Overview

overview

10

Static

static

3

1a2ed9d7af...18.dll

windows7-x64

10

1a2ed9d7af...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a2ed9d7af030d031d31b5f8f0f6b9e3_JaffaCakes118.dll

  • Size

    166KB

  • MD5

    1a2ed9d7af030d031d31b5f8f0f6b9e3

  • SHA1

    50719a20b13ed790c8c3078661c986a0904f9cda

  • SHA256

    1c704dd9911e951ff3dc85c249908e2cac465f5a06d706607e33b3d1b56c7d87

  • SHA512

    64a82741af0086e71895ae1c44e3b5d2ac277d7d0622562969662ec2bab264f8b957e4711866445d22af7a73a5860707a7d22be5139aee22b5d97808f153e609

  • SSDEEP

    3072:OTU56gVxj27NevROEuPvisOpkTv7L2GQ6uWr:l4wRj+qYvW4uWr

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1a2ed9d7af030d031d31b5f8f0f6b9e3_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1a2ed9d7af030d031d31b5f8f0f6b9e3_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1976
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 204
                6⤵
                • Program crash
                PID:3056
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1464
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1648
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3076
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3076 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
      1⤵
        PID:1432

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE757BAA-354C-11EF-8383-5AE3054E25D0}.dat
        Filesize

        5KB

        MD5

        79f6d427a267e6a93f63e5bf3fbc55e5

        SHA1

        d5685bfb51ecf23920a4c0d332bd1adcc315f853

        SHA256

        4139949922cb99783e257c55638f19fbda170e5e0b45771f1cee1288462ba4d4

        SHA512

        ee0665530bb320de4baed9564ac28de2de65ea93f4a907189084032faf0784ef8b6d7856fd8344f6df163a87b3afa33051df687f0249796e964ae81b20d620f2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE77DE11-354C-11EF-8383-5AE3054E25D0}.dat
        Filesize

        3KB

        MD5

        e1fdadc3832e91d5c225dafa4888b176

        SHA1

        cd265f1e5cd0e34ae8aeb48a9be47abb53ea3d61

        SHA256

        04ea715633f2497c1d5266e501db2111dc4c7a49445d376302653977d1f147f7

        SHA512

        5ec5aaf4036d6436a733982b8b41e646bd71de939ba01677bb0270eb38412b8ae051523b0f8856f1ee0b23c16e870c7898f8d67f67e4c1fdd467dcd450b63e4f

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBD55.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        96KB

        MD5

        8c51fd9d6daa7b6137634de19a49452c

        SHA1

        db2a11cca434bacad2bf42adeecae38e99cf64f8

        SHA256

        528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3

        SHA512

        b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

        Download Submit
      • memory/1392-35-0x0000000076F92000-0x0000000076F93000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1392-31-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1392-39-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1392-24-0x0000000000400000-0x0000000000435000-memory.dmp
        Filesize

        212KB

        Download
      • memory/1392-36-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1392-28-0x0000000000060000-0x0000000000061000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1392-29-0x0000000076F92000-0x0000000076F93000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1392-32-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1976-33-0x0000000000820000-0x0000000000821000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1976-34-0x0000000000800000-0x0000000000801000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4628-1-0x0000000074940000-0x000000007496C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/5080-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-7-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-11-0x00000000008B0000-0x00000000008B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5080-16-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-12-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-13-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-10-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5080-4-0x0000000000400000-0x0000000000435000-memory.dmp
        Filesize

        212KB

        Download