Overview

overview

10

Static

static

3

JaffaCakes...29.exe

windows7-x64

10

JaffaCakes...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_565b0b835572ec055fc43fa74d37a729.exe

  • Size

    95KB

  • MD5

    565b0b835572ec055fc43fa74d37a729

  • SHA1

    07262b68a7d071bca9c439d5d74bee95a9d9a118

  • SHA256

    27cb09f098609b05b298e4e6343e62622d5fa1bcbc27435f3875fbe9ca888887

  • SHA512

    1f5dccc8cbd9ab319de8c49a942371afddc8392dc45c9392aca9212433625ccd3aa3c5a18c6b88c2096b11ecf5767ed3135770bc294701dd243e207be89b0800

  • SSDEEP

    768:006R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:qR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_565b0b835572ec055fc43fa74d37a729.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_565b0b835572ec055fc43fa74d37a729.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:740
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 204
            4⤵
            • Program crash
            PID:3488
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1836
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 740 -ip 740
      1⤵
        PID:3812

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        95KB

        MD5

        565b0b835572ec055fc43fa74d37a729

        SHA1

        07262b68a7d071bca9c439d5d74bee95a9d9a118

        SHA256

        27cb09f098609b05b298e4e6343e62622d5fa1bcbc27435f3875fbe9ca888887

        SHA512

        1f5dccc8cbd9ab319de8c49a942371afddc8392dc45c9392aca9212433625ccd3aa3c5a18c6b88c2096b11ecf5767ed3135770bc294701dd243e207be89b0800

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        9e22a9c34466faf7bc9cf642444b3f30

        SHA1

        0ac45262532cce40083cc9049fb12d4efb06c01f

        SHA256

        57569469879a3144b391cf9def258ad9ef29d7fd1d3d70a28cfb506443d7a119

        SHA512

        c60649fb0ecdd14c9a6d8f9ea7ac4356b24a5e1a238705bbc8294b72ea2fda21965af200746ae20dd5f45e386fc30e2189de6007e08ff3d7ec72b8dfc39435fe

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        476424b72c1bc8c32a56e6abe35a04f4

        SHA1

        224d4cade03aee1077d8149fabe4c067a636094b

        SHA256

        df45804f2f971bd1e0dc251bfe556120948efb92f27df8ed7ffa2e72c1f52248

        SHA512

        635ed219c501aa32d84bd7a06f6b0ec7b5543940ddbe221cb1fdd05c399681073515706137aaa4de4f8189daa5e18d44a17e99fa5fee06003b3a7043b4da8f58

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        89c2aa233efe38ccb2bf9fece5a08631

        SHA1

        30d4a1d8a4627a1691c798035f28855a3063b3bf

        SHA256

        bf4adb17b4a44928d6fb4706287175a3e65152743e67e11ce65ea122f2e59177

        SHA512

        ce46b98847c1e44d189af6d9e89aa185e2445fcda4ac723c430b9f65e3839cf5590aa29d8bd21eff567f235236fde0a8c2247942ba93a6886906d3b95b0d285d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86442FC1-D338-11EF-BDBF-DA61A5E71E4E}.dat
        Filesize

        5KB

        MD5

        a73eb561fc1682112a70187017b697dc

        SHA1

        63d58b4d80123a0fd2bcc06c9c0b56be822385d6

        SHA256

        1959ee41ea5d63b68152025a4689843b2cc126184ea4ab23da191baf0be5cfaf

        SHA512

        ceb930ae4538a039a1666f957c716ac79642967f49cc9e77917cd2b433322e9906e6a2cc78dba24fd246314a522b6b616cd50b4190960f51fa6fad281004ad9f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86469336-D338-11EF-BDBF-DA61A5E71E4E}.dat
        Filesize

        3KB

        MD5

        963d13414e536a889e9d10e9cf67feba

        SHA1

        198ad4db981e3843e1528d57c0d6e5d8c53dd515

        SHA256

        af9fd725fe16272b11ffa1a0a3ffa4ada8a39cee7602cead22de357ef623a704

        SHA512

        d74603b32e9576ffa8790af66c57e435972e91f160b68ce591300068816aa1bc66ae24d8b8d6dae835dfcd373fa03eed160868083122dd48f6db4741406bc0d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/740-30-0x0000000000E40000-0x0000000000E41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/740-29-0x0000000000E60000-0x0000000000E61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3788-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-0-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3788-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3788-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-2-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3788-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-8-0x0000000000A70000-0x0000000000A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3788-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3788-7-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3788-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4084-26-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4084-33-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4084-36-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4084-32-0x0000000077D52000-0x0000000077D53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4084-31-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4084-27-0x0000000077D52000-0x0000000077D53000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4084-24-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download