Overview

overview

10

Static

static

3

19b20cdad4...18.exe

windows7-x64

7

19b20cdad4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    19b20cdad4a0845f4159cd7e7cc07171

  • SHA1

    96b5955de3c049289ad098315764cd85681191c1

  • SHA256

    bd1cd66742d6a64fe01698ade6837f6a4ea8cbe73c7c8ffd2f8c512a0a490d28

  • SHA512

    9ca03fb39f6c38a8446bb59b5b75fa30b25089bba4997cdfb20ec40f545d358c92e42259574b25fa59680aa572a4ac645684041dd4ba766a0ede0c4c0bdd589a

  • SSDEEP

    3072:Xuug/5q6gVLypcUYNNUMT+f02kqXlgOlxuBQb3TS/1:XuTgVLycU0U1kxixuB+DG

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:1820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 204
              5⤵
              • Program crash
              PID:1084
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1712
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4124 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
      1⤵
        PID:4020

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D1E8778-3534-11EF-86EC-FE349C7D5183}.dat
        Filesize

        5KB

        MD5

        6b927955dcd94dab25fad2a487e1dadf

        SHA1

        7adceb0361925425d89808a7fd303db6092e41b5

        SHA256

        4dd3c35a4568dc7d53316b8b31ce22fa9dfe468cf804477c5fa7199aa936e32c

        SHA512

        d1afafd44a942ebca6ccee2e8dcd7c3a29b22c483377bf4e54799423feaffdb831af835fc9dc9740accb3d2d267192787cb36278b577f18eafdddb92a83994e4

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1D20EAA5-3534-11EF-86EC-FE349C7D5183}.dat
        Filesize

        3KB

        MD5

        f0299acd8e4140556ecb07a3448a2b52

        SHA1

        8c7223a0bb72fe10529c38b831a37f7428bb9532

        SHA256

        0fce84bcc7444e1455ee539893b1b38bf5b46c59271e9e7fe9433f8d7a36f6a3

        SHA512

        619281e696411eb704fa449afa7930dc508125ee725d95b725f4e4a52d570696db9a70453d67ed5a630e084246892ca90c35bc7c911d6752e144de4aec8421cc

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB73A.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\19b20cdad4a0845f4159cd7e7cc07171_JaffaCakes118mgr.exe
        Filesize

        92KB

        MD5

        5adaae6bfabaddea50ed5c0b957ad92e

        SHA1

        6053981e2aa05ac58fbb6dbb44f9883aff8d72d4

        SHA256

        6762ce79f5b4746fad78ffdc7ab627fe08ef6cb6028c3ffe2c71245ba27b322f

        SHA512

        6561dd9676f180f084eb0a00411a68cc00eef7847d74eff6e13549f788830b79a678cd5089268527393052bab511482cb9122daa035b2f96777b4e9075818441

        Download Submit
      • memory/1820-32-0x00000000009F0000-0x00000000009F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1820-31-0x0000000000C10000-0x0000000000C11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2748-0-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2748-13-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/3740-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-7-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-18-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-14-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-15-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-11-0x00000000008B0000-0x00000000008B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3740-10-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3740-4-0x0000000000400000-0x0000000000428E39-memory.dmp
        Filesize

        163KB

        Download
      • memory/4620-28-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4620-35-0x0000000076F62000-0x0000000076F63000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4620-34-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4620-33-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4620-38-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4620-27-0x00000000008C0000-0x00000000008C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4620-29-0x0000000076F62000-0x0000000076F63000-memory.dmp
        Filesize

        4KB

        Download