Overview

overview

10

Static

static

3

JaffaCakes...e8.exe

windows7-x64

10

JaffaCakes...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2ce4a273fa5ed2316b8eb396ae789be8.exe

  • Size

    95KB

  • MD5

    2ce4a273fa5ed2316b8eb396ae789be8

  • SHA1

    6d5fc6a040bce50aecb8895fb98cb9b50bad33d2

  • SHA256

    1b891b72412300cd382f237129bb3c6fa117ac4fc68960869b90a67166d859f8

  • SHA512

    0ef2f3c28b003eb113359d0435db35f6848f1098be9ad57084a3917ab7f165051697d4c88270276071e6633e50514c22c9d75b24fde23d677772bb27670307a1

  • SSDEEP

    768:506R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:PR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ce4a273fa5ed2316b8eb396ae789be8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ce4a273fa5ed2316b8eb396ae789be8.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3916
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 204
            4⤵
            • Program crash
            PID:4736
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3564
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3564 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2956
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3916 -ip 3916
      1⤵
        PID:1900

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        2ce4a273fa5ed2316b8eb396ae789be8

        SHA1

        6d5fc6a040bce50aecb8895fb98cb9b50bad33d2

        SHA256

        1b891b72412300cd382f237129bb3c6fa117ac4fc68960869b90a67166d859f8

        SHA512

        0ef2f3c28b003eb113359d0435db35f6848f1098be9ad57084a3917ab7f165051697d4c88270276071e6633e50514c22c9d75b24fde23d677772bb27670307a1

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        4678c6b9e04d71f22ad272e0502cdb5e

        SHA1

        3f4cda0c3979c8f87b48914dd58b7eec0d480738

        SHA256

        8a2e74caaacdb17295780859af0882ff7e55a14ba77b04ab4656462c44adb673

        SHA512

        b347198672efdfb51dfdc266aa96b463fc8ee2bb260f9b493055849be7805c38b0c176d25bece406106d9d2e526c5948579f53d38737517496c1c81a7f9a2bbf

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        676f0c491883c751e501802c14f75bb2

        SHA1

        5520e81e3945492736c2daf1b831095f772460ba

        SHA256

        93ca886e2ed79ab1f133a2f0551587a1a88671c96eb45301cf89f4146ed71ac7

        SHA512

        45c4ef0bc7d2db698cd4505534677fb19bf6df2526c6d4c3c71008ec3eeafb5398bb60483276ab80b9a7b6828427be907538243f8d7381fb9bafaf0c9bea136c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        3f9079cefaf2a36fa5154367feffeede

        SHA1

        88b948a064867403015634d4add552de6d59e98c

        SHA256

        b31bccd0b9b3a028865cbcdca3e4d691875ec94a0a9339f3df6f44ab94575402

        SHA512

        57c61b38948efadfb8fa313ef9fa4584b629333cbab1c4cede3214f27d221f82c5fd0f8a8dea5febbcf1b947836d3810f41aba883504ee8cab3b02cc6e6f892e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE704BB7-D1DC-11EF-AF2A-FA9F886F8D04}.dat
        Filesize

        3KB

        MD5

        874faa9a22760bba514fb6ac0e1c3f79

        SHA1

        393075770659283dce5dd28daef4685489eb747d

        SHA256

        5dfd698ae8c1409a3dcf07e7f32093846b58dc74e42a9b55aad460f342d50a41

        SHA512

        b3c3e81dd1a8909a7292009d39598ee6c1964655ecc9c138e7a0281263d9d4b33380ded006050d6664d00429feed9c57186b61fc3019cdc28581d89cf248f679

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DE72AD20-D1DC-11EF-AF2A-FA9F886F8D04}.dat
        Filesize

        5KB

        MD5

        7d65ab7f844af6278e3bc35ea658ebd3

        SHA1

        68cca46d4a15042048682964fdee595b3a7a97eb

        SHA256

        54f96e3f5f0670539c63d77bf641e725b510fcb901447ec356cd2c163ff7a736

        SHA512

        679cc08377bdb06d31a6b0cf81c2f1165cd85a88f4542ec9166be490680e9580959c8657aca99122012bf427220e8536acbb883fd3fa0406110103782f6db473

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5734.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/1844-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-0-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1844-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1844-2-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1844-3-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1844-7-0x00000000008D0000-0x00000000008D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1844-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1844-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-32-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-33-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-34-0x00000000777B2000-0x00000000777B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-35-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-25-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-26-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3012-28-0x00000000777B2000-0x00000000777B3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3012-22-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3916-30-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3916-31-0x0000000000B90000-0x0000000000B91000-memory.dmp

        Filesize

        4KB

        Download