Overview

overview

10

Static

static

3

19589a971e...18.dll

windows7-x64

10

19589a971e...18.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19589a971eb420559794afd71081d286_JaffaCakes118.dll

  • Size

    140KB

  • MD5

    19589a971eb420559794afd71081d286

  • SHA1

    71cbacfb391011112b322d2ff2ed583786dd2752

  • SHA256

    4b983caf22b55ad0ff2b73a2d9427eedae29e418a9141d091464e7a4f799f3d3

  • SHA512

    c4948631d01743602c99dee4c778fd644b68904875460292d929ed0f95b74e0fbb1f40e9c2bf506edc5eb4f2f7bfd328357f11b5c486cb457f9fa00923323fa5

  • SSDEEP

    3072:dNEqkap78EyjCY2Dy8pRuuOKi1xywc/h:HEqkE4x0yeupTnnc/h

Score
10/10
ramnitbankerpersistencespywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:256
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
        PID:336
      • C:\Windows\system32\wininit.exe
        wininit.exe
        1⤵
          PID:372
          • C:\Windows\system32\services.exe
            C:\Windows\system32\services.exe
            2⤵
              PID:468
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k DcomLaunch
                3⤵
                  PID:600
                  • C:\Windows\system32\wbem\wmiprvse.exe
                    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                    4⤵
                      PID:2500
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k RPCSS
                    3⤵
                      PID:676
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                      3⤵
                        PID:764
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                        3⤵
                          PID:808
                          • C:\Windows\system32\Dwm.exe
                            "C:\Windows\system32\Dwm.exe"
                            4⤵
                              PID:1332
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            3⤵
                              PID:844
                              • C:\Windows\system32\wbem\WMIADAP.EXE
                                wmiadap.exe /F /T /R
                                4⤵
                                  PID:436
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService
                                3⤵
                                  PID:992
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k NetworkService
                                  3⤵
                                    PID:296
                                  • C:\Windows\System32\spoolsv.exe
                                    C:\Windows\System32\spoolsv.exe
                                    3⤵
                                      PID:980
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                      3⤵
                                        PID:324
                                      • C:\Windows\system32\taskhost.exe
                                        "taskhost.exe"
                                        3⤵
                                          PID:1232
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                          3⤵
                                            PID:2952
                                          • C:\Windows\system32\sppsvc.exe
                                            C:\Windows\system32\sppsvc.exe
                                            3⤵
                                              PID:2868
                                          • C:\Windows\system32\lsass.exe
                                            C:\Windows\system32\lsass.exe
                                            2⤵
                                              PID:476
                                            • C:\Windows\system32\lsm.exe
                                              C:\Windows\system32\lsm.exe
                                              2⤵
                                                PID:484
                                            • C:\Windows\system32\csrss.exe
                                              %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                              1⤵
                                                PID:384
                                              • C:\Windows\system32\winlogon.exe
                                                winlogon.exe
                                                1⤵
                                                  PID:420
                                                • C:\Windows\Explorer.EXE
                                                  C:\Windows\Explorer.EXE
                                                  1⤵
                                                    PID:1396
                                                    • C:\Windows\system32\rundll32.exe
                                                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\19589a971eb420559794afd71081d286_JaffaCakes118.dll,#1
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2980
                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                        rundll32.exe C:\Users\Admin\AppData\Local\Temp\19589a971eb420559794afd71081d286_JaffaCakes118.dll,#1
                                                        3⤵
                                                        • Loads dropped DLL
                                                        • Drops file in System32 directory
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3000
                                                        • C:\Windows\SysWOW64\rundll32Srv.exe
                                                          C:\Windows\SysWOW64\rundll32Srv.exe
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2004
                                                          • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2716
                                                            • C:\Windows\SysWOW64\svchost.exe
                                                              C:\Windows\system32\svchost.exe
                                                              6⤵
                                                              • Modifies WinLogon for persistence
                                                              • Drops file in System32 directory
                                                              • Drops file in Program Files directory
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2640
                                                            • C:\Windows\SysWOW64\svchost.exe
                                                              C:\Windows\system32\svchost.exe
                                                              6⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2488

                                                  Network

                                                  MITRE ATT&CK Matrix ATT&CK v13

                                                  Initial Access

                                                  Execution

                                                  Persistence

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Winlogon Helper DLL

                                                  1
                                                  T1547.004

                                                  Privilege Escalation

                                                  Boot or Logon Autostart Execution

                                                  1
                                                  T1547

                                                  Winlogon Helper DLL

                                                  1
                                                  T1547.004

                                                  Defense Evasion

                                                  Modify Registry

                                                  1
                                                  T1112

                                                  Credential Access

                                                  Discovery

                                                  Lateral Movement

                                                  Collection

                                                  Exfiltration

                                                  Command and Control

                                                  Impact

                                                  Resource Development

                                                  Reconnaissance

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
                                                    Filesize

                                                    201KB

                                                    MD5

                                                    767eb5d6751aa8fcff636622d12f7046

                                                    SHA1

                                                    eac9bfdcdd60fdbf9026ec238fb3f2ab29b63d9d

                                                    SHA256

                                                    ae220ed6ae256b5e3cc14a22cfb7939f2840582662a424dbc57ff1e6e068d2d5

                                                    SHA512

                                                    f24289c178882e1ef77c668df03abb85e6f2d89f59b54933218c95718d9138e34e210f84b050cceac83d953e64b1d47213dc56de96d7a88bc3af34086488272b

                                                    Download Submit
                                                  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
                                                    Filesize

                                                    198KB

                                                    MD5

                                                    664c40bc41bb809363bb527caf71eae7

                                                    SHA1

                                                    d63e50230a1d575517d0ee638ae631f6eaa62879

                                                    SHA256

                                                    3fb0037804ec5de62b46a7427f69eada8d40579fb0ffc79213c7587c2e9933bc

                                                    SHA512

                                                    8d30aeda2932ff39337f29c169ecb6ea942df15240c4d5d5baa7f60f9a9853880d4892eddf13259786ab7ab6d2f6cdf5c6e466363df7068b01e4167e7aff35d3

                                                    Download Submit
                                                  • \Windows\SysWOW64\rundll32Srv.exe
                                                    Filesize

                                                    94KB

                                                    MD5

                                                    f6736faa3126f64ed4a7109e40c47806

                                                    SHA1

                                                    0d50917f44d6e173bac24916c95343616dcbf18c

                                                    SHA256

                                                    bc0cb854888c155cbfed860a6546bea3c82db643df30437fe14d91194939a874

                                                    SHA512

                                                    29cc26cd4df360252917a5d913e5e4776b6d05061b464f09dbb33918491affdc15cac9e142a9227a48f27d26db1f8ee85bd3d417365d6fef9b2fd380e090efe5

                                                    Download Submit
                                                  • memory/2004-14-0x0000000000400000-0x0000000000441000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/2004-11-0x0000000000220000-0x0000000000221000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2488-72-0x0000000077CA0000-0x0000000077CA1000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2488-53-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2488-65-0x0000000000190000-0x0000000000191000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2488-66-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2488-69-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2488-67-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2488-68-0x00000000001A0000-0x00000000001A1000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2488-60-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2488-64-0x0000000020010000-0x000000002001B000-memory.dmp
                                                    Filesize

                                                    44KB

                                                    Download
                                                  • memory/2640-43-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-28-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-778-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-48-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-30-0x0000000000080000-0x0000000000081000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2640-41-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-40-0x0000000000090000-0x0000000000091000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2640-35-0x0000000000080000-0x0000000000081000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2640-36-0x0000000020010000-0x0000000020021000-memory.dmp
                                                    Filesize

                                                    68KB

                                                    Download
                                                  • memory/2640-34-0x00000000000A0000-0x00000000000A1000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2716-59-0x0000000077C9F000-0x0000000077CA0000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2716-51-0x00000000002B0000-0x00000000002B1000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2716-26-0x0000000000400000-0x0000000000441000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/2716-25-0x00000000002A0000-0x00000000002A1000-memory.dmp
                                                    Filesize

                                                    4KB

                                                    Download
                                                  • memory/2716-23-0x0000000000400000-0x0000000000441000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/2716-333-0x0000000000400000-0x0000000000441000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/2716-557-0x0000000000400000-0x0000000000441000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/3000-50-0x000000006D040000-0x000000006D063000-memory.dmp
                                                    Filesize

                                                    140KB

                                                    Download
                                                  • memory/3000-3-0x0000000000220000-0x0000000000261000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/3000-10-0x0000000000220000-0x0000000000261000-memory.dmp
                                                    Filesize

                                                    260KB

                                                    Download
                                                  • memory/3000-1-0x000000006D040000-0x000000006D063000-memory.dmp
                                                    Filesize

                                                    140KB

                                                    Download