ramnit | b8332784f686d0ead1fcd5b88c5884d2ce7ccfed079930e9e59d4f2b4ea527bf

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Size

987KB
MD5

7aed830d4cabe619f5e876b981d7b3c1
SHA1

09aabac2de18849a44bab0519e9720bfdc5c1157
SHA256

b8332784f686d0ead1fcd5b88c5884d2ce7ccfed079930e9e59d4f2b4ea527bf
SHA512

523cf03959272cabd020dc1d0a0174fd0bf9c1e12aa7af0f501017ac08a97c56f5178afbefed6c6447686ede71705e870a17df3261ec0d0f1cbcd724b14b2b03
SSDEEP

12288:mLxrFRnNdIF0GPIk0Lujxw5n0LAAmDgG9qPgjDkT3x7MWZ0n8JD7D9/:+xrFB3IF000Lujxe0LaDtNW3x7MW1N

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2680	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe

Loads dropped DLL 13 IoCs

pid	Process
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2680	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
2680	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2680-34-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2680-49-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2580	2680	WerFault.exe	30
1676	2704	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Script.1	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E745B262-93B6-4630-B26E-4E0CD4C435EC}\VersionIndependentProgID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3591BCCA-6D3A-4C9E-9890-5EB6561D903E}\VersionIndependentProgID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.DXMenu	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9749998-DFAB-4158-AFF6-5F20CA2722E2}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{541D379A-8525-4679-BD95-7762A35EB4A3}\TypeLib\Version = "1.0"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{16278BAF-9809-47F5-BE03-F725BC499E5E}\TypeLib\Version = "1.0"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3591BCCA-6D3A-4C9E-9890-5EB6561D903E}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Root.1\CLSID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CB13FC5-EFA6-400F-9F32-235193A2D8C1}\VersionIndependentProgID\ = "DXAxHost.ObjectCollection"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871E56B6-59E6-48D9-AB00-85F66765ABC2}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Preference.1\CLSID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3BDC6E-6413-40A8-B44C-C3DFB4B767E6}\ProxyStubClsid32	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA219B20-4DA3-433E-988B-88BF291A8110}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D59CF868-3464-49D3-9A96-3E6890EDC7E8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{A1004593-C444-4698-9C9F-66A3D99A8687}\\SDPlugins\\DXAxHost.dll"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.DesktopX\CLSID\ = "{75328D64-87CF-4848-A831-35DEAFE27822}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8650B19-884F-43B6-A1F4-23A3156F7671}\ = "Preference Class"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1251C89E-C28B-4523-934C-B8C25550AF8B}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9749998-DFAB-4158-AFF6-5F20CA2722E2}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{541D379A-8525-4679-BD95-7762A35EB4A3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D59CF868-3464-49D3-9A96-3E6890EDC7E8}\VersionIndependentProgID\ = "DXAxHost.Object"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.System\CLSID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB9FA086-83C4-4F56-B614-77CA8C349270}\VersionIndependentProgID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}\1.0\0\win32	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Object\CurVer	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CB13FC5-EFA6-400F-9F32-235193A2D8C1}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.State.1\CLSID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1251C89E-C28B-4523-934C-B8C25550AF8B}\ = "Widget Class"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}\1.0\0	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3591BCCA-6D3A-4C9E-9890-5EB6561D903E}\VersionIndependentProgID\ = "DXAxHost.System"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A233969-A455-4641-90B7-23F904A0AF2A}\VersionIndependentProgID\ = "DXAxHost.DXForm"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871E56B6-59E6-48D9-AB00-85F66765ABC2}	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8650B19-884F-43B6-A1F4-23A3156F7671}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BD637D4-7497-43D2-8DD2-8A338CADFC01}	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1251C89E-C28B-4523-934C-B8C25550AF8B}\VersionIndependentProgID\ = "DXAxHost.Widget"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3019507-B532-46E0-B6BF-AB5589B458C5}	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB9FA086-83C4-4F56-B614-77CA8C349270}\InprocServer32\ThreadingModel = "Apartment"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.DXForm.1\CLSID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A233969-A455-4641-90B7-23F904A0AF2A}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.ObjectCollection.1	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871E56B6-59E6-48D9-AB00-85F66765ABC2}\InprocServer32\ThreadingModel = "Apartment"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80A21AA6-7EFA-496F-8369-2E813E25B97B}\VersionIndependentProgID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3BDC6E-6413-40A8-B44C-C3DFB4B767E6}\TypeLib\Version = "1.0"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{541D379A-8525-4679-BD95-7762A35EB4A3}\ProxyStubClsid32	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA219B20-4DA3-433E-988B-88BF291A8110}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Script\CurVer\ = "DXAxHost.Script.1"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.ObjectCollection.1\ = "ObjectCollection Class"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CB13FC5-EFA6-400F-9F32-235193A2D8C1}\ProgID\ = "DXAxHost.ObjectCollection.1"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CB13FC5-EFA6-400F-9F32-235193A2D8C1}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8650B19-884F-43B6-A1F4-23A3156F7671}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{A1004593-C444-4698-9C9F-66A3D99A8687}\\SDPlugins\\DXAxHost.dll"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1251C89E-C28B-4523-934C-B8C25550AF8B}\ProgID	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB9FA086-83C4-4F56-B614-77CA8C349270}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.State\ = "State Class"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3019507-B532-46E0-B6BF-AB5589B458C5}\TypeLib\Version = "1.0"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9749998-DFAB-4158-AFF6-5F20CA2722E2}	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9749998-DFAB-4158-AFF6-5F20CA2722E2}\ = "IObject"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EA219B20-4DA3-433E-988B-88BF291A8110}\TypeLib	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D59CF868-3464-49D3-9A96-3E6890EDC7E8}\TypeLib\ = "{BB49BAC9-E2FB-44EB-93C4-E0F2DDEE4EAB}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Root.1\CLSID\ = "{AB9FA086-83C4-4F56-B614-77CA8C349270}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.DXForm\CLSID\ = "{7A233969-A455-4641-90B7-23F904A0AF2A}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXAxHost.Preference\CLSID\ = "{D8650B19-884F-43B6-A1F4-23A3156F7671}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80A21AA6-7EFA-496F-8369-2E813E25B97B}\Programmable	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3019507-B532-46E0-B6BF-AB5589B458C5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2680	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	30
PID 2328 wrote to memory of 2680	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	30
PID 2328 wrote to memory of 2680	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	30
PID 2328 wrote to memory of 2680	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	30
PID 2328 wrote to memory of 2704	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	31
PID 2328 wrote to memory of 2704	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	31
PID 2328 wrote to memory of 2704	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	31
PID 2328 wrote to memory of 2704	2328	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	31
PID 2704 wrote to memory of 1676	2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	33
PID 2704 wrote to memory of 1676	2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	33
PID 2704 wrote to memory of 1676	2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	33
PID 2704 wrote to memory of 1676	2704	JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 180
    3⤵
    - Program crash
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
  "C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe" C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 344
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\AppData\Scorpion-left.png

Filesize
52KB

MD5
8198cd31b2ea2ad3b3693a1b8e071e46

SHA1
d4eb8416b8ef64bcc44af523f1f4475d03baab9e

SHA256
96ce154c858d0a2a6846d0f4da73e691d76dfade2e10f3fe8b5e20d892401436

SHA512
c426982de5e57785ce57e84e639f84f97eb0e996d79da0b9f510330706af67dcbd79e537404f8e24a8a6a079625deaa076b1d2108644cc2f5997a3167af0e9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\AppData\Scorpion-right.png

Filesize
53KB

MD5
f44b059266acaa1009d198304777c65a

SHA1
e2e96addc11d7facedd6432230fa0f29307561dc

SHA256
9765585f463c902e62c3cca9a2b5cdd30e1731b0e692fb2195e75ab21592cc6e

SHA512
4e1e6a69eb8efb279da8e1a1573b9aec566079dde4c8b0b98c9a806c8b3b6bb8a3670def5d488110b356211157e23a4cf2c96fa78dfc1972dd529eaac435a8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\AppData\package2.ini

Filesize
1KB

MD5
83929d1fca6cb2fa96f8140925ca54cc

SHA1
47971683f0aa07309e79924613993afa44780cf7

SHA256
4a26a1f4e22dd91db4c002c466ad9d90341db10184a3dee1f95352a047ae6ce7

SHA512
66da31647ffb2097e658d8c686838ccb02b95934bf67fcff2497008070367c3ff546678c934f8791ada328b3d002824c23cd1ad6c6399c25f567bc6da72ae1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\AppData\{2A5E76FA-E842-468A-A631-955B361088C6}.DXScript2

Filesize
2KB

MD5
f0ae38e114cdac427363e46fd52c0411

SHA1
1088a0c2c6dac5d08a8d96a6fb1f07c28a0a3813

SHA256
28f987803cc0464c856a238d2a9c3072d629a6778584d49f3603fe60ae0fffd1

SHA512
8cb497445abd667dc452443299129ccacf6bfebb21e58a0c581f5fda0e1b64a1e8b51d93aadfc43baa9157cc95d777c4e7d944c2b4baf94d50d31c813a9f44b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1.exe

Filesize
509KB

MD5
39ff1caef76b63a24dd2122f1db6a33d

SHA1
ef949cc7a84d5fb0d597e40c756bdcd526c4bc74

SHA256
a48a6fdf8a4ae921fc911cff34a536699ac03c4ffba131408b944fa8eca27f64

SHA512
8bfdc2bae5281e5ab3cbb509bc3fff70f6b7c5e6f82ee3bb1b23a4941497c26d92eb787e95d8f8e84b05a1b6168c87279c98fbbcb476fbff54db54f24f8ace28

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1004593-C444-4698-9C9F-66A3D99A8687}\SDPlugins\DXAxHost.dll

Filesize
334KB

MD5
41e991f5f348d9ae671618fe0c88a56b

SHA1
e871b59d19332674472817d92d053955e94c33d8

SHA256
506a7d0aa3365618ee8be7c47dfccb5bd28738ddf717e1e06f8c654f6668f2b2

SHA512
9df62cded2683c8956dcb50ba0d8b8cb0efdea8b0618239bb717e72a0324df29f5fb291aca9673ef915728c0327186ea14f9face5431da814bf1d6c3fdcb22e9

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aed830d4cabe619f5e876b981d7b3c1mgr.exe

Filesize
354KB

MD5
a8245f71e4e4aff10e574300abd2bcc2

SHA1
7ea3ae53a0697e526c6bc877b103b390af042d7a

SHA256
7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

SHA512
8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

Download Submit
\Users\Admin\AppData\Local\Temp\~TM2607.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM2656.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2328-9-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2328-56-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-1-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2680-49-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2680-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2680-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download