Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
27-06-2024 20:13
General
-
Target
175f69bb5f3df6df139d3711f6fac46b_JaffaCakes118.dll
-
Size
208KB
-
MD5
175f69bb5f3df6df139d3711f6fac46b
-
SHA1
16c6e5c4bb04d0189cf718d211c2551473db1550
-
SHA256
4fabf04b7caba69d19f0db876f22d9a994cb143710f1d44d7204dcef03454ccc
-
SHA512
e0c244594152b9a3dd955be528844f72cc61642afc482e690d714dfd37c5a7425600574f491021649e4eb9ff4b3a3a3d69cb65cbd18b832133a9afc81c270680
-
SSDEEP
3072:K2UxPvVKNiNz1a2JRC+Tq/KcKFUvJeXAMWRb3B+me4Tj3ejUP:pGvQ4Nx9RHTV5UvJx/Rr3eG
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\175f69bb5f3df6df139d3711f6fac46b_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\175f69bb5f3df6df139d3711f6fac46b_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
232KB
MD5a89e956da81cc963af15e34fdde6d52e
SHA1c9fe11aeea3411c192035cc3d9c211df5683d84b
SHA256cac13e9ead53ff3a0ef1d3a766a5925999bbd36da8f4c049bd27c8b1ec82e168
SHA512efaf6c5135edd01875549d6a3a1d676dce088aee016541905d33a388446345144e0c5182153f9c0a161c1191d284ccf93616ff2621a7ed234fd5d705b2a8684c
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
228KB
MD5e4c42c8a2e9d28c9a8cf1ff282fba7de
SHA1c7af4ca3fa1577c0ebe460125a03f7f7fc2c0673
SHA256ccc8b0b8156d4158dde6a445c90bd9698ece24bbafb43637cc0dd46bc03c3b9b
SHA5121698ce72eb795abb5748df8766a21b5cd04dc580bc656af2d1d454424662c7e30cd67f30b85810550ffa94441d8a0e60ada190075d1e98a096fbcb07926d8da7
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
109KB
MD59cb1d76074df9146c68ddf4ccf45ad0c
SHA1cfd8e8afcb4d01b8a33bb996f38e8a8ae5902048
SHA256124fca6b9dd184840ec013d834aa93207f592853aa4e43a3c3c3464ceaf5eecd
SHA5128c61494be068468283e6da9dcd9893d883e1c22e7a946cf7a69f4159cd7bd09826eca322b4f38c8c9501ac210a6133df89426a22efacd3591dd9950b407dea2c
-
memory/1684-12-0x00000000001A0000-0x00000000001C6000-memory.dmpFilesize
152KB
-
memory/1684-1-0x000000006D280000-0x000000006D2B4000-memory.dmpFilesize
208KB
-
memory/1684-0-0x000000006D280000-0x000000006D2B4000-memory.dmpFilesize
208KB
-
memory/1684-5-0x00000000001A0000-0x00000000001C6000-memory.dmpFilesize
152KB
-
memory/1684-3-0x000000006D280000-0x000000006D2B4000-memory.dmpFilesize
208KB
-
memory/1944-25-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-32-0x00000000001B0000-0x00000000001D6000-memory.dmpFilesize
152KB
-
memory/1944-31-0x00000000001B0000-0x00000000001D6000-memory.dmpFilesize
152KB
-
memory/1944-19-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-24-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/1944-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1944-13-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2472-46-0x000000007738F000-0x0000000077390000-memory.dmpFilesize
4KB
-
memory/2472-75-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2472-92-0x000000007738F000-0x0000000077390000-memory.dmpFilesize
4KB
-
memory/2472-572-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2472-45-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2472-44-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2472-43-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2532-91-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2532-93-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2532-96-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2532-98-0x0000000077390000-0x0000000077391000-memory.dmpFilesize
4KB
-
memory/2532-97-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2532-77-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2532-95-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2532-94-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2532-87-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2604-48-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-71-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2604-70-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2604-69-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2604-62-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-57-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-72-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-1013-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-67-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2604-50-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB