Overview

overview

10

Static

static

3

JaffaCakes...b6.exe

windows7-x64

7

JaffaCakes...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2025 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_350927ebb05a125ced257aecd02a05b6.exe

  • Size

    137KB

  • MD5

    350927ebb05a125ced257aecd02a05b6

  • SHA1

    80bed72e79da83c7fb39e4792bb221c516ae50ff

  • SHA256

    3f042d2ba4460447990b0a062186643b376dedfef266f817eb5e50a43ce92b70

  • SHA512

    a195847e5ae5a2b41174f3b4344a517169e77d59b774c1a9cdad043204de3d46bce5be4be3c2e582483ddec461757a99c8b97fc1199d4f3bce1a164d2ad3afc5

  • SSDEEP

    3072:DaIu9tg7Whz3ww3E7MJUB6Jm2NlRpbt3p1yVs5U2m:iow0uUP2NNbT1+B

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350927ebb05a125ced257aecd02a05b6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350927ebb05a125ced257aecd02a05b6.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350927ebb05a125ced257aecd02a05b6mgr.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350927ebb05a125ced257aecd02a05b6mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:3060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 204
              5⤵
              • Program crash
              PID:4180
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:17410 /prefetch:2
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1408
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            PID:2164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 472
        2⤵
        • Program crash
        PID:2908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
      1⤵
        PID:1788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3060 -ip 3060
        1⤵
          PID:4484

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          206fe14723a861b688f6473333dc507c

          SHA1

          9e2e50dfd67986677e808b216db08c02961ffd7b

          SHA256

          c8b5bc9cb349c22051a2fedd1b4f755a1d6cce5cfb19be11a93c8e1d7daa5f18

          SHA512

          a69a00c9a0b0bb6db4bd7e216a57c1f90c01f9fd0f029dcab1328112ec23ceb34e47be669a433fce8e3e575bfb153736269563bed172c6fc4875b8632890317a

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          583110799e6dd83690918bee6cf5e5f0

          SHA1

          d1d8ab2c19c0665993def1c89fd519109d15d94e

          SHA256

          338ebe17900691bb099355f7b69c0305fae7778b694c5c0e8bd0e88b20993368

          SHA512

          35f1f6c590b494eb2ece42f1cf65e7b2044dc44eb5c6faf19b0001b5d2f03a0149eb2f1a21169aefdce4f09652075ee7804994eb3a337beceb964d970da59b8b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_350927ebb05a125ced257aecd02a05b6mgr.exe
          Filesize

          59KB

          MD5

          0e0f0ae845d89c22bb6385f64a6b85fd

          SHA1

          0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

          SHA256

          5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

          SHA512

          baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

          Download Submit

        • memory/3060-34-0x0000000000920000-0x0000000000921000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3060-33-0x0000000000940000-0x0000000000941000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3132-0-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3132-35-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

          Download

        • memory/4924-37-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4924-40-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-41-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-39-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-38-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-28-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4924-31-0x00000000775E2000-0x00000000775E3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4924-30-0x0000000000060000-0x0000000000061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4924-36-0x00000000775E2000-0x00000000775E3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4940-20-0x0000000000401000-0x0000000000405000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4940-15-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-11-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-5-0x0000000000401000-0x0000000000405000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4940-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-10-0x00000000018E0000-0x00000000018E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4940-9-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4940-6-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

          Download