Overview

overview

10

Static

static

3

JaffaCakes...77.dll

windows7-x64

10

JaffaCakes...77.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2025 08:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll

  • Size

    272KB

  • MD5

    1fcf2a538f2708342acbfb01ce584b77

  • SHA1

    0c4d2ff956f0319261203ec2946235546f46e8c0

  • SHA256

    5c81f6cbe9028f358e71d67da0acc6fb14cee4d1f9d3e9996120c0f2cf69bf00

  • SHA512

    d821f64ae78a724d62c2b4097938c7c3bbc4e28a9ddc884d10b30c9085ad44debc17b46d86b0e9a069f133606d64f24b064ba79580e92c35796b9151037e1498

  • SSDEEP

    3072:261Ye3TaEu2CoCcn3zO7A4D8XHDfTGuwnh7BJz3gOu2RkEVae:rTa12CoCckAe8Dgt0Ol

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fcf2a538f2708342acbfb01ce584b77.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4780
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3960
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 204
                6⤵
                • Program crash
                PID:3172
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4808
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4808 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2256
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1412
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 608
          3⤵
          • Program crash
          PID:3232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2932 -ip 2932
      1⤵
        PID:2212
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3960 -ip 3960
        1⤵
          PID:740

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          dc142ff8759ecb81417ba231bbcf25d0

          SHA1

          201681d524cde8af5c11b5111f5fa697521c5739

          SHA256

          d6e2a573b1e137d8b823b82cfeaadeb30df36a0fa7a268a1278465b28fdc7bb6

          SHA512

          b36456cf3ef37e4bbe0e4acf8b25cc85a39f8517d1b80b3191b1be7ddc6d58c74247b2d9dedb0b67ac4f8a2f3d92773e90aee326cfe612f8573ba6ad6b73e833

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          2fc6646129639c522379b50023d46cd0

          SHA1

          3127a5112cdd626eb63d1374b916737638dfffac

          SHA256

          e130b7ad9e1cbf73a4ae73ce3f8961f9b9e7aba93239bb9922bc5e48750aa240

          SHA512

          39207438343a317b0bb0073a8397ea51a64e61a71e9a77781ae6dd62de89626f9457852cf674beb6ce011be01e9998ddaa19807b05ea31951a6d8629ab6ad81f

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          19dcf39026bc20e268710ff96b37cba7

          SHA1

          877673d28499094ee65b49055698dac41599f545

          SHA256

          5c0d6b6d76cf880e09d3701afd17bd0a117e5491927e07e9d34a22719ce5281b

          SHA512

          4b4151c652dd298f7c9b6e2a88328c737ea7ad8aa8590dd4a2e1c4f582789961de5ad023ad5954bf279ad9e820ab2bb41c8278bf75c506f8d838781f87c37f5d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          a02522e5aafda63d063e94d0bdb56541

          SHA1

          1546a99d333a7883a412d65bb87f57431352591b

          SHA256

          8930df1cf8e493a337b214b01e161182afee4ce92efa2e03d32c01b608e371ba

          SHA512

          e6a50a69dd399b6d2fb4e5e88451532e66b16a481a507182f086cf74210ef25b91ba22c47d0d3518d00d43738784c2d1aa614db9d9b0373b543ad78f1fbd8e9d

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          284e97945e0769cbf57016cd2fb171f3

          SHA1

          6ffcf5aec191ad512c31d13e89eef899e2b4620d

          SHA256

          2ff031fad60502cf6a93c9dd02ea1c38a53f35d0f3a132c9f82e030f478c2a71

          SHA512

          95c70238a401b41c59445c6bee03faa92d7457cc5e8648fb425685f70e14b6dc213c243f3de4710d0415da85ff020fcdf8a2379034d005519f1ff8bd9390b00b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A20494E-DA30-11EF-B319-CE95CE932DF6}.dat
          Filesize

          5KB

          MD5

          7d1a927e3fb4746e2f0d44d14e140b1e

          SHA1

          d4e7df66b3b4fddc9feff36b323eb69db3f915ec

          SHA256

          c478c86e4f1493acce8cd650f6359e40568fbb1525f25b0fba5462a71f5176a0

          SHA512

          504e9fe57677a2c439daffb18f5089194c16376def61da317b85dea16a546d947c7b3b0c04a052383a01bfeb15fe696cac2896eb6cd7e92d2401963b63935741

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A22AACF-DA30-11EF-B319-CE95CE932DF6}.dat
          Filesize

          3KB

          MD5

          2eb636b7035d3e5554bc4fdae664bf5e

          SHA1

          cf6435485a92df2faf804111c7ff928d537df91f

          SHA256

          12c7c60533209bb2459299b840c5350f373ba2b5382592acf18c4c226b701f68

          SHA512

          da48dcd2e6a20cbe5908dc735c212b707362496d807715d16c48d50b16d533eae66f5c93bad516a1b920bf9d26662545e05ff9572edfe9183d6c85ea98e71c32

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          207KB

          MD5

          d27fdd034caf68959b687174ef2ab8db

          SHA1

          5c1003a7383d8a9163efd9f1b30345d2ab6a49b8

          SHA256

          f5b72968cebc82ccce4cad4b1bad411e13dc29ee92d0133f4818f2de36d52b0c

          SHA512

          8750ffb67b6fa73078a99b5a2c7db8454885a3758e5813c3074689d3de0c23e4553d62ae092349aafeba863b54429d0a2fa6eea58b48d4d4576d1550c6cbc3f7

          Download Submit

        • memory/2240-32-0x0000000077B32000-0x0000000077B33000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2240-38-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2240-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2240-36-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2240-28-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2240-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/2240-30-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2240-37-0x0000000077B32000-0x0000000077B33000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2932-1-0x000000006D100000-0x000000006D144000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2932-35-0x000000006D100000-0x000000006D144000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3960-33-0x0000000000550000-0x0000000000551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3960-34-0x0000000000530000-0x0000000000531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4780-10-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4780-21-0x0000000000401000-0x0000000000404000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4780-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4780-6-0x0000000000401000-0x0000000000404000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4780-5-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

          Download