Analysis

  • max time kernel: 93s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-01-2025 23:14

General

  • Target: JaffaCakes118_0845a31c7483a80013a143dad45c595b.dll
  • Size: 124KB
  • MD5: 0845a31c7483a80013a143dad45c595b
  • SHA1: 398e946b819205be953ebcbbfef8477051ff3f3e
  • SHA256: 07fff1d2d0324137a05dc6a2ca9a7eed6e277ba99476cd2795d97f5ed761c627
  • SHA512: 76562cdcb0a87c47ca760dae2842e76a9482c4eb4622a29bbabfb80a2c08dd027de0b5c8b6d9b7fd0a54225f2c3f92a0638168b3657fa3dcae7c4ce5b4fa19e6
  • SSDEEP: 3072:G61Ye3TaEu2CoCcn3zO7A4D8XHvVx5RwCALswS5rKe:bTa12CoCckAe8fr5rB5

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0845a31c7483a80013a143dad45c595b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0845a31c7483a80013a143dad45c595b.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2092
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:3564
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 204
                6⤵
                • Program crash
                PID:4220
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3672
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3672 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3012
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2228
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 608
          3⤵
          • Program crash
          PID:2556
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888
    1⤵
    PID:4620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3564 -ip 3564
    1⤵
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: fbd57568c7e969025fd7a77d6a9e5f45
    SHA1: d8c221556c7dbeb55cbfe80a3006b6578e2ae4bd
    SHA256: b820d32dc781d4a3af1cc452d73d4f57e1d963da4cdec90cb0660837657c8328
    SHA512: c8d4e5b78e01570d02f0953bd0ebd818ed2985dfc5006ba39ce101693f1bc9de8550b9149d3028911ec5c1371b813f0bc8391d10294e04022b52a91c3d47f5cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 3c09b4e27bd273e2a35177f5ff082d3e
    SHA1: 168153d9411575444a6fee99b0b56597dfd009a0
    SHA256: ceeb8b5ff749aaf72944cfed2df3707faa12f9cdb059388ee0d24958a98586e1
    SHA512: c8512f40c4227a9c19a34dfb5257b33946ab5d312bf0b1dbdef84212fde75453d9c3a8d9ad6796aa3b793241cb676364b53bd1c2d0d505439cd11a8d333aa4fb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 2c73fead981f875fe39639a730e8304c
    SHA1: a46c5a259fd0540696df36f159713ccf78f9ba17
    SHA256: 6ffe529c9b660dd9ed9d5b3f8eac7ecbc5b59d6ea3fe8375dfb5bcfd0d3001c2
    SHA512: 73120d51f672628d81a56f2d7899bd323d295ce377da15bd281d98c5dea55e104e4c9e522a11dbb600f757189f4ff75b7573fd9d17d116a2fb9f87cabee80e51

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86C19167-D84D-11EF-BDBF-520873AEBE93}.dat
    Filesize: 3KB
    MD5: 3119d54e220962fe29d6e101b3ae2277
    SHA1: e68cb9c57223a7783c4812951ef82b87b90eacf0
    SHA256: f1f0db30aa224a0b99b887a4abcb918b2de85d585e5af48858e19685331175b1
    SHA512: dd34a2f4a8916913088de1ef642efd01cf0ac49152a8a13293d8f981a4c6834484adf13bd58537873f5a97e31642f7bff35e11c90278a66d9bd42c974bccfea7

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86C3F349-D84D-11EF-BDBF-520873AEBE93}.dat
    Filesize: 5KB
    MD5: 4efb96e06941a4db66bbea3989b21991
    SHA1: dd1438e1da306a84708cc0e3e194eebf14348d73
    SHA256: 162e1a9150e1461e6c7225f7f048450081fef39ea893900370310c3071bb6ec7
    SHA512: dcc3b7e8b0960ba8f08ba3efe07c3309907732a354261cd56d0c1948b526dea131778e5f223cb577382aaf8a67ae721f2bc90db3bd41f8834f523e1072e1a634

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize: 59KB
    MD5: 0e0f0ae845d89c22bb6385f64a6b85fd
    SHA1: 0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac
    SHA256: 5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd
    SHA512: baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

  • memory/2088-36-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2088-34-0x00000000770F2000-0x00000000770F3000-memory.dmp
    Filesize: 4KB

  • memory/2088-41-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2088-27-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2088-29-0x00000000770F2000-0x00000000770F3000-memory.dmp
    Filesize: 4KB

  • memory/2088-28-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize: 4KB

  • memory/2088-37-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2088-35-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize: 4KB

  • memory/2092-11-0x00000000008C0000-0x00000000008C1000-memory.dmp
    Filesize: 4KB

  • memory/2092-12-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-14-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-7-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-13-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-9-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-5-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2092-6-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/3564-31-0x0000000000D40000-0x0000000000D41000-memory.dmp
    Filesize: 4KB

  • memory/3564-32-0x0000000000D20000-0x0000000000D21000-memory.dmp
    Filesize: 4KB

  • memory/3888-33-0x000000006D100000-0x000000006D11F000-memory.dmp
    Filesize: 124KB

  • memory/3888-1-0x000000006D100000-0x000000006D11F000-memory.dmp
    Filesize: 124KB