Overview

overview

10

Static

static

3

JaffaCakes...f8.exe

windows7-x64

10

JaffaCakes...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 23:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_44bcb22a8048b100a6aeb89cc107dcf8.exe

  • Size

    121KB

  • MD5

    44bcb22a8048b100a6aeb89cc107dcf8

  • SHA1

    6bfd84c9e10fb205f9f225af28e455c1b1a4a839

  • SHA256

    d8bfb7ae71134e0b2c6c2a3f47495b20cba734dd2f4058c7b20d2ff72054d3c6

  • SHA512

    e1a35aa1e28795abbdc81445e68c141ef76dcc7c875b033fab13702fc50d949b588d8b517b472e55c8b42cb93479f8da3f7fdd31d7550895265a4c32e59f98de

  • SSDEEP

    1536:1R0vxn3Pc0LCH9MtbvabUDzJYWu3BrNDZA8GRGnsQZFtrzT:1R2xn3k0CdM1vabyzJYWqv2Qtb

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bcb22a8048b100a6aeb89cc107dcf8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bcb22a8048b100a6aeb89cc107dcf8.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1580
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 204
            4⤵
            • Program crash
            PID:3720
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4428
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4428 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2324
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4588 CREDAT:17410 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1580 -ip 1580
      1⤵
        PID:2432

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        121KB

        MD5

        44bcb22a8048b100a6aeb89cc107dcf8

        SHA1

        6bfd84c9e10fb205f9f225af28e455c1b1a4a839

        SHA256

        d8bfb7ae71134e0b2c6c2a3f47495b20cba734dd2f4058c7b20d2ff72054d3c6

        SHA512

        e1a35aa1e28795abbdc81445e68c141ef76dcc7c875b033fab13702fc50d949b588d8b517b472e55c8b42cb93479f8da3f7fdd31d7550895265a4c32e59f98de

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        65ff4e1a660b03c192195dc09416d8a8

        SHA1

        c8e9c1b5d0e74e2f581eaa06d77db42ddb2b24b9

        SHA256

        25f890730498e80c6b85f0ca869917f45af6cadbb427695a615181eac3285dc2

        SHA512

        3efa3c79d74861659b4e6e97b362fb4943eeae2e81425029bbf407fb2c4c914bc2d2b43bc8164e9ed050cdb24f411a8582e086eb3557227ad79ec2256c5a52ba

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        b8fad37aa5ba7c40ca8d938ec50cd3ea

        SHA1

        25c600df4380a83e30fd010d2edb145438216b33

        SHA256

        08d9faad7b15b097631702e34152fdefae387a01d520615b6858e530a6edb7e4

        SHA512

        552e0b921c7b7e24d899e829934619ce53e18268d22a7c6f7030517d0e197f8a793d6c7ad3b2ec5102b36433fae36e92c7b82021a9de0640a29fcac1ee099755

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23F4508E-DD08-11EF-9361-5227CD58F2D9}.dat
        Filesize

        3KB

        MD5

        edd4a5d291709f4558f8525d69a300cc

        SHA1

        353f9e0a770d9def89c47c7dd0c3996f6eeefd8b

        SHA256

        4efbdbde8ea14d48c2ff9fe759eb220f384d1edce353b85a749fce54b092e452

        SHA512

        d756fa6d9f808648330d16a1758d08ccd01595f174b5c110eea46335fbffbd4bff6f0c08e04dcdaa34930e6495039cefe3d3d9fa54f007a5db49236201e38d6d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{23F6B32A-DD08-11EF-9361-5227CD58F2D9}.dat
        Filesize

        5KB

        MD5

        316d3720bfd1ba17e1527360ed47ee18

        SHA1

        ad2b17efb3118cb3de64ab9c11d0e5ff491d7551

        SHA256

        d3c4c455c792a30bbe507dd3b3a110450ec78ea79787a80f942ef22bba1cdc2f

        SHA512

        c182feca72bf33e31dc1f3291498a08af594205cb4658dfc0993793977d8c11acbcfca44191dc49cfd62108757ecfa892c7844daebc223ad0c4592e97ffae804

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • memory/1372-33-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-34-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-38-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-27-0x0000000077762000-0x0000000077763000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-26-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1372-24-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-22-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1372-37-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/1372-32-0x0000000077762000-0x0000000077763000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1580-31-0x0000000000B40000-0x0000000000B41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1580-30-0x0000000000B60000-0x0000000000B61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4156-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-0-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4156-4-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-8-0x00000000008F0000-0x00000000008F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4156-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-5-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4156-3-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4156-2-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4156-1-0x0000000000401000-0x0000000000402000-memory.dmp

        Filesize

        4KB

        Download