Overview

overview

10

Static

static

3

JaffaCakes...d7.dll

windows7-x64

7

JaffaCakes...d7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_0c50d216390548b09583801e20f742d7.dll

  • Size

    260KB

  • MD5

    0c50d216390548b09583801e20f742d7

  • SHA1

    1185e77d22867ef88fc7934aa65d11840f3e20b5

  • SHA256

    9a093bd4022cfc4b7b455e84081d4347a749a856c2ec58d0e69c57a8738c7bbc

  • SHA512

    f65e17ce3065e5be7adc714b487aeba09df62abe36067ccc3ada18ba4372fc33fede7d8a07f72a925a7383894a5c202f582b1ef788ed9d812b4182639bb4f1e9

  • SSDEEP

    3072:jZmu9K33WSwdJ/tILtAPrL+oxdvKjD4NxBbwsp+OkE8juIcyFkOmWWVGZCF/GzAH:j8b33QqUrSJqBbcjuI5FCWWs0FuUH

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c50d216390548b09583801e20f742d7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0c50d216390548b09583801e20f742d7.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2612
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 204
                6⤵
                • Program crash
                PID:2596
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5020
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5020 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4272
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:2984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2612 -ip 2612
      1⤵
        PID:612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        fbd57568c7e969025fd7a77d6a9e5f45

        SHA1

        d8c221556c7dbeb55cbfe80a3006b6578e2ae4bd

        SHA256

        b820d32dc781d4a3af1cc452d73d4f57e1d963da4cdec90cb0660837657c8328

        SHA512

        c8d4e5b78e01570d02f0953bd0ebd818ed2985dfc5006ba39ce101693f1bc9de8550b9149d3028911ec5c1371b813f0bc8391d10294e04022b52a91c3d47f5cf

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        33f966b3fe659729efc5e83aea2a4720

        SHA1

        fc711d25c8d78c7e70e990f00f2899be059503cb

        SHA256

        ea92a658d834e953e3d7d5f1def5ed052b59860e2602811d557a4cdb1a1e9e8d

        SHA512

        28c519cc0035ed8ff5a0c181f65816589b7fc2bcdc716d866e18dfb5a76aad622c43fbf5cbbb6df7bbec138c83554cd3cdd4b60290cfe54d3ab265f207f0d5c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        117KB

        MD5

        0c00db0a3b1e96c4e73428454f3a5b3d

        SHA1

        cae348375b0e76565de8ace6d8395b52d5d98c2c

        SHA256

        2afdcc089299160da7c303bc24a426db98a374b16a7b536173b62bd1ea9362d7

        SHA512

        64bfebad17c33f1c91a92128226d544866f587445b9ca076c586dedab03e92c927f41f4dfb9e7be65657aa9cb930e9f30c6e7daff751237c5a70e01b6a55ca8b

        Download Submit

      • memory/2216-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-6-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2216-4-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2216-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-31-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2216-7-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2216-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2216-12-0x0000000000A40000-0x0000000000A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2612-35-0x00000000003B0000-0x00000000003B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2612-36-0x0000000000390000-0x0000000000391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3700-26-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3700-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3700-32-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3700-37-0x0000000077A12000-0x0000000077A13000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3700-38-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3700-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3700-39-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3700-41-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3700-42-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3700-33-0x0000000077A12000-0x0000000077A13000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4808-0-0x0000000075430000-0x0000000075473000-memory.dmp

        Filesize

        268KB

        Download