Overview

overview

10

Static

static

3

19c3974a64...18.dll

windows7-x64

10

19c3974a64...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll

  • Size

    161KB

  • MD5

    19c3974a646ad7ea6852c711dc23f6b9

  • SHA1

    4b7b510bc717b05204d6fef0cd480f2e3ca77f8b

  • SHA256

    6bbd3937f7b0c3c57ddc663176a4245745a920f71a5f699924d7e26315759c5d

  • SHA512

    5e4dc4e11d05b88148f6699f926f16d324901989748c5ae58593f9d914ed11702da5accfc87e4be1d780d6dcb2d9da26a23a368189d232704a0e483a7f4c0828

  • SSDEEP

    3072:UTU56gVxj27Neum+uemO5WjmmmmmmmmmmmmmmmmmmmrCQmmmmmmmmmmmmmmmmmmK:n4Hm+uemO5Wjmmmmmmmmmmmmmmmmmmmc

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\19c3974a646ad7ea6852c711dc23f6b9_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1616
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 204
                6⤵
                • Program crash
                PID:3148
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:704
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4560
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3376
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3376 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1796
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
      1⤵
        PID:3488

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D7FD420B-3537-11EF-9D11-429904AF4EC5}.dat
        Filesize

        3KB

        MD5

        cf1d620528eff0da992e2081d6650085

        SHA1

        2e318d33261b0e149e18d21e11b2cb91aa753b3c

        SHA256

        d2b792cc506e2849d92f60f92ab5d19917f1175b3a08640a1cc1504ddff27dca

        SHA512

        44fceece6a602e028d65262239373428497cff58e6e183fd91a5dbc68a6a96a9f4f0673999721cc5a03334a056b9e6ca73f53746f3c40a19809549cf0f563190

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D7FFA4BE-3537-11EF-9D11-429904AF4EC5}.dat
        Filesize

        5KB

        MD5

        cee6b1a5bc59981015c554a62eefc18f

        SHA1

        9ad63ced7dad40fd9bc3e95ea4cdcf129e19f78d

        SHA256

        e5d60b35c1f4f75d4d69c011a0754c3a29c2897d405984b212e0e8dc54e4a4a7

        SHA512

        908070081997fe6b18ecb3ec33999b7d592aa312d4ddbb300be7b4c796020324f22162930a9256a5c7ab65251f1c403d19cd2a7f5c5d284ef46c5edda15b9bed

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB111.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        92KB

        MD5

        9efa35f79704a13f682a13efc6770276

        SHA1

        e75cb9eac6f47407baaeac4b6f342e9b34385d02

        SHA256

        98b86f0605c851a7ba65f27c98831ef55195370e20b181d8faa1131e4aee6387

        SHA512

        83a48096a9898482f7069f8ec0372b1dec3145c4c13edd91aa7ea76328544b6bb0c7bb56aebd091f26faaf078e8dc8d560047073911e0a11db62acfc74058874

        Download Submit
      • memory/540-34-0x0000000077132000-0x0000000077133000-memory.dmp
        Filesize

        4KB

        Download
      • memory/540-35-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/540-39-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/540-24-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/540-28-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/540-31-0x0000000077132000-0x0000000077133000-memory.dmp
        Filesize

        4KB

        Download
      • memory/540-30-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/540-27-0x00000000001D0000-0x00000000001D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/540-38-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1616-33-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1616-32-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2632-7-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-10-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-11-0x00000000008A0000-0x00000000008A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2632-12-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-16-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-13-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2632-5-0x0000000000400000-0x0000000000428000-memory.dmp
        Filesize

        160KB

        Download
      • memory/4624-2-0x0000000074AE0000-0x0000000074B0B000-memory.dmp
        Filesize

        172KB

        Download