Overview

overview

10

Static

static

3

JaffaCakes...24.exe

windows7-x64

10

JaffaCakes...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2025 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e2bc7f59299a26520ecb304c97580024.exe

  • Size

    123KB

  • MD5

    e2bc7f59299a26520ecb304c97580024

  • SHA1

    4562c22a3e01f235d0b57553c5e00afceb35789d

  • SHA256

    14cce378189977dc67738a88b7f9227724abce6c3b394d46431d16fc1989e24a

  • SHA512

    3e6f6afb11679e1581f3036d9764ed80c04311fd03b4c107aba51f7c4f6bcb872e3eec65b59a85cd8e079d7bb3f58384497b071cd91bec1890112be67c99dd82

  • SSDEEP

    1536:eVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEqd/04QKcNjU:OnxwgxgfR/DVG7wBpEET3cFU

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bc7f59299a26520ecb304c97580024.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bc7f59299a26520ecb304c97580024.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:4796
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 204
            4⤵
            • Program crash
            PID:4576
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2284
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3532
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4796 -ip 4796
      1⤵
        PID:2184

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        123KB

        MD5

        e2bc7f59299a26520ecb304c97580024

        SHA1

        4562c22a3e01f235d0b57553c5e00afceb35789d

        SHA256

        14cce378189977dc67738a88b7f9227724abce6c3b394d46431d16fc1989e24a

        SHA512

        3e6f6afb11679e1581f3036d9764ed80c04311fd03b4c107aba51f7c4f6bcb872e3eec65b59a85cd8e079d7bb3f58384497b071cd91bec1890112be67c99dd82

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        0ada2095c461df5a751955aa41dd491e

        SHA1

        8366c54b31e1ddc8016aa22aab8c83f73c690810

        SHA256

        80cd542688ed3a45669b53243c3f4922d6eb21a34d8dfeebc6c101484d3bac09

        SHA512

        135991affe343d4358bb15a693effa7a6813d6715e555729d2aa04a98555e13fded55d3100a41a92a5beb57c68fbdacb199a3e66407944e37880b28d42d79e7c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        3977ee018b6e67f84489844913aa0e71

        SHA1

        b834e164af3eb1b1de71ba41dd50a890a3e30801

        SHA256

        d9e3ccd965a8a085a291cd4b73cf01675aadfc7a7f203650c77669ce0827924a

        SHA512

        775414df21440a9c68c04d1ef89c1fb2777c1a0007c62d81165d7c92363bab4840051a50ad80a1cce87cf05d94c421d59df9e3aa7b07655d5a89642d64488eb0

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        77e6c238a3ad101e98524219bf1e4bbc

        SHA1

        d563350f1c555ed1d0779a22d07a4a7eb7651cd8

        SHA256

        03b21f11846610c8205b946ae499fac456fb396246c462797af486e732aacc6f

        SHA512

        fc6bc3bec9db7c4baeae7ed740c64412f5dc36b0d6f69e5862b44f75685ce1c9ee3e668a0c9ef50d8278e19549f10500ed9148a6bb0dc08161f55714c16cb0cc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{38A35C6D-D71D-11EF-A7EA-F6235BFAC6D3}.dat
        Filesize

        3KB

        MD5

        568f7179949322f47b47d7e611a9ade0

        SHA1

        d627783bfd62b2adc51d56ae32f1102f27c124f3

        SHA256

        3f17d679adc6504d269a2501a0948aa82e7f2b8f121310138649f6c4c44890c1

        SHA512

        3e1d3bd612f10fbe18cf5e00d5367b40dd689001782681d477b3a31340763840e6852f61e7b63e5e2849fd613675e41758b029a081fef44dd94dfc97c47a9455

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{38A820B4-D71D-11EF-A7EA-F6235BFAC6D3}.dat
        Filesize

        5KB

        MD5

        a86c0ecfccf050084b1442878751fa22

        SHA1

        20c2d93b3c5d174a84e93bedab80fb7e2de8edeb

        SHA256

        63590501c1fe8a48d2cb33f24f9d1bd471746380798391ddedf86d5bc68043e3

        SHA512

        7a1211563a2a3724e84e74d32ca972861d7f6815e9e862d35f14f3ed868b6236efc0d5f742c8f7a7a1b41d5e47cc57dd1120239b90a13a553d266049ad2e8fbd

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/456-34-0x0000000077252000-0x0000000077253000-memory.dmp

        Filesize

        4KB

        Download

      • memory/456-28-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/456-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/456-35-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/456-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/456-25-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/456-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/456-27-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/456-29-0x0000000077252000-0x0000000077253000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4796-32-0x0000000000150000-0x0000000000151000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4796-31-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5036-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-6-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/5036-2-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-0-0x0000000000400000-0x000000000047A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/5036-7-0x0000000000930000-0x0000000000931000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5036-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-3-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5036-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download