Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 12:10 UTC

General

  • Target

    JaffaCakes118_568c316139a4e7c91fc1e3f7cdb018e9.exe

  • Size

    184KB

  • MD5

    568c316139a4e7c91fc1e3f7cdb018e9

  • SHA1

    e3573bdbdf809efd5fa803ea54c21693e5866985

  • SHA256

    20bd108ac183273bad7742cca8cb32f4835ef4d9afa168f5c2d8ed05538c557d

  • SHA512

    34d467fc960248aa465e542b4aece4047954bfb243b2b5a5f2d14ea54d9c0b41953d2d0cb0d3d5f9fed1355004bc53aa1449eda2aabc9ef0ab1287e1a87b01ed

  • SSDEEP

    1536:oVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:4nxwgxgfR/DVG7wBpE

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
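The "UPX packed file" signature above is a static check. The script below, added here as an example and not the sandbox's own detector, shows the kind of evidence such a check rests on: stock UPX section names (UPX0/UPX1), a first section with no raw data, an entry point outside the first section, and a high-entropy compressed blob. The structural signals are what still fire when a modified UPX build renames its sections. All PE images it examines are constructed in memory by build_sample_pe(); they are test input, not the sample from this report.

```python
"""UPX-packing heuristics for a PE image, standard library only.

Added example for this report; not the sandbox's "UPX packed file" detector
and not a claim about how that detector works. Assumptions: a stock UPX build
names its sections UPX0/UPX1 (a modified UPX may rename them), leaves the
first section with no raw data, places the entry point outside the first
section, and stores a high-entropy compressed blob. build_sample_pe() emits
constructed test images, not real samples.
"""
import math
import random
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table.
    Returns (sections, entry_point_rva)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
                         "entropy": shannon_entropy(pe[rptr:rptr + rsize])})
    return sections, entry_rva


def upx_indicators(pe: bytes) -> dict:
    sections, entry = parse_pe(pe)
    first = sections[0]
    ep_section = next((s for s in sections
                       if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], 1)), None)
    return {
        "upx_section_names": any(s["name"] in UPX_SECTION_NAMES for s in sections),
        "entry_not_in_first_section": ep_section is not None and ep_section is not first,
        "first_section_no_raw_data": first["rsize"] == 0 and first["vsize"] > 0,
        "high_entropy_section": any(s["entropy"] > 7.0 for s in sections if s["rsize"]),
    }


def is_probably_upx(pe: bytes) -> bool:
    """Section names alone are decisive; otherwise require all structural
    signals together, which is what catches a renamed ("modified UPX") build."""
    ind = upx_indicators(pe)
    return ind["upx_section_names"] or (ind["entry_not_in_first_section"]
                                         and ind["first_section_no_raw_data"]
                                         and ind["high_entropy_section"])


def build_sample_pe(packed: bool, upx_names: bool = True) -> bytes:
    """Constructed minimal PE32 image for testing (not a real binary)."""
    rng = random.Random(1)
    if packed:
        body = bytes(rng.randrange(256) for _ in range(4096))      # compressed-looking blob
        names = (b"UPX0", b"UPX1", b".rsrc") if upx_names else (b".text", b".code", b".rsrc")
        secs = [(names[0], 0x20000, 0x1000, 0, 0),                  # unpack target: no raw data
                (names[1], 0x8000, 0x21000, len(body), 0x200),      # stub + compressed data
                (names[2], 0x1000, 0x29000, 0, 0)]
        entry = 0x21000 + 0x100                                     # entry point in 2nd section
    else:
        body = bytes(range(64)) * 64                                # low-entropy "code"
        secs = [(b".text", 0x1000, 0x1000, len(body), 0x200),
                (b".data", 0x1000, 0x2000, 0, 0)]
        entry = 0x1000 + 0x10
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF: Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                        # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, entry)                   # AddressOfEntryPoint
    off = 0x58 + 0xE0
    for name, vs, va, rs, rp in secs:
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vs, va, rs, rp)
        off += 40
    return bytes(hdr) + body


if __name__ == "__main__":
    for label, img in (("packed", build_sample_pe(True)),
                       ("renamed", build_sample_pe(True, upx_names=False)),
                       ("plain", build_sample_pe(False))):
        print(label, is_probably_upx(img), upx_indicators(img))
```

To run it against a real file, read the bytes with open(path, "rb") and pass them to upx_indicators(); treat a hit as a triage lead rather than a verdict, since installers and game launchers legitimately ship UPX-packed binaries.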

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_568c316139a4e7c91fc1e3f7cdb018e9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_568c316139a4e7c91fc1e3f7cdb018e9.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 204
            4⤵
            • Program crash
            PID:3340
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3704
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3704 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1120
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664
      1⤵
        PID:4740
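The process tree above is the part of this report a detection engineer would turn into rules: an executable from the user's Temp directory drops and runs a copy of itself under Program Files (x86)\Microsoft, that copy starts svchost.exe directly (services.exe is normally the only parent, and the command line lacks a -k service group), the svchost spawns two Internet Explorer instances, and WerFault reports the svchost crashing. The script below, added here as an example and not a rule from any sandbox or SIEM, encodes those four observations and runs them over a constructed Sysmon Event ID 1-style view of the tree, plus a constructed benign services.exe/svchost.exe pair as a control. Parents the report does not show get ppid None.

```python
"""Process-chain detection for the behaviour in this report's process tree.

Added example for this report, not a rule shipped by any sandbox or SIEM.
EVENTS is a constructed Sysmon Event ID 1-style view of the tree (pid, ppid,
image, command line); the services.exe/svchost.exe pair at the end is a
constructed benign control. Parents not shown in the report get ppid None.
"""
import ntpath

EVENTS = [
    {"pid": 4084, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_568c316139a4e7c91fc1e3f7cdb018e9.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_568c316139a4e7c91fc1e3f7cdb018e9.exe"'},
    {"pid": 4540, "ppid": 4084, "image": r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'},
    {"pid": 4664, "ppid": 4540, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe"},
    {"pid": 3340, "ppid": 4664, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 204"},
    {"pid": 3704, "ppid": 4664, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 1120, "ppid": 3704, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3704 CREDAT:17410 /prefetch:2'},
    {"pid": 552, "ppid": 4664, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 1820, "ppid": 552, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:17410 /prefetch:2'},
    {"pid": 4740, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664"},
    # Constructed benign control: the normal way svchost.exe gets started.
    {"pid": 700, "ppid": None, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 1234, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def _werfault_target(cmdline: str):
    """Return the pid named by WerFault's -p switch, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-p" and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def detect(events):
    """Return sorted (pid, rule) findings for the four observations above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        name = ntpath.basename(image)
        pimage = parent["image"].lower() if parent else ""
        pname = ntpath.basename(pimage)
        # R1: executable under Program Files whose parent ran out of a user Temp dir.
        # Installers do this too, so treat it as a lead to pair with R2/R3.
        if "\\program files" in image and "\\appdata\\local\\temp\\" in pimage:
            findings.append((e["pid"], "dropped-exe-from-temp"))
        # R2: svchost.exe not launched by services.exe, or missing the -k service group.
        if name == "svchost.exe" and (pname != "services.exe"
                                      or " -k " not in f" {e['cmdline'].lower()} "):
            findings.append((e["pid"], "anomalous-svchost"))
        # R3: a browser whose parent is svchost.exe; nothing legitimate does that.
        if name == "iexplore.exe" and pname == "svchost.exe":
            findings.append((e["pid"], "svchost-spawned-browser"))
    # R4: WerFault reporting a crash of a process already flagged above.
    flagged = {pid for pid, _ in findings}
    for e in events:
        if ntpath.basename(e["image"].lower()) == "werfault.exe":
            if _werfault_target(e["cmdline"]) in flagged:
                findings.append((e["pid"], "crash-of-flagged-process"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

R2 is the load-bearing rule: on a healthy host every svchost.exe has services.exe as its parent and a -k group on its command line, so a hit there with R3 following it is a strong injection-and-pivot pattern regardless of which family is involved. R1 on its own is noisy and is only there to tie the Program Files drop to the Temp-dir origin.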

      Network

      DNS queries (all sent to 8.8.8.8:53; process shown where the sandbox attributed it)

      • 8.8.8.8.in-addr.arpa, IN PTR
        Response: dns.google
      • 172.214.232.199.in-addr.arpa, IN PTR
        Response: no answer
      • 232.168.11.51.in-addr.arpa, IN PTR
        Response: no answer
      • 0.159.190.20.in-addr.arpa, IN PTR
        Response: no answer
      • 167.173.78.104.in-addr.arpa, IN PTR
        Response: a104-78-173-167.deploy.static.akamaitechnologies.com
      • api.bing.com, IN A (from iexplore.exe)
        Response: CNAME api-bing-com.e-0001.e-msedge.net, CNAME e-0001.e-msedge.net, A 13.107.5.80
      • 228.249.119.40.in-addr.arpa, IN PTR
        Response: no answer
      • 104.219.191.52.in-addr.arpa, IN PTR
        Response: no answer
      • 50.23.12.20.in-addr.arpa, IN PTR
        Response: no answer
      • 206.23.85.13.in-addr.arpa, IN PTR
        Response: no answer
      • 161.19.199.152.in-addr.arpa, IN PTR
        Response: no answer
      • 200.197.79.204.in-addr.arpa, IN PTR
        Response: a-0001.a-msedge.net
      • 73.144.22.2.in-addr.arpa, IN PTR
        Response: a2-22-144-73.deploy.static.akamaitechnologies.com
      Connections (remote address, domain, protocol, process where attributed, bytes sent / received, packets sent / received)

      • 204.79.197.200:443, ieonline.microsoft.com, tls, http2, iexplore.exe, 1.2kB / 8.2kB, 15 / 13
      • 8.8.8.8:53, 8.8.8.8.in-addr.arpa, dns, 66 B / 90 B, 1 / 1
        DNS request: 8.8.8.8.in-addr.arpa
      • 8.8.8.8:53, 232.168.11.51.in-addr.arpa, dns, 72 B / 158 B, 1 / 1
        DNS request: 232.168.11.51.in-addr.arpa
      • 8.8.8.8:53, 172.214.232.199.in-addr.arpa, dns, 74 B / 128 B, 1 / 1
        DNS request: 172.214.232.199.in-addr.arpa
      • 8.8.8.8:53, 0.159.190.20.in-addr.arpa, dns, 71 B / 157 B, 1 / 1
        DNS request: 0.159.190.20.in-addr.arpa
      • 8.8.8.8:53, 167.173.78.104.in-addr.arpa, dns, 73 B / 139 B, 1 / 1
        DNS request: 167.173.78.104.in-addr.arpa
      • 8.8.8.8:53, api.bing.com, dns, iexplore.exe, 58 B / 134 B, 1 / 1
        DNS request: api.bing.com
        DNS response: 13.107.5.80
      • 8.8.8.8:53, 228.249.119.40.in-addr.arpa, dns, 73 B / 159 B, 1 / 1
        DNS request: 228.249.119.40.in-addr.arpa
      • 8.8.8.8:53, 104.219.191.52.in-addr.arpa, dns, 73 B / 147 B, 1 / 1
        DNS request: 104.219.191.52.in-addr.arpa
      • 8.8.8.8:53, 50.23.12.20.in-addr.arpa, dns, 70 B / 156 B, 1 / 1
        DNS request: 50.23.12.20.in-addr.arpa
      • 8.8.8.8:53, 206.23.85.13.in-addr.arpa, dns, 71 B / 145 B, 1 / 1
        DNS request: 206.23.85.13.in-addr.arpa
      • 8.8.8.8:53, 161.19.199.152.in-addr.arpa, dns, 73 B / 144 B, 1 / 1
        DNS request: 161.19.199.152.in-addr.arpa
      • 8.8.8.8:53, 200.197.79.204.in-addr.arpa, dns, 73 B / 106 B, 1 / 1
        DNS request: 200.197.79.204.in-addr.arpa
      • 8.8.8.8:53, 73.144.22.2.in-addr.arpa, dns, 70 B / 133 B, 1 / 1
        DNS request: 73.144.22.2.in-addr.arpa

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        184KB

        MD5

        568c316139a4e7c91fc1e3f7cdb018e9

        SHA1

        e3573bdbdf809efd5fa803ea54c21693e5866985

        SHA256

        20bd108ac183273bad7742cca8cb32f4835ef4d9afa168f5c2d8ed05538c557d

        SHA512

        34d467fc960248aa465e542b4aece4047954bfb243b2b5a5f2d14ea54d9c0b41953d2d0cb0d3d5f9fed1355004bc53aa1449eda2aabc9ef0ab1287e1a87b01ed

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        9e22a9c34466faf7bc9cf642444b3f30

        SHA1

        0ac45262532cce40083cc9049fb12d4efb06c01f

        SHA256

        57569469879a3144b391cf9def258ad9ef29d7fd1d3d70a28cfb506443d7a119

        SHA512

        c60649fb0ecdd14c9a6d8f9ea7ac4356b24a5e1a238705bbc8294b72ea2fda21965af200746ae20dd5f45e386fc30e2189de6007e08ff3d7ec72b8dfc39435fe

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        c6e28cb48a022d4e8059b525197af98d

        SHA1

        bd4ee6f1458d9b2a89eb2ea76e3e0c94cfac2e4a

        SHA256

        5f8d1f023b3af390648035b9cd540dd8b2f0781942ea31fa3b729e342b0f617f

        SHA512

        351be330dad47da5a23149272aa1708fe94175b6d2623614c97f136cfb29c149517e0a2b769c46cc51f65901a68d48235864d1719c44e8b02b97b20c968f5772

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B63509D5-D339-11EF-B9D5-E24E87F0D14E}.dat

        Filesize

        3KB

        MD5

        17759b541b8066ea2afa198104f2e244

        SHA1

        0e32032210d7de26274c8ce625884f20e759507c

        SHA256

        94aab041659863d3fc37ca732bd2f7e4f850f82ccefc0f535fbb7537a13cf252

        SHA512

        5913cfdc21a2d28e524595e4f24b26fd4cf1d2ae05c7e6ef7d643a9ae5802e2959d16a07d79b02fc30186b63a798a759f326298509ff6c3b3a04470f8bd976c8

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6376C47-D339-11EF-B9D5-E24E87F0D14E}.dat

        Filesize

        5KB

        MD5

        c29b45c46c4d267d7f35c2aae3d2819a

        SHA1

        8065a641004067960bd5ea4890c62925d6dcd02f

        SHA256

        bee0afa923de4f98921af084f863f2a7db2b810eaacff9da8b6b833eadc6416d

        SHA512

        4c2247ce596a5abaeaa8658f9833e6c2eafacf41535f12bd73cb1eddf064cd0ffcf991126cb79dc8d2a74c0af0fd75dd7da490917fdd13efa225fca61573131b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/4084-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-6-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/4084-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-2-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-8-0x0000000000930000-0x0000000000931000-memory.dmp

        Filesize

        4KB

      • memory/4084-0-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/4084-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

      • memory/4084-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4084-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4540-22-0x0000000000400000-0x0000000000477000-memory.dmp

        Filesize

        476KB

      • memory/4540-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/4540-34-0x0000000077622000-0x0000000077623000-memory.dmp

        Filesize

        4KB

      • memory/4540-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4540-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4540-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4540-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4540-28-0x0000000077622000-0x0000000077623000-memory.dmp

        Filesize

        4KB

      • memory/4540-25-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

      • memory/4664-32-0x0000000000430000-0x0000000000431000-memory.dmp

        Filesize

        4KB

      • memory/4664-31-0x0000000000450000-0x0000000000451000-memory.dmp

        Filesize

        4KB
