Overview

overview

10

Static

static

3

JaffaCakes...4b.dll

windows7-x64

10

JaffaCakes...4b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_14ad43217a55a86f51b05be8f0bf574b.dll

  • Size

    211KB

  • MD5

    14ad43217a55a86f51b05be8f0bf574b

  • SHA1

    999cfe432875832d12820162c13a40f32c4754fc

  • SHA256

    7d303510d1eb72e62f8cc5978e1dbfed7d789cd701bf8a1b8dd7864db953edd0

  • SHA512

    1cd04c3f3fb7e343d181bba8f0cc31bbb1378a57ad95d8d28eab2dcfdfa6f317bef03ce71593fded91c2f38d0fb22d35beb980654c8ef6442a125a8aa6856118

  • SSDEEP

    1536:FkWv+m3NWbVQqtfTsbgrlNBPFsdaOjTCsD1nzf/9r:FkTm3NWbVQqxob6uTDBzVr

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14ad43217a55a86f51b05be8f0bf574b.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14ad43217a55a86f51b05be8f0bf574b.dll
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3604
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 204
                6⤵
                • Program crash
                PID:216
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2852
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4248
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
      1⤵
        PID:2484

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        2c48c73220d62a8faffe599e95896274

        SHA1

        452cd4222360fe7e881055d815ec65a2bbac564b

        SHA256

        35a3978f9dea3056b0c4a0a1945d785bb7a0022484782f414fa9ffa04f3d5967

        SHA512

        6547f2798297acc7ac11506328ef05f29074655f3e5a60adb188106c769806a2b1a8a15c7bd38c39da560df7df953798561398245667095536fc5748692cc9d8

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        b892bd30e2785a4202634ec8955e9c4a

        SHA1

        c12f5666d3e8c5d5cef40cdad5e007b4304baf2a

        SHA256

        e6b3e6868347dc6ed5db2d905f44748ef0c31ab770374e4bcde3e08052153951

        SHA512

        a8063c594f73858bbe9fd608b35be15d6e6267d22f0a16b17318d587d9c90a82e1987fff6ddc13fcb4e4979f5b7a5e84b55da1c6b244d39b5f0dbc2a0c6a59e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37C139B3-D956-11EF-BDBF-6AACA39217E0}.dat
        Filesize

        3KB

        MD5

        1bfd79f0cb44498271ddb4fbfede5d5b

        SHA1

        9ca305f44a563ce8677ae32372257ede6087e7a8

        SHA256

        0fa9e1a63b61a05f906de63414a2c56c42cdeb99bfca4007d5a20dddf4303462

        SHA512

        03baff9b5b4f1dcc9d1b6d96904c28482e593321c8f3f07c8c525053f396eeee4d7fb9cfcdd47b06a6af74304df4940bb6d41992376f4d2e4a8c9deff5b6ac81

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37C39B65-D956-11EF-BDBF-6AACA39217E0}.dat
        Filesize

        5KB

        MD5

        bc8d99dafe24f98d76dad7f7104e0d35

        SHA1

        052920bfb2580d2ab13ff85c97d07df4f9155544

        SHA256

        65720860b8f2c3d70d40ab586369cb56229eaf2d626afe54eff8589742cb7231

        SHA512

        fcdc891dd8191a7d76a6476d609e75b11d7841b4e4a0f231ff82a39a382e61e0a36deec39e3fd55d9faf189d462bb66fdd162430678de7f6502054f9c25db184

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        204KB

        MD5

        2adc5366ba8cb74ff49d3ce3ec5a79c8

        SHA1

        3b6540f48f0c77d609ad5938158afd7a8f4d5155

        SHA256

        38f30d351ad68266118057ef971bd45af0d6a02fbd27c90da108e6c75bb07490

        SHA512

        07f09ee289b6d15357b66c4600eeb14cb07b7af231ebe56d45ce31879cce80427486c01c4becfce162a3ba7c05c3f96783e20f75fe0a08871fb44f1e75f10722

        Download Submit

      • memory/1648-35-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1648-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1648-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1648-36-0x0000000077A42000-0x0000000077A43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1648-32-0x0000000077A42000-0x0000000077A43000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1648-27-0x0000000000470000-0x0000000000471000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1648-31-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1648-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1648-28-0x0000000000400000-0x000000000048D000-memory.dmp

        Filesize

        564KB

        Download

      • memory/2184-1-0x00000000753E0000-0x0000000075419000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2264-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-11-0x00000000028B0000-0x00000000028B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2264-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2264-4-0x0000000000400000-0x000000000048D000-memory.dmp

        Filesize

        564KB

        Download

      • memory/3604-34-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3604-33-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

        Filesize

        4KB

        Download