Overview

overview

10

Static

static

3

JaffaCakes...af.dll

windows7-x64

10

JaffaCakes...af.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0698f2de0278691f029a796897b570af.dll

  • Size

    258KB

  • MD5

    0698f2de0278691f029a796897b570af

  • SHA1

    0e2b2eaf168f39947a6de7d96d16fceb3cc1fd7e

  • SHA256

    58afb73ef84043100faaa5aae87cdf72286d70c1efff10949d1833116f320e58

  • SHA512

    aa14610a486a36ed1499e5261eab0bf798e6d1722570fde6d5dbd4cc69e99d2004048e22d3e4272f105214a67489a4f043e617d40326d990431d188c59cea4e8

  • SSDEEP

    6144:jCIGPj038tAgFMldWNX+1gEjbOWwSRUo0:oj038t/FMldW4mEjbHR0

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0698f2de0278691f029a796897b570af.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0698f2de0278691f029a796897b570af.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3524
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4504
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 204
                6⤵
                • Program crash
                PID:4300
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1636
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4972
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4244
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4244 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 608
          3⤵
          • Program crash
          PID:4652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3592 -ip 3592
      1⤵
        PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4504 -ip 4504
        1⤵
          PID:1800

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          fbd57568c7e969025fd7a77d6a9e5f45

          SHA1

          d8c221556c7dbeb55cbfe80a3006b6578e2ae4bd

          SHA256

          b820d32dc781d4a3af1cc452d73d4f57e1d963da4cdec90cb0660837657c8328

          SHA512

          c8d4e5b78e01570d02f0953bd0ebd818ed2985dfc5006ba39ce101693f1bc9de8550b9149d3028911ec5c1371b813f0bc8391d10294e04022b52a91c3d47f5cf

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          92675bc1ada2148e790161cff6fd3c28

          SHA1

          49435f62e99dcbab61668cf95e4b222f287c67fd

          SHA256

          629aa6cd9d3e8d7d347b9a066ac02994b25ef7feab139098ef33e48a2adb2691

          SHA512

          d13104e95d7c2e42a05e2a32e31def8594e23a05fcdbdbe250d609c886d0edcfb555ea1ccb1ab1ba32e667ef910684e8439658c376dead75ed811f7978a862b3

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          368470557668e3fcfc55e99e7d8525d1

          SHA1

          05d6322bbbe2ca736edc7684c11cc6c72416b5c6

          SHA256

          935362444294562d0486df62237862b33dd6532ede526836df718f4fcc074fa0

          SHA512

          7db803c6811e0acf089f765667e3afa6263197a1c1e9b6f71044163a68adea1a13abd24d38b904a120bef99536feafd99fa75b36d3fe3cd55af9c0cc47f1b80c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{434CB49F-D825-11EF-A7EA-5EA348B38F9D}.dat
          Filesize

          5KB

          MD5

          d08b8c7644eda0e0ab01d000dee35b0e

          SHA1

          37085d44c2dcc706a2f99ea54020aef9fa867094

          SHA256

          a9729f7b615eeff99f38a9f8368ee5d56aa32ec8ccc34ab51aaf553333abba4a

          SHA512

          8182b61b6d4f384898372294168c87c15b1de4d77aed49186cf5de03a0717b289c1fc16e7762555e7ebde54f1ffd89a0b90045653b9ea38d021b15638fb4489c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{434F16D0-D825-11EF-A7EA-5EA348B38F9D}.dat
          Filesize

          3KB

          MD5

          9d685830b893ce9f721224d545fb07e0

          SHA1

          9d6fb29ddf42c296f0a141721ccb1a089c2e800e

          SHA256

          c2ad84d028aff2706b4ae051d45ff16d3644a0cbc52b2f9dcb9b01c4fa6b4bb2

          SHA512

          fa3ec3c9a5e3ffd90cc0606c44e0bcf1e933ec16667305e00eb6a96017b6f634913a0d470f40e8d9d1aaf71a31e822a9f015089f4dce82c8acf3e1cdad3eb9b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          92KB

          MD5

          4ff6af3c7917333f6962d041c1c138b0

          SHA1

          3da870a75d92c62b798b0b2c82a8828e0fd1a6e6

          SHA256

          23b1beaef490a528030292949c5aaed7c7e7817be137483bb9c0444d0f9e9204

          SHA512

          39531a5ed1d391e9f860700c9c054bcc5a9a0eb002dc47aae2c3a0dbdedcb0ac02eb9d3a2bd1d678670610ba689aadb6e9d7ca7e538534e985b5365dd4f2c3d5

          Download Submit

        • memory/3524-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3524-44-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3524-22-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3524-39-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-40-0x0000000077642000-0x0000000077643000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-38-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3524-30-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3524-31-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3524-32-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-33-0x0000000077642000-0x0000000077643000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3592-37-0x0000000010000000-0x0000000010045000-memory.dmp

          Filesize

          276KB

          Download

        • memory/3592-1-0x0000000010000000-0x0000000010045000-memory.dmp

          Filesize

          276KB

          Download

        • memory/3940-7-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3940-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-5-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3940-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-6-0x0000000000401000-0x0000000000404000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3940-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-10-0x00000000008A0000-0x00000000008A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3940-23-0x0000000000401000-0x0000000000404000-memory.dmp

          Filesize

          12KB

          Download

        • memory/3940-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-15-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3940-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4504-35-0x0000000000C00000-0x0000000000C01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-36-0x00000000009E0000-0x00000000009E1000-memory.dmp

          Filesize

          4KB

          Download