Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 06:26

General

  • Target

    JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe

  • Size

    112KB

  • MD5

    6dcfa9e1f6477356a7e6986c692abaee

  • SHA1

    d0ec609fd686286e818d78d163137e3854743b6d

  • SHA256

    2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a

  • SHA512

    74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3

  • SSDEEP

    1536:lVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEjD0N9Y6js+uTAbeP:1nxwgxgfR/DVG7wBpEsNDj4AU

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1204
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 208
            4⤵
            • Program crash
            PID:3768
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3764
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3764 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:436
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3928 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1204 -ip 1204
      1⤵
        PID:3208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        112KB

        MD5

        6dcfa9e1f6477356a7e6986c692abaee

        SHA1

        d0ec609fd686286e818d78d163137e3854743b6d

        SHA256

        2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a

        SHA512

        74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        9e22a9c34466faf7bc9cf642444b3f30

        SHA1

        0ac45262532cce40083cc9049fb12d4efb06c01f

        SHA256

        57569469879a3144b391cf9def258ad9ef29d7fd1d3d70a28cfb506443d7a119

        SHA512

        c60649fb0ecdd14c9a6d8f9ea7ac4356b24a5e1a238705bbc8294b72ea2fda21965af200746ae20dd5f45e386fc30e2189de6007e08ff3d7ec72b8dfc39435fe

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        73f9b0ed2c3d3ac130615bf6a684f27e

        SHA1

        71ba303e99623424e9fef9aafd0bb7dabd758850

        SHA256

        c14dc12e0168fd5cafb3e79a357dd0cf6fd88b6383e783fbbae3f95a2c7b5972

        SHA512

        6c40b50b34e585962adcd294429c6d163372bb26b874d061be80878d938fd8f3dd362686622253bc0091057ee7bdae098a2212d6b2c4c756ce9bb12aa3842251

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1165EC5-D3D2-11EF-ADF2-CA65FB447F0B}.dat

        Filesize

        5KB

        MD5

        6cc4c2115ee73f98aa06ac923cd0c2eb

        SHA1

        8abb0bfec058d8367258623a8e2575716140483a

        SHA256

        012bccd3217a3a820efaeb4c96b4c30bae67e531dc3b8b703ddba1c9907f9fcc

        SHA512

        f13dd33db459b3573a3bde6968ea0d4bac678a21a9f9cc6cd434691722b273c67d6424a8a2af42e8791f48c91a338573d374feb0c17fdc4af01a1144200aa658

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E118C121-D3D2-11EF-ADF2-CA65FB447F0B}.dat

        Filesize

        3KB

        MD5

        67c9b108b7d243af95c9ff53292a82f8

        SHA1

        ab595a6ca5a8f7cf099d5368d8a4014e5c93afe3

        SHA256

        fd3b5edf3e6d61b1b8704e1cf23460f8ba8058dd94c613c23e6a2f02644e8dac

        SHA512

        d6b2c909e7253de4797979000d28cfe27f4ba294be50160b33670b9c90f60b95fd90de4bbf9194bd92301e6623901362b4d7eccdc488d5a595ce7343158054cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/1204-32-0x00000000010D0000-0x00000000010D1000-memory.dmp

        Filesize

        4KB

      • memory/1204-31-0x00000000010F0000-0x00000000010F1000-memory.dmp

        Filesize

        4KB

      • memory/2624-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

      • memory/2624-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

      • memory/2624-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-0-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

      • memory/2624-6-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

      • memory/2624-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-2-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2624-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4268-28-0x0000000077192000-0x0000000077193000-memory.dmp

        Filesize

        4KB

      • memory/4268-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/4268-34-0x0000000077192000-0x0000000077193000-memory.dmp

        Filesize

        4KB

      • memory/4268-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4268-18-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

      • memory/4268-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4268-38-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

      • memory/4268-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4268-25-0x00000000004B0000-0x00000000004B1000-memory.dmp

        Filesize

        4KB

      • memory/4268-26-0x0000000000400000-0x00000000004CB000-memory.dmp

        Filesize

        812KB

      • memory/4268-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB