Analysis

  • max time kernel: 93s
  • max time network: 129s
  • platform: windows10-2004_x64
  • resource: win10v2004-20250129-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-01-2025 23:44

General

  • Target: JaffaCakes118_507e0345352a44025f02624aa377a816.dll
  • Size: 284KB
  • MD5: 507e0345352a44025f02624aa377a816
  • SHA1: be7487e48c8da3e1aba65ae7a0816e3594ba3c12
  • SHA256: 7ce29d90f6e47e95fed0c40fce635ebdb1b1a53ed690477f4b1749b723333e2e
  • SHA512: fcdd631e95e68adebf20e84e854e9cdb4be56e1704b949b0347006368806f0585891146f4c95e1a9d6d219eb3b67f52fed58b90dcc9b5697e113c159fe67ac2e
  • SSDEEP: 3072:W0NbrbkYHUyP9eECVWfpIhbWoVnW6IioARoKO7JurqeBTg4vRP86TvOB5n+902bT:trkYHjIWeWcd71byneDf0aZqez6ix

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_507e0345352a44025f02624aa377a816.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_507e0345352a44025f02624aa377a816.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4956
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 208
                6⤵
                • Program crash
                PID:4380
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2580
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4720 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 608
          3⤵
          • Program crash
          PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
      1⤵
        PID:3060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4956 -ip 4956
        1⤵
          PID:1028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9776E15D-DE5D-11EF-8277-E65C00D8F0F4}.dat
    Filesize: 5KB
    MD5: 25ac1225f4371415a7a21e896b850664
    SHA1: 959eb31189100a0cbec8943d8a59f139e92c2869
    SHA256: 134e4ae8703264083447169230453c9fb522d21848dda754bd7ab32a320c7847
    SHA512: b32642b20734b107c07bc14bc10a194ceb7564837797b3e3e60047fb996f38def02f6571951130189f1f71e20f6ae6425f02651cf72a03065415bb9fd0bef631

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{977942C9-DE5D-11EF-8277-E65C00D8F0F4}.dat
    Filesize: 3KB
    MD5: 607aef43976a57df350268ec282e8787
    SHA1: dbe5a45fc7e399fa82baff2538fd5a50bd8f6fef
    SHA256: 42bb26eb249e72da69b1e7ad2cc910371065e780ae21960472fcc7ac64a20d16
    SHA512: 25f46e73b6766f88ef748b94ac6f12fbaf33d8833e3492e37d056c8eb9d1f3eb2753ab43b254839d5d3fbb2f9df25330fb31eb0b2c7db4d3b2d7d19855d3bc0c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O32JA4D6\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize: 117KB
    MD5: 8496f6a2cbd1e710149e098e047eaee2
    SHA1: dd0a84f13d385928e5270ef9b4b442150fd4a060
    SHA256: dfa3498dc41116db8aec3fd24721709e90248ad9de239222f1ed31f1f9286a03
    SHA512: c7a58e158ff3fbfd2bf5e2327221f6f5d24fc7abef2b48da63e98ee96efb3ff0e9d8ce8047f34f3843f385ca0607ee85a5ca7e0a8e3330366a23e99c1d9e3dd5

  • memory/1504-30-0x0000000077142000-0x0000000077143000-memory.dmp
    Filesize: 4KB

  • memory/1504-31-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB

  • memory/1504-40-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/1504-41-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB

  • memory/1504-29-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/1504-28-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/1504-26-0x0000000000900000-0x0000000000901000-memory.dmp
    Filesize: 4KB

  • memory/1504-42-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/1504-37-0x0000000077142000-0x0000000077143000-memory.dmp
    Filesize: 4KB

  • memory/1504-36-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize: 4KB

  • memory/1720-35-0x0000000074B60000-0x0000000074BAC000-memory.dmp
    Filesize: 304KB

  • memory/1720-1-0x0000000074B60000-0x0000000074BAC000-memory.dmp
    Filesize: 304KB

  • memory/2508-17-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-11-0x0000000002840000-0x0000000002841000-memory.dmp
    Filesize: 4KB

  • memory/2508-6-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-7-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-8-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-10-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-13-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-14-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2508-4-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB

  • memory/4956-33-0x0000000000910000-0x0000000000911000-memory.dmp
    Filesize: 4KB

  • memory/4956-34-0x00000000008F0000-0x00000000008F1000-memory.dmp
    Filesize: 4KB