Overview

overview

10

Static

static

3

15d00fc2ef...18.dll

windows7-x64

10

15d00fc2ef...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll

  • Size

    337KB

  • MD5

    15d00fc2efbd85c50422b973081840bc

  • SHA1

    cf3d6bc5ebf9d8d989166adbfd967be2bef3ef74

  • SHA256

    dd32e1e9e2417e47708a7553a41bfcf5208bd3ca89a7f04742b202c910483e25

  • SHA512

    c91c07e4355a5887d058ea5f10b402792730c0d3f8e221a130a78eb9371d0667fc96e7111ac5337f144d12ff29b9f9a590ee454936d747abd29e5fa1c4cbd02a

  • SSDEEP

    6144:qN0yr1sO/wIKS0FKtOT/OrDtgUi0uvQee7Qee/0QeesQeeglQeekQeeDC7M3HCRD:qG6wndYtamDSU1MHCRflZ

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\15d00fc2efbd85c50422b973081840bc_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4808
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 212
                6⤵
                • Program crash
                PID:1664
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4532
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4532 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1108
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4808 -ip 4808
      1⤵
        PID:492

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        fa34ecb8815a2d98849888cb1cdbf38b

        SHA1

        84fd0e04586009efb3683c98da8d9aa41487cd42

        SHA256

        5077a54924f80491a74ed78bbd73ff7bf85a27caddb80ceaa9ccb86f8b9a11be

        SHA512

        ccfdb76ccedd0076601e17272d346229e2b9c0dd884c09bb7701b32c5dc177da8a91bb539ce751297d8ea44716fc497e8a337a9499c93a474ba85915f28f1053

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        5bc462ba93738ff71a16941567172fae

        SHA1

        a1d96090724e6b82ee4c8b410c341fca125fa7ac

        SHA256

        9c91debf608b3a6a505a2294e22f677212b7c457f33a6bd3bedc7099032c047c

        SHA512

        1afcb16226898b7f15c4f67b30747c43adc1c45587fbb74387d4f2f8529783efa7c4017f13cfb4781da452afb5d0d47737a7150755d2f54112ef58128c2b6764

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8AD34947-3477-11EF-B1BA-424A43B6706F}.dat
        Filesize

        5KB

        MD5

        5afa36d743f8763807f2f6b5fa4a611f

        SHA1

        9861208ac535bba014edc29ce962c262334d3ee8

        SHA256

        d078672dfddcc8036f3860bc6231ab368c4cfdce8556fa6fadb04b46f434cb1f

        SHA512

        58a0476ad1e1799c62d41d14f3e65fd240bccbc0c2481b37d01fd68a0e38b1e76ea33ca40f8c698585fe4ce5c3df396b6e32eb8acfc0896fdfc5e101c3347471

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8AD80DD2-3477-11EF-B1BA-424A43B6706F}.dat
        Filesize

        3KB

        MD5

        c3b95aad69d65e65e24bc50a14858331

        SHA1

        d6b69ba076bc1b3eef39f7b55b485cf9987cf7f4

        SHA256

        be8ff145dded062875bf14b70392966eb690ed56bc063ae1e4f37530c75ebca5

        SHA512

        e8c218c6aeb3614cdfbd64b4bc179bb0018faf676a7225fe236f1f2946c972bbd72d4d4c6b61080a7a09ab39691c11cad44bba180f15d2038485aa24ef4abaa5

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF9B.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        96KB

        MD5

        8c51fd9d6daa7b6137634de19a49452c

        SHA1

        db2a11cca434bacad2bf42adeecae38e99cf64f8

        SHA256

        528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

        SHA512

        b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

        Download Submit
      • memory/2440-7-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-14-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-10-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-18-0x00000000008B0000-0x00000000008B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2440-11-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-9-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2440-5-0x0000000000400000-0x0000000000435000-memory.dmp
        Filesize

        212KB

        Download
      • memory/2476-27-0x0000000000060000-0x0000000000061000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2476-33-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2476-32-0x0000000077172000-0x0000000077173000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2476-36-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2476-28-0x0000000077172000-0x0000000077173000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2476-25-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2476-26-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4420-1-0x0000000074AF0000-0x0000000074B47000-memory.dmp
        Filesize

        348KB

        Download
      • memory/4808-30-0x0000000001050000-0x0000000001051000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4808-31-0x0000000001030000-0x0000000001031000-memory.dmp
        Filesize

        4KB

        Download