Overview

overview

10

Static

static

3

JaffaCakes...87.dll

windows7-x64

7

JaffaCakes...87.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2025 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2260faa6ded27d0ea29a6ce473234287.dll

  • Size

    204KB

  • MD5

    2260faa6ded27d0ea29a6ce473234287

  • SHA1

    2255bd1375ff9f257b30b9484dac4eb7fb88cfd6

  • SHA256

    7d70a94483ca1e8e84379bfc091bcdd25c64e7dc2f4359ca64adedf52ea5189d

  • SHA512

    82fbfc72526b803884068b943ce79e1d648934180c8dc5acc197b5f403648caea3992ea0795e25162fe66e8660cacd6334ce6b0102ecd9a61b39617c53e84f80

  • SSDEEP

    3072:l2UxPvVKNiNz1a2JRC+Tq/KcnjLFhVz1YyqR:wGvQ4Nx9RHTVmLVz1pqR

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2260faa6ded27d0ea29a6ce473234287.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2260faa6ded27d0ea29a6ce473234287.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2364
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 196
                6⤵
                • Program crash
                PID:4256
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3120
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3120 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3924
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:4072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2364 -ip 2364
      1⤵
        PID:1984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        ce36378334f2edb4e728e0632afebb70

        SHA1

        89d54efcb8c7bbe532e5ad91b38468279d3f5c93

        SHA256

        6be47a3ecfbf81a123c297ee65d70177b4010bfbe728b94b4337453683b9a6e1

        SHA512

        3e09cc9ece1907c072f02f768ec749ceef3b8913f394bb075b1948d0409b7910670b91da7d35160c211d0bf8df05e83409a1ad7493ea53864c41f37305f75aa2

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        90571252df2b01825d4dc943d20e0f8c

        SHA1

        13122b6704725b578074e00328a1a30df6d57f3c

        SHA256

        5a513f19cd72e470a13465aa0d30bf8961b4de21720c35a969b0e4ab0c58ab29

        SHA512

        27fa35333797309e87fb186bfe00335198cae8945aa72f7d736c734030c4832197a2dde5787aa1ef97dc5572322dca32f388c2b6852bdbbd0eb2308a1b987ec3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\rundll32mgr.exe
        Filesize

        103KB

        MD5

        0ff8c1c8de1f818a51512f4d894e30d1

        SHA1

        bd99a343ea5ca5ebdd7207651478a8425054716a

        SHA256

        7cc54785e229b1605103e3219969939eb80f106e9edca3cb380917ac33526d28

        SHA512

        da23767aa25ba5c1bb55c338fa82b1b60853c83fd1e4af28cc023fdd1405b46717bc58137d7bfe7a3a581dcd23de0520ab6ace88434b8cf35b3a0278f516dfd2

        Download Submit

      • memory/880-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/880-30-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/880-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/880-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/880-39-0x0000000077882000-0x0000000077883000-memory.dmp

        Filesize

        4KB

        Download

      • memory/880-36-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/880-31-0x0000000000060000-0x0000000000061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/880-32-0x0000000077882000-0x0000000077883000-memory.dmp

        Filesize

        4KB

        Download

      • memory/880-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2364-35-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2364-34-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3660-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-26-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3660-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-16-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3660-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3660-5-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4344-0-0x000000006D280000-0x000000006D2B3000-memory.dmp

        Filesize

        204KB

        Download