Analysis

  • max time kernel
    95s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2025, 12:38

General

  • Target

    JaffaCakes118_6cae6d45fe26d5d600bf1bf1eb3a05cc.exe

  • Size

    164KB

  • MD5

    6cae6d45fe26d5d600bf1bf1eb3a05cc

  • SHA1

    d51d77518a2962bb746e01943d705bfe7af15ed8

  • SHA256

    a290f9ff96b2fb7d25abbecde72eced5105d4421970a2e2b5d522c206583499e

  • SHA512

    760c23f29211288be8eb9d5c3eb54c2a1fcce670b15371a46961e3b435deed006b5ffd52cf452c4a409c16c1e02da0aca1b01861113d585aa5398b33441ca7e2

  • SSDEEP

    3072:ptxf026qbJ1y4GNq5jz+/YiMaunOBpRuh1+cKVvbAdjg4kbG:puqHGoq/TMZIps6vAjdN

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cae6d45fe26d5d600bf1bf1eb3a05cc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cae6d45fe26d5d600bf1bf1eb3a05cc.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5032
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:500
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3284
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1880
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4012
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4012 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\WaterMark.exe

      Filesize

      164KB

      MD5

      6cae6d45fe26d5d600bf1bf1eb3a05cc

      SHA1

      d51d77518a2962bb746e01943d705bfe7af15ed8

      SHA256

      a290f9ff96b2fb7d25abbecde72eced5105d4421970a2e2b5d522c206583499e

      SHA512

      760c23f29211288be8eb9d5c3eb54c2a1fcce670b15371a46961e3b435deed006b5ffd52cf452c4a409c16c1e02da0aca1b01861113d585aa5398b33441ca7e2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      8fad2e07a4c7a80a9b50d87e76420c29

      SHA1

      7faa7310d52e1b97b5f7597dda3fa439f4ec04d8

      SHA256

      be210b4b624d55d076fdc5b6d9f6b98acb116c646e43c56e52790d910bca942d

      SHA512

      459a02e6817f3ba0a1edc2590a266a772127f39f651c9a5ee1170fbaefedeadff6a6ff948f97ed09670413dabe611c2c34e00e7600b4ff501455c35776da7895

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      1bca5384aa08e2879d531b8c83de304a

      SHA1

      89435057785c079955bb8359839d46d394d18fcf

      SHA256

      3c1923345c34762a7cfe1d04c814a0204e67b0f7919156fd045f752766ba8b2d

      SHA512

      dbd8815ea02440c20934b4cc812458f0899e7f5d2fbee837ae7bd4ae6db659b3c976ce238407ba9b779f94cc97134b33d1e1008fede4f83d6bf4b6373037f545

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4BD2188-C9CF-11EF-BDBF-4A034D48373C}.dat

      Filesize

      3KB

      MD5

      9f79737293ddb0499eeec58cfdd8de7a

      SHA1

      9674e43cfab47fc3f77b1f9cd1bce9b2cb943242

      SHA256

      22d7fb6c05a025f473ee0206af8bcb71b8d72e15f12e28c23e82171a0f74625f

      SHA512

      58489e8618d2fedb7fa50be1e5ec31ca59a91fb7167e090540d2c8cfa64bbda0f016ebe39007f92af5a896e1ddecd3925e0d7f52e8957db3e5381fd296ec7dcb

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4BF83ED-C9CF-11EF-BDBF-4A034D48373C}.dat

      Filesize

      5KB

      MD5

      497dda49913b9e5678f6fb2536038ea5

      SHA1

      8bcdbedb52f5be60d50b170787af07e615aa64f0

      SHA256

      d5a35701c8d47f17d8f8d3e6170f2a48bd298e1011754651e28a0d2aa7c87e39

      SHA512

      0101d30f04358e27a0d84f09a669ee39478f4773782963c1fc56ecd5d33f50f196af6762db5cf9095e6153a24325d1fdca7755a4626c51c4da9e4d71d66d402c

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3812.tmp

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • memory/500-36-0x00000000779F2000-0x00000000779F3000-memory.dmp

      Filesize

      4KB

    • memory/500-37-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/500-35-0x0000000000070000-0x0000000000071000-memory.dmp

      Filesize

      4KB

    • memory/500-32-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/500-33-0x00000000779F2000-0x00000000779F3000-memory.dmp

      Filesize

      4KB

    • memory/500-23-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/500-31-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

    • memory/5032-11-0x0000000003360000-0x00000000043EE000-memory.dmp

      Filesize

      16.6MB

    • memory/5032-17-0x0000000000960000-0x0000000000961000-memory.dmp

      Filesize

      4KB

    • memory/5032-10-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-9-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/5032-3-0x0000000003360000-0x00000000043EE000-memory.dmp

      Filesize

      16.6MB

    • memory/5032-16-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-13-0x0000000003360000-0x00000000043EE000-memory.dmp

      Filesize

      16.6MB

    • memory/5032-4-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-5-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-6-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-7-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/5032-1-0x0000000003360000-0x00000000043EE000-memory.dmp

      Filesize

      16.6MB