Analysis

  • max time kernel
    94s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-01-2025 18:27

General

  • Target

    JaffaCakes118_19f447bf03a5055f379751ec9d47735f.exe

  • Size

    408KB

  • MD5

    19f447bf03a5055f379751ec9d47735f

  • SHA1

    dd5c17cd3ed77005e76d4572415ee8af88da86c3

  • SHA256

    7c6dbf173631073895a2664383561c04e3e7344e0dd2a1e82ffd3267cafb967e

  • SHA512

    70e4429c2188b9917042af395cdddc409c9a4b587aa20f96f47362168a65a98ce8fa60091ab70f5eb4c396812445ef0ab1647f8a00aa48f27b63142c450c2d7f

  • SSDEEP

    6144:8lSDpABxavrQLKLl5enErwbBxVED8bR3javMVoyoHXI1pX:8EDpOIrQLKben5bBxaeRzxgI1d

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 4 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735fSrv.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735fSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735fSrvmgr.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735fSrvmgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3568
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 10176
          4⤵
          • Program crash
          PID:3816
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4020
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 10176
            5⤵
            • Program crash
            PID:3004
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4020 -ip 4020
    1⤵
    PID:1940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3568 -ip 3568
    1⤵
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe

    Filesize

    94KB

    MD5

    f8434f362add5334f4f050f4b4b373a7

    SHA1

    f5915cb0d72c8faffe11126bc29da1b1db8092bc

    SHA256

    d34b378ede04c585c2bff8cf32112904e8512ee80c5a9fbb34ba224d8dbc868b

    SHA512

    6c6b4ea2b0e37a346145ee2814789d9da4c2688aff1c3e1cced16a620e8dc81566670336a3fe8a510b1754bbac6c3c6ac20aa7e20359b9c322bb220b50ac30b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    dc142ff8759ecb81417ba231bbcf25d0

    SHA1

    201681d524cde8af5c11b5111f5fa697521c5739

    SHA256

    d6e2a573b1e137d8b823b82cfeaadeb30df36a0fa7a268a1278465b28fdc7bb6

    SHA512

    b36456cf3ef37e4bbe0e4acf8b25cc85a39f8517d1b80b3191b1be7ddc6d58c74247b2d9dedb0b67ac4f8a2f3d92773e90aee326cfe612f8573ba6ad6b73e833

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    9019af91bbe85cc069666dc03ce17a4f

    SHA1

    40d23831655b6eb1c9729c9e14d0e1f57482b0d9

    SHA256

    997b0c8257c70c5099a904d01cc29fdd93f4c2df7b0c48fb527caa81251668b0

    SHA512

    e787c2bdb2f491db34ddf2f749f9f10654f68fc0153a85f750bc9401c18df9f001fd6128eec7129474d97f4ffc22e977781ef4645c3cc4a43638ec12f91e421a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19f447bf03a5055f379751ec9d47735fSrv.exe

    Filesize

    152KB

    MD5

    2c60a0eb60587e6e9dbd389576a30d91

    SHA1

    9fc335861b437bb6cb3079fb07e420d8f39a4b12

    SHA256

    e8452f0b8c328b8737d3244729cfb9b5e4295167bfda075b2679c0c9978ab631

    SHA512

    10f7f201c1c6a36d23df72bf333663de844b7dc1b7ab7cdfeb787e66bff2bc47cda3dbe96db2d6ecb2b33364923c8334310ba1a00937e7de3e1cf8e4869e3697

  • C:\Users\Admin\AppData\Local\Temp\~TM78AA.tmp

    Filesize

    1.6MB

    MD5

    4f3387277ccbd6d1f21ac5c07fe4ca68

    SHA1

    e16506f662dc92023bf82def1d621497c8ab5890

    SHA256

    767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

    SHA512

    9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

  • memory/3044-36-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/3044-32-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/3044-0-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/3200-21-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3200-20-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/3200-18-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB

  • memory/3568-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4944-13-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/4944-11-0x00000000005E0000-0x00000000005EF000-memory.dmp

    Filesize

    60KB

  • memory/4944-4-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB