Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-01-2025 18:21

General

  • Target

    JaffaCakes118_42666e61f8c187a3e1881f9fcf99c508.dll

  • Size

    392KB

  • MD5

    42666e61f8c187a3e1881f9fcf99c508

  • SHA1

    5d92eacf49b4a501190caaa2b62be404bcc56983

  • SHA256

    5c2c5645b8423fefc02c2fc73a0d24a0a18d3258c64a7ba39cbee1691c8f1708

  • SHA512

    c478c719e2d93eea72e462a899e4b7252e554742f563a3845da5725543789870572e72306eb9df345e4596d1a139dc7abd0e84b321edba11ece4eba8e194f9a5

  • SSDEEP

    6144:BdSOvikWQ4/nL4+sEBC6mywRw/YgnX+I9ABFe:fikWbj5sEBCTywiKIiBFe

Signatures

  • Ramnit

    Ramnit is a versatile family that comprises file-infecting viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 5 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
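The "UPX packed file" signature above is a static check on the dropped files. The following Python is an added example, not part of the sandbox report, showing how such a check is implemented: a minimal PE section-table parser plus the three heuristics a triage script would combine (stock UPX section names, the "UPX!" pack-header magic, and an empty-on-disk first section that only exists in memory, which survives the renamed sections and stripped strings of a modified UPX). The three PE images are constructed in-memory fixtures built by `build_pe`; they are not the samples listed on this page, and no hash on this page is derived from them.

```python
"""Added example: UPX packing heuristics over a hand-built PE section table."""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


def pe_sections(data: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize, rptr))
    return sections


UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}


def upx_indicators(data: bytes) -> list[str]:
    """Reasons a file looks UPX-packed; an empty list means no hit.
    Name and magic checks catch stock UPX; the empty-first-section check
    also catches builds whose section names and strings were altered."""
    secs = pe_sections(data)
    reasons = []
    hits = {s.name for s in secs} & UPX_SECTION_NAMES
    if hits:
        reasons.append("UPX section names: " + ", ".join(sorted(hits)))
    if b"UPX!" in data:
        reasons.append("'UPX!' pack-header magic present")
    if secs and secs[0].raw_size == 0 and secs[0].virtual_size > 0:
        reasons.append("first section is empty on disk but mapped in memory (unpack destination)")
    return reasons


def build_pe(section_specs: list[tuple[str, int, bytes]]) -> bytes:
    """Construct a PE32 test fixture: section_specs = (name, VirtualSize, raw bytes).
    Only the fields the parser reads are populated; this is not a runnable binary."""
    opt_size = 0xE0                                   # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    hdr_end = 64 + 4 + 20 + opt_size + 40 * len(section_specs)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF              # file alignment 0x200
    vaddr, table, body = 0x1000, b"", b""
    for name, vsize, raw in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += len(raw)
        body += raw
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust((hdr_end + 0x1FF) & ~0x1FF, b"\0") + body


# Constructed fixtures (assumptions, not files from this report)
PACKED = build_pe([("UPX0", 0x20000, b""),
                   ("UPX1", 0x8000, b"\0" * 0x100 + b"UPX!" + b"\0" * 0xFC),
                   (".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED = build_pe([(".text", 0x20000, b""),        # modified UPX: names and magic stripped
                    (".data", 0x8000, b"\0" * 0x200),
                    (".rsrc", 0x1000, b"\0" * 0x200)])
CLEAN = build_pe([(".text", 0x3000, b"\0" * 0x600),
                  (".data", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("renamed", RENAMED), ("clean", CLEAN)):
        print(label, [s.name for s in pe_sections(img)], upx_indicators(img))
```

To run it against the dropped files from a real detonation, read `rundll32mgr.exe` or `rundll32mgrmgr.exe` from the sandbox's download area into `bytes` and pass it to `upx_indicators`; treat a single empty-first-section hit as a lead, not a verdict, since some non-UPX packers and self-extracting stubs show the same layout.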

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42666e61f8c187a3e1881f9fcf99c508.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42666e61f8c187a3e1881f9fcf99c508.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\rundll32mgrmgr.exe
          C:\Windows\SysWOW64\rundll32mgrmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
                PID:2968
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 204
                  7⤵
                  • Program crash
                  PID:3372
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2628
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1152
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3340
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3340 CREDAT:17410 /prefetch:2
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3992
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of UnmapMainImage
            PID:32
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 280
              5⤵
              • Program crash
              PID:2684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 608
          3⤵
          • Program crash
          PID:2296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 32 -ip 32
    1⤵
    PID:816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2968 -ip 2968
    1⤵
    PID:3576
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2280 -ip 2280
    1⤵
    PID:3252
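The tree above is the whole story of this detonation: rundll32.exe loads the DLL, which drops and runs two lookalike-named executables in SysWOW64, the second of which drops WaterMark.exe into Program Files (x86), and WaterMark.exe then spawns svchost.exe and iexplore.exe (the WriteProcessMemory and UnmapMainImage flags on the parents are the injection side of that). The following Python is an added example, not part of the sandbox report, that reproduces four of the report's findings from process-creation and file-write telemetry. The events are constructed from the tree as printed: the parent PID 1000 of the first rundll32.exe, the benign services.exe/svchost.exe control pair, and which process wrote which dropped file (inferred from the per-process "Drops file in ..." flags) are assumptions; the two SHA256 values are the ones listed under Downloads for rundll32mgr.exe and rundll32mgrmgr.exe, and WaterMark.exe carries no hash because the report captured none.

```python
"""Added example: reproducing sandbox findings from process/file telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class FileEvent:
    writer_pid: int
    path: str
    sha256: Optional[str]      # None where the report captured no hash


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_index(procs):
    return {p.pid: p for p in procs}


def ancestry(by_pid, pid):
    """PIDs from `pid` up to the highest ancestor we have an event for (pid first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def executes_dropped_exe(procs, files):
    """'Executes dropped EXE': the new image was written by a process in the
    new process's own ancestry, i.e. a parent launching what it or an ancestor dropped."""
    by_pid = build_index(procs)
    writers = defaultdict(set)
    for f in files:
        writers[f.path.lower()].add(f.writer_pid)
    return sorted(p.pid for p in procs
                  if writers.get(p.image.lower(), set()) & set(ancestry(by_pid, p.ppid)))


EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}   # assumed allow-list; tune per environment


def unexpected_parent(procs):
    """System binaries whose parent is outside the allow-list: here svchost.exe
    started by a dropped user-land EXE instead of services.exe."""
    by_pid = build_index(procs)
    hits = []
    for p in procs:
        allowed = EXPECTED_PARENT.get(_basename(p.image))
        if allowed is None:
            continue
        parent = by_pid.get(p.ppid)
        pname = _basename(parent.image) if parent else "<unknown>"
        if pname not in allowed:
            hits.append((p.pid, pname))
    return hits


SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "iexplore.exe"}


def lookalike_names(procs):
    """Image names that extend a system binary's name (rundll32.exe -> rundll32mgr.exe)."""
    hits = []
    for p in procs:
        stem = _basename(p.image).removesuffix(".exe")
        for sysname in SYSTEM_NAMES:
            sysstem = sysname.removesuffix(".exe")
            if stem != sysstem and stem.startswith(sysstem):
                hits.append((p.pid, _basename(p.image)))
                break
    return hits


def crashed_in_tree(procs, werfault_cmds, root_pid):
    """'Program crash': map WerFault '-p <pid>' back to the crashed process and
    keep only crashes of processes under root_pid."""
    by_pid = build_index(procs)
    tree = {p.pid for p in procs if root_pid in ancestry(by_pid, p.pid)}
    crashed = [int(m.group(1)) for c in werfault_cmds if (m := re.search(r"-p (\d+)", c))]
    return sorted(pid for pid in crashed if pid in tree)


# Constructed events modelled on the tree above (not the sandbox's raw log)
PROCS = [
    ProcEvent(4376, 1000, r"C:\Windows\system32\rundll32.exe"),            # parent PID assumed
    ProcEvent(2280, 4376, r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(208, 2280, r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    ProcEvent(4800, 208, r"C:\Windows\SysWOW64\rundll32mgrmgr.exe"),
    ProcEvent(2740, 4800, r"C:\Program Files (x86)\Microsoft\WaterMark.exe"),
    ProcEvent(32, 208, r"C:\Program Files (x86)\Microsoft\WaterMark.exe"),
    ProcEvent(2968, 2740, r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(2628, 2740, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(1152, 2628, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe"),              # benign control pair
    ProcEvent(1234, 700, r"C:\Windows\System32\svchost.exe"),
]
FILES = [   # writer attribution assumed from the per-process 'Drops file in ...' flags
    FileEvent(2280, r"C:\Windows\SysWOW64\rundll32mgr.exe",
              "5de2e5901dc1e8a8e386ebecd59b015cba0822af2cb5fe31beb77f8e3348dff4"),
    FileEvent(208, r"C:\Windows\SysWOW64\rundll32mgrmgr.exe",
              "a8cbc975cfe1494a87696702ee999d09cb77d933a14debd957d7a38848651c7d"),
    FileEvent(208, r"C:\Program Files (x86)\Microsoft\WaterMark.exe", None),
    FileEvent(4800, r"C:\Program Files (x86)\Microsoft\WaterMark.exe", None),
]
WERFAULT_CMDS = [   # the three crash command lines from the tree
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 204",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 280",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 608",
]

if __name__ == "__main__":
    print("executes dropped EXE:", executes_dropped_exe(PROCS, FILES))
    print("unexpected parent:", unexpected_parent(PROCS))
    print("lookalike names:", lookalike_names(PROCS))
    print("crashes in tree:", crashed_in_tree(PROCS, WERFAULT_CMDS, 4376))
```

On a real host the same fields come from Sysmon (event ID 1 for process creation with ParentProcessId and Image, event ID 11 for file creation with the writing process) or from an EDR's equivalent; the dropped-EXE rule is the most portable of the four because it depends on no fixed names, only on the write-then-execute relationship within one tree.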

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 65ff4e1a660b03c192195dc09416d8a8
    SHA1: c8e9c1b5d0e74e2f581eaa06d77db42ddb2b24b9
    SHA256: 25f890730498e80c6b85f0ca869917f45af6cadbb427695a615181eac3285dc2
    SHA512: 3efa3c79d74861659b4e6e97b362fb4943eeae2e81425029bbf407fb2c4c914bc2d2b43bc8164e9ed050cdb24f411a8582e086eb3557227ad79ec2256c5a52ba

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 2a0200c8aacb3232462388815b0b413a
    SHA1: 50ad87a020a396bddb1b610047eac48cde9f0e10
    SHA256: 3ffca35744311b6bb7b2bf147536d206c806e9b8387ced4cb450b5f73161b427
    SHA512: d9e8eec7627e77b1afaf243eeb7b720bb4830f269cf3a4774d120d28bbebca232c55a04363a7df7e4893d41637e5a538d88bf758572c164072cecc73ae5beebb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 91bde962ca8f0422607eab442ee44e5f
    SHA1: 4a4f901be7920e2395ef72c34a2ced1d61f3b7c0
    SHA256: f59c0e6c64e7818430eb8ee66b9250b699e27d09cd4d77ce87a39dd41dc42be4
    SHA512: 375ad672b098e7073f3d4963c6ed982e8702a77b92263c01e5a2f0d6d3247dd12def58145c64f2eb071d91ad84cabd1997ca801b0139921cc3a9ea4ed3eb5ab6

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9ADA37BB-DCDB-11EF-9361-FA9F886F8D04}.dat
    Filesize: 3KB
    MD5: f629724da7c53734eb96caee18b54b29
    SHA1: 37a1f04e671150912fcfaa455d46dc5a57ab84b6
    SHA256: a7dcaa37a50e452e48dd7b6a3000bae658a4d82e095382277903f12792cc26f1
    SHA512: 84fec522fbe73c18b059fca365e17b7c05dd97814f3978f2b6069c3695eb6d58ad7fdb480ac0430ea6d7a4093e6fe7d4dcadf9519f5c91bcdef1f37159d90f9d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9ADC98E3-DCDB-11EF-9361-FA9F886F8D04}.dat
    Filesize: 5KB
    MD5: 247a5f8df4c7738ef0fc628a126c501d
    SHA1: adbe0a771dbd3460899f68c829640dd075f0219b
    SHA256: 420cb91a98bc46da7267f06b8133ce6a409037ee29100d586028eeaf3712b0ba
    SHA512: 8e9fe2231db732728ad1b9d87efeddbba89b36060d2d57fa2bbf1b4bbf7cff902258f50a0366b49788a380feca72679004a0b11acd31cd998e4d81b661364ec8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize: 353KB
    MD5: 76e85689885580b9975504c664a97a08
    SHA1: 426e3aa560c4f220763003e420ff70607c0ff79f
    SHA256: 5de2e5901dc1e8a8e386ebecd59b015cba0822af2cb5fe31beb77f8e3348dff4
    SHA512: 19f941926710e53b621e831179ca0a9da9feb07645f49c14b01acde502b80788b4d2392c68b56fd7d1b45d9eba693040e8a998379dbcb203433871afbed37101

  • C:\Windows\SysWOW64\rundll32mgrmgr.exe
    Filesize: 175KB
    MD5: fe6bdfb690990c611819824f9c399b99
    SHA1: dcf9e9eccb5fe063c54e2a060e2902c5a553965b
    SHA256: a8cbc975cfe1494a87696702ee999d09cb77d933a14debd957d7a38848651c7d
    SHA512: 57ae5917715bbcb57e34aca387018ee5c9b51bb8e026992b6c83c796c7e779a8ee8b8c55183797f288b3dc530e7bf40ed9031640c2c5fbf2f030e3ce15613205

  • memory/32-54-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/208-7-0x0000000000400000-0x0000000000464000-memory.dmp
    Filesize: 400KB

  • memory/208-17-0x0000000000401000-0x0000000000404000-memory.dmp
    Filesize: 12KB

  • memory/208-18-0x0000000000400000-0x0000000000464000-memory.dmp
    Filesize: 400KB

  • memory/208-40-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/208-52-0x0000000000401000-0x0000000000404000-memory.dmp
    Filesize: 12KB

  • memory/2280-1-0x000000006D180000-0x000000006D1E2000-memory.dmp
    Filesize: 392KB

  • memory/2280-61-0x000000006D180000-0x000000006D1E2000-memory.dmp
    Filesize: 392KB

  • memory/2740-51-0x0000000000830000-0x0000000000831000-memory.dmp
    Filesize: 4KB

  • memory/2740-67-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2740-66-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2740-43-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/2740-56-0x0000000077102000-0x0000000077103000-memory.dmp
    Filesize: 4KB

  • memory/2740-62-0x0000000000890000-0x0000000000891000-memory.dmp
    Filesize: 4KB

  • memory/2740-63-0x0000000077102000-0x0000000077103000-memory.dmp
    Filesize: 4KB

  • memory/2740-55-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2968-58-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize: 4KB

  • memory/2968-57-0x0000000000400000-0x0000000000401000-memory.dmp
    Filesize: 4KB

  • memory/4800-10-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-11-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-13-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/4800-14-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-15-0x0000000002820000-0x0000000002821000-memory.dmp
    Filesize: 4KB

  • memory/4800-19-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-20-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-21-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/4800-12-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB