Overview

overview

10

Static

static

3

19d126e528...18.dll

windows7-x64

7

19d126e528...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19d126e528c422aec7280cca54bd14c2_JaffaCakes118.dll

  • Size

    104KB

  • MD5

    19d126e528c422aec7280cca54bd14c2

  • SHA1

    1ce611d34fdd94723739294e65629cbafbf0a819

  • SHA256

    292a49e16b1499130d69a513421f607cf1dbf13a442dc68cf8578689447eca8f

  • SHA512

    a7c1a43165318dc1b347269ee0792cf7494cee788316de332af672b192fd8d263ae44f6378f9be22b6322cef0778a70cd002e9ad42582ef83bdabfd247136572

  • SSDEEP

    3072:Yx73qAAdzsMEYQ5sdTtz1Eu93H3bOtCLu:qqAAdzOvEEwH3beCS

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\19d126e528c422aec7280cca54bd14c2_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\19d126e528c422aec7280cca54bd14c2_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2188
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 204
                6⤵
                • Program crash
                PID:2968
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3380
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3380 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:640
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4692
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 608
          3⤵
          • Program crash
          PID:2544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3128 -ip 3128
      1⤵
        PID:4368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2188 -ip 2188
        1⤵
          PID:2412

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C790EE4A-353A-11EF-8383-5A352D2CFE47}.dat
          Filesize

          5KB

          MD5

          bdb8efed3e9c7e287c38ea5f325ce038

          SHA1

          cfa3a7e8554542e9a145fbd30ee65ebe638e4a35

          SHA256

          e4dafa6f8f19e8cf617b498f9067bea3d986dfe209a45f1d5d5468da6d36db55

          SHA512

          c5e541c35990e5f5919d0337309fd464e5404a35798101cdc77373e6ea95e9b7c5114a2c79491fca18d8dc52b7309b29b4101ff5ec6c7ee81f7a4cba15ba1634

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C7935115-353A-11EF-8383-5A352D2CFE47}.dat
          Filesize

          5KB

          MD5

          6a1ddab0bfe07f67abb156dfadaccd1b

          SHA1

          ce03867f5d0bb30a277e0feb072f183c9adafddb

          SHA256

          234a8af58d72327c33a951791a0024f6e481b35799d7dbb13eadf2680e3f3822

          SHA512

          6094293f42567262bb9bbfce29ee4a4068adc62ece9df6e06065f614e21c963fe4fd0d38ffe917e6d5663bf5af105d0f2136d745015b96a18c27eadc395cacf6

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC340.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit
        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          60KB

          MD5

          cd963c64ad0bea4ca85a4819f6eefed1

          SHA1

          d9cd6316cf3c6ce5ceec9694c2debc7b7981775f

          SHA256

          33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906

          SHA512

          f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e

          Download Submit
        • memory/952-5-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-8-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-10-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-16-0x00000000008A0000-0x00000000008A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/952-13-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-9-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-7-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/952-6-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/2188-29-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2188-30-0x0000000000E80000-0x0000000000E81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2876-26-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/2876-32-0x0000000000070000-0x0000000000071000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2876-31-0x0000000077992000-0x0000000077993000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2876-27-0x0000000077992000-0x0000000077993000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2876-25-0x0000000000060000-0x0000000000061000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2876-35-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/2876-24-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

          Download
        • memory/3128-3-0x000000006D1C0000-0x000000006D1DA000-memory.dmp
          Filesize

          104KB

          Download