
Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/01/2025, 02:26

General

  • Target

    JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll

  • Size

    258KB

  • MD5

    276687275f0f9d19ecab6b15e4af797b

  • SHA1

    a3da367a3845e706d029252c4d73bfd151989072

  • SHA256

    19e943df00936e368c89f5441771930c885ec4404470cfbec3c69bab1dff4948

  • SHA512

    09301fab68593d612ad5f0ff903648e79497d62b78836687b437fec66f6383f70d0b4201bce4d78efab881464ba86fa1407499be81da6186909f6bd0f678f707

  • SSDEEP

    3072:aCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6g:aCIGPj038tAgFMldWNX+Ejtujg

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_276687275f0f9d19ecab6b15e4af797b.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2448
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 204
                6⤵
                • Program crash
                PID:4064
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1500
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4724
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:4124
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 608
          3⤵
          • Program crash
          PID:2736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 2448
      1⤵
        PID:3584
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 5064
        1⤵
          PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: ce36378334f2edb4e728e0632afebb70
    SHA1: 89d54efcb8c7bbe532e5ad91b38468279d3f5c93
    SHA256: 6be47a3ecfbf81a123c297ee65d70177b4010bfbe728b94b4337453683b9a6e1
    SHA512: 3e09cc9ece1907c072f02f768ec749ceef3b8913f394bb075b1948d0409b7910670b91da7d35160c211d0bf8df05e83409a1ad7493ea53864c41f37305f75aa2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 17d88c0b0206def8528ce057cc3f0e18
    SHA1: 93457e1e867629f7741fa812ee3cf506cdc2710b
    SHA256: 2518052c88b3661734d3b0e1ddf6441dbf7cf2615f371468b20842f792b3c624
    SHA512: f35c0ab1b591673bf7b44af1386de6b89a265802187b62346b60a2307c726a56a2ec61ceb3e78e1882d859184961e226478a5e99429c9f990ef045d13eb2f5b0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize: 92KB
    MD5: 7ee724f57cd50cc251c9640919b5469e
    SHA1: f46cf7427e3519358ce354265a7226abb157cf15
    SHA256: caffeddde0516e982f2adc315190b9a55b67a2646d113f5f892533489307edce
    SHA512: f6fe974490da9c753f61c455c0efdceebb0d2af46519fbc15843d79aca7c1ef3fb33c77644e977cc0ade60e60e4f72c6a6cf552d1bdfada11abeb29d9c899c32

  • memory/1600-36-0x0000000000070000-0x0000000000071000-memory.dmp (Filesize: 4KB)
  • memory/1600-40-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/1600-27-0x0000000000430000-0x0000000000431000-memory.dmp (Filesize: 4KB)
  • memory/1600-39-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/1600-37-0x00000000774D2000-0x00000000774D3000-memory.dmp (Filesize: 4KB)
  • memory/1600-34-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/1600-31-0x00000000774D2000-0x00000000774D3000-memory.dmp (Filesize: 4KB)
  • memory/1600-30-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/2448-32-0x00000000005A0000-0x00000000005A1000-memory.dmp (Filesize: 4KB)
  • memory/2448-33-0x0000000000580000-0x0000000000581000-memory.dmp (Filesize: 4KB)
  • memory/4632-10-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-6-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-13-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-11-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
  • memory/4632-38-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-12-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-15-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-8-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-7-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  • memory/4632-5-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
  • memory/5064-35-0x0000000010000000-0x0000000010045000-memory.dmp (Filesize: 276KB)
  • memory/5064-1-0x0000000010000000-0x0000000010045000-memory.dmp (Filesize: 276KB)