Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
28-06-2024 10:18
General
-
Target
19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll
-
Size
161KB
-
MD5
19c3974a646ad7ea6852c711dc23f6b9
-
SHA1
4b7b510bc717b05204d6fef0cd480f2e3ca77f8b
-
SHA256
6bbd3937f7b0c3c57ddc663176a4245745a920f71a5f699924d7e26315759c5d
-
SHA512
5e4dc4e11d05b88148f6699f926f16d324901989748c5ae58593f9d914ed11702da5accfc87e4be1d780d6dcb2d9da26a23a368189d232704a0e483a7f4c0828
-
SSDEEP
3072:UTU56gVxj27Neum+uemO5WjmmmmmmmmmmmmmmmmmmmrCQmmmmmmmmmmmmmmmmmmK:n4Hm+uemO5Wjmmmmmmmmmmmmmmmmmmmc
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
197KB
MD52ef50be556348bc0a2f4ab8458441e48
SHA1af3af574e164e4c5c1e66a7bf20a8c189e54b942
SHA2561a57e99b8c5c5e9ac000f238f37f40462eeb90dabb4741e576d855abb15d3169
SHA5126ff3bd7af2bd7b81c17f63e81fd22cd90d51980c18633afef15074312e5711ff53340076fd2b2ceb9e909d81be62badb6164cbba0b0a312e59af16771e0b4d19
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
193KB
MD59548b3ce20dfd1b1663c74ab473b2225
SHA1a7c5ea812cba26b013dc2654c08c080e56bd4387
SHA2562519d44419af7801062fae09c5aaa3588d04de5b63511277d46442eed5118e91
SHA512b9cfa5f860568014485de8927c829c72ea0358da82097e5d7674d572cf39601b0c551c3a8e9a844d2acc2ccd33efc18fde78089df5b5eb17c26ccb95955e14ca
-
\Windows\SysWOW64\regsvr32mgr.exeFilesize
92KB
MD59efa35f79704a13f682a13efc6770276
SHA1e75cb9eac6f47407baaeac4b6f342e9b34385d02
SHA25698b86f0605c851a7ba65f27c98831ef55195370e20b181d8faa1131e4aee6387
SHA51283a48096a9898482f7069f8ec0372b1dec3145c4c13edd91aa7ea76328544b6bb0c7bb56aebd091f26faaf078e8dc8d560047073911e0a11db62acfc74058874
-
memory/1204-34-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1204-81-0x000000007743F000-0x0000000077440000-memory.dmpFilesize
4KB
-
memory/1204-70-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1204-567-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1204-51-0x000000007743F000-0x0000000077440000-memory.dmpFilesize
4KB
-
memory/1204-40-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/1204-39-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-2-0x0000000074670000-0x000000007469B000-memory.dmpFilesize
172KB
-
memory/1732-3-0x0000000000190000-0x00000000001B8000-memory.dmpFilesize
160KB
-
memory/1764-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-11-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-19-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1764-21-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-12-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1764-10-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2536-87-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/2536-90-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2536-222-0x0000000077440000-0x0000000077441000-memory.dmpFilesize
4KB
-
memory/2536-91-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2536-88-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2536-72-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2536-86-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2536-82-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2536-89-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2816-59-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-61-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-58-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2816-56-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2816-66-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-57-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2816-52-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-1008-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-42-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2816-44-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB