Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2025, 03:29 UTC

General

  • Target

    JaffaCakes118_1d87460328f131cbb148c623653af5d0.dll

  • Size

    374KB

  • MD5

    1d87460328f131cbb148c623653af5d0

  • SHA1

    2b5807abc9e67d579d1da2883cc94a88376f477f

  • SHA256

    1eab24327bf917820a207a9bac437f4e841d15e13303714ace0543fb30eef968

  • SHA512

    f61b54e228528bb308543099fdb33ce28a0c9b67fe600189dff12f7f7c3d54806f2bd3cd6229b6f030ea602effe64ae775206573526968393dda86439b995382

  • SSDEEP

    3072:L0NbrbkYHUyP9eECVWfpIhbWoVnW6IioARoKO7JurqeBTg4vRP86TvOB5n+902nN:ArkYHjIWeWcd71byngzFd+W7JQQVZ

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d87460328f131cbb148c623653af5d0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d87460328f131cbb148c623653af5d0.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:5104
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 204
                6⤵
                • Program crash
                PID:4996
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:540
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2356
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 608
          3⤵
          • Program crash
          PID:3152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 4048
    1⤵
    PID:5084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5104 -ip 5104
    1⤵
    PID:4132

        Network

        • DNS (US)
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dns.google
        • DNS (US)
          28.118.140.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          28.118.140.52.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          20.49.80.91.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          20.49.80.91.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          76.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          76.32.126.40.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          244.160.67.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          244.160.67.23.in-addr.arpa
          IN PTR
          Response
          244.160.67.23.in-addr.arpa
          IN PTR
          a23-67-160-244.deploy.static.akamaitechnologies.com
        • DNS (US)
          api.bing.com
          iexplore.exe
          Remote address:
          8.8.8.8:53
          Request
          api.bing.com
          IN A
          Response
          api.bing.com
          IN CNAME
          api-bing-com.e-0001.e-msedge.net
          api-bing-com.e-0001.e-msedge.net
          IN CNAME
          e-0001.e-msedge.net
          e-0001.e-msedge.net
          IN A
          13.107.5.80
        • DNS (US)
          13.86.106.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.86.106.20.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          104.219.191.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          104.219.191.52.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          56.163.245.4.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          56.163.245.4.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          241.42.69.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.42.69.40.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          181.129.81.91.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          181.129.81.91.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          161.19.199.152.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          161.19.199.152.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          134.130.81.91.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          134.130.81.91.in-addr.arpa
          IN PTR
          Response
        • DNS (US)
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001.a-msedge.net
        • DNS (US)
          172.214.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.214.232.199.in-addr.arpa
          IN PTR
          Response
        • 204.79.197.200:443
          ieonline.microsoft.com
          tls, http2
          iexplore.exe
          1.2kB
          8.3kB
          15
          14
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
          90 B
          1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          28.118.140.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          28.118.140.52.in-addr.arpa

        • 8.8.8.8:53
          20.49.80.91.in-addr.arpa
          dns
          70 B
          145 B
          1
          1

          DNS Request

          20.49.80.91.in-addr.arpa

        • 8.8.8.8:53
          76.32.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          76.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          244.160.67.23.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          244.160.67.23.in-addr.arpa

        • 8.8.8.8:53
          api.bing.com
          dns
          iexplore.exe
          58 B
          134 B
          1
          1

          DNS Request

          api.bing.com

          DNS Response

          13.107.5.80

        • 8.8.8.8:53
          13.86.106.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          13.86.106.20.in-addr.arpa

        • 8.8.8.8:53
          104.219.191.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          104.219.191.52.in-addr.arpa

        • 8.8.8.8:53
          56.163.245.4.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          56.163.245.4.in-addr.arpa

        • 8.8.8.8:53
          241.42.69.40.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          241.42.69.40.in-addr.arpa

        • 8.8.8.8:53
          181.129.81.91.in-addr.arpa
          dns
          72 B
          147 B
          1
          1

          DNS Request

          181.129.81.91.in-addr.arpa

        • 8.8.8.8:53
          161.19.199.152.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          161.19.199.152.in-addr.arpa

        • 8.8.8.8:53
          134.130.81.91.in-addr.arpa
          dns
          72 B
          147 B
          1
          1

          DNS Request

          134.130.81.91.in-addr.arpa

        • 8.8.8.8:53
          200.197.79.204.in-addr.arpa
          dns
          73 B
          106 B
          1
          1

          DNS Request

          200.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.214.232.199.in-addr.arpa

        • 8.8.8.8:53

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          dc142ff8759ecb81417ba231bbcf25d0

          SHA1

          201681d524cde8af5c11b5111f5fa697521c5739

          SHA256

          d6e2a573b1e137d8b823b82cfeaadeb30df36a0fa7a268a1278465b28fdc7bb6

          SHA512

          b36456cf3ef37e4bbe0e4acf8b25cc85a39f8517d1b80b3191b1be7ddc6d58c74247b2d9dedb0b67ac4f8a2f3d92773e90aee326cfe612f8573ba6ad6b73e833

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          91f7e089c8bbbe9f36947bc281cdec17

          SHA1

          f238784a8a47afe4a52b9716609763ddf98ada82

          SHA256

          69feb4e764bdd237177a32246ffaf069132d472947ec2e522fb97dbaf68a16bf

          SHA512

          afdd86f1e8311a5c534954c4c2a89f869bc763c715199afb67b9d36d2e5b0f18ba8124d3d2d4c0575d17c6f3c99faeefeab2d1addff25b6edece5134b91d5336

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          c1156bcf0613a17fd2f7b53fe167be1f

          SHA1

          e15547a90cdbcc2818f3d66f5be0d94d15543f31

          SHA256

          f300bae8e8e26f57d2b15f1f58b94e548aa4eec4c04d885cdbc65c9e635b89ac

          SHA512

          bd5c309394afebae3de20c3d2dd8d1449de60215ec083f5131efbef9b14578cfa16b4db15753afc5709b9949303dfaac87081aa36626519ec3152065f943caee

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6BAE5064-DA03-11EF-AF2A-CEB9D96D8528}.dat

          Filesize

          5KB

          MD5

          8f864e9cface076c67bbb82fafd9ab0d

          SHA1

          8d30571674bfa7e72c164b7d21d72a474e484f22

          SHA256

          dbdabf330e282bfaaa52a7d81789ea3766273c3271e198c2c548c5237eadf20f

          SHA512

          7a8d9f23945d43991fff7bd3e65301555b1c64582204efdd36800031417ecc9df1f83f074724ef93c53bf37634cfc5e16c7f24735e67853e0cd4eaff5e6741d7

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6BB31506-DA03-11EF-AF2A-CEB9D96D8528}.dat

          Filesize

          3KB

          MD5

          fc9e185bed62544a7b9af9f315e84c86

          SHA1

          498b2d353e2a5ef3e11f24044c75e70ce7956c79

          SHA256

          5f6f6a12fb10862d6ad12363c72a0a32cc9b08e8893c8f012645178c2001d03a

          SHA512

          3b7891557de23e63169a7729d7078257dc18f28621bce1a2df8354b8ff6a13ae04bb6f19fc86f28b063af4d2a35eb015b4eceb7cc76ee1486f1b9b8a063cb367

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          207KB

          MD5

          d27fdd034caf68959b687174ef2ab8db

          SHA1

          5c1003a7383d8a9163efd9f1b30345d2ab6a49b8

          SHA256

          f5b72968cebc82ccce4cad4b1bad411e13dc29ee92d0133f4818f2de36d52b0c

          SHA512

          8750ffb67b6fa73078a99b5a2c7db8454885a3758e5813c3074689d3de0c23e4553d62ae092349aafeba863b54429d0a2fa6eea58b48d4d4576d1550c6cbc3f7

        • memory/1500-40-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1500-37-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

        • memory/1500-44-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1500-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1500-21-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1500-33-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1500-30-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1500-38-0x00000000779B2000-0x00000000779B3000-memory.dmp

          Filesize

          4KB

        • memory/1500-39-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1500-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1500-28-0x0000000000430000-0x0000000000431000-memory.dmp

          Filesize

          4KB

        • memory/1500-32-0x00000000779B2000-0x00000000779B3000-memory.dmp

          Filesize

          4KB

        • memory/2184-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-12-0x00000000008C0000-0x00000000008C1000-memory.dmp

          Filesize

          4KB

        • memory/2184-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-16-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-6-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/2184-4-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/4048-36-0x00000000753B0000-0x0000000075413000-memory.dmp

          Filesize

          396KB

        • memory/4048-1-0x00000000753B0000-0x0000000075413000-memory.dmp

          Filesize

          396KB

        • memory/5104-35-0x0000000000450000-0x0000000000451000-memory.dmp

          Filesize

          4KB

        • memory/5104-34-0x0000000000470000-0x0000000000471000-memory.dmp

          Filesize

          4KB
