        MD5

        6a852f3f28a75def46974009e5b569e3

        SHA1

        997c1155453b3ff415a76dd6ed63a107385f7efb

        SHA256

        f1313bbd77810038b3c423eb2c300adc856a63143da7ea9ccb1353a9acc98eb4

        SHA512

        49ea1108501d2bd9c3bc114d01c7d1601ed0c4556bfcb669eb7e1e9518aa760858d127ac53176ad63aee485e5c13ebabc9caf44f2ca5063a645c1f59c6b9b5d5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        d3ef026dd88e6e5106ac84f80286c124

        SHA1

        75062b0190d63b6ee191c2d3fd7deed40520a363

        SHA256

        2ecb929a03fb648afd921206e9f84eebfe98b3b343061e6d2e5bbf3a1d02619c

        SHA512

        809dafd4a0fb9c3c22d3fff05ebb4c025b35a69b514ddb082565a14b3543581f1c430532b6dec2dd4da97a4c9b9818b57d91dcc6f91a3a5425f5a65a078cf64e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        e209549cd14a7787e9603667cfd022c2

        SHA1

        6319938ca2c0de9888881546feea78eb12ee2dcd

        SHA256

        727e7470e6dfe775bd1977789f6f83b6ea4a96ab2e1d87d59f1476ffb6b44400

        SHA512

        cbcc6b67909d843b415bb01145374b70444ab3625c52628c2913f9b2db36dfb3724f65fd9c121488ca435b2c28f80e2778186470af8d27b042b3df6156fdb154

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{33DF98CD-C994-11EF-AEE2-CAF61997B0B0}.dat

        Filesize

        5KB

        MD5

        a6c9790d6a4e24848ae0a3c341fc05d9

        SHA1

        9aae99f11f547b053b30a88dbb5a7b8d8386d142

        SHA256

        0d7d0071bb01940f0ac3620a312a10d21dd87336c7f0705134596dd138418904

        SHA512

        1899dd7733bab7030b5f89d87ffbfcd58fe1c143e14535f63347b8609af2069ee3258d56330b50f7c23471b6e9a8142beec147e3c1e42a8b9a82868d2cfb4459

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{33E1FA95-C994-11EF-AEE2-CAF61997B0B0}.dat

        Filesize

        4KB

        MD5

        0eeb1af6b7c1cc2754d9315dcba33af4

        SHA1

        e9c47c9e9c215716d6fd2ca9d60b27504b175c72

        SHA256

        ee3c789d2fd4575657be60a9b259dc2cf3a267bb56f6f09d8b919f39a2903892

        SHA512

        ca859988fdac803ca956f7ac15824fd814aa500dc66ea9276fb56df539c45ebc6355038a1153d4675ffc5f29878806afa9e493c326f5d3dd8d7f908c94dec148

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1DB5.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/224-14-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

        Filesize

        4KB

      • memory/224-15-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

        Filesize

        4KB

      • memory/1908-6-0x00000000006D0000-0x00000000006ED000-memory.dmp

        Filesize

        116KB

      • memory/1908-0-0x00000000006D0000-0x00000000006ED000-memory.dmp

        Filesize

        116KB

      • memory/1908-1-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/1908-7-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-11-0x0000000002040000-0x0000000002041000-memory.dmp

        Filesize

        4KB

      • memory/5008-12-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-9-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-21-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-23-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-10-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-17-0x00000000024A0000-0x00000000024A1000-memory.dmp

        Filesize

        4KB

      • memory/5008-18-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/5008-16-0x0000000077BD2000-0x0000000077BD3000-memory.dmp

        Filesize

        4KB