Overview

overview

10

Static

static

3

1a351e907d...18.dll

windows7-x64

10

1a351e907d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a351e907deae966141fe7575f17c053_JaffaCakes118.dll

  • Size

    220KB

  • MD5

    1a351e907deae966141fe7575f17c053

  • SHA1

    ec5f68bbde00029efb31fb32748890dab418afbe

  • SHA256

    c6c1de2aba94d50a9f4f5799fd35640985166985e69b916f0a426103d57407cf

  • SHA512

    ff2038281cc5a4bdb1b59b93d79c858961d3c400c928d19db97dddab4b600f000230dda949603abc779e8c47e1b1e1a72cfcbe0fcb51b4ed02a5438727db9eba

  • SSDEEP

    6144:9/mmNwlmUSWIY7vDDkTGei9zAFIzF5wXn6/+magVWL:9+mNwl6wvDDJ9UFILwLmagi

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\SysWOW64\rundll32Srv.exe
          "C:\Windows\SysWOW64\rundll32Srv.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4276
          • C:\Program Files (x86)\Microsoft\WaterMark.exe
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3744
            • C:\Program Files (x86)\Microsoft\WaterMark.exe
              "C:\Program Files (x86)\Microsoft\WaterMark.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3980
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\system32\svchost.exe
                7⤵
                  PID:3400
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 196
                    8⤵
                    • Program crash
                    PID:1984
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:368
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:17410 /prefetch:2
                    8⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:4420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3400 -ip 3400
      1⤵
        PID:1724

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        293ea21f7d2b09f447f07d065dd542b9

        SHA1

        5d30d1d814dab60840b66cb9ee7dd8ceea05df70

        SHA256

        2203bb67fc1d126a35d05b53e3b9c39acf5a06b6f2d792099460e8caa83f2a32

        SHA512

        7d5ff3768b8ab54f4186a325ac433eb4a1f3dfabb30d641a0a1d6b9f2f24c5dd83cc5d05c13477cab16c5644d39e45ae991d75a1ddb7c79b76e562b4f2eb2898

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        65540c7881222a180f814182a05f3288

        SHA1

        bfdec61b095a2e5ff2b2f91b9fa11d120b709507

        SHA256

        585f6d4a1eb16b919f7b06ee47abed375a8cf1a01cc65ebc70d76452d29c13c1

        SHA512

        0a0bf2856132bd1b5ed368623025b5bcefc3e489cc6200ba1dd2d3d52ed42ceeebf7e4035d0d60ac85f05b8599d0f4a95660fd49acebc3886a6b3d73ab964551

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Windows\SysWOW64\rundll32Srv.exe
        Filesize

        69KB

        MD5

        3284b0d95ae1f80355da5e04e79a6be1

        SHA1

        642bbb026f238a4eed9931772869b637621d98c8

        SHA256

        f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60

        SHA512

        13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547

        Download Submit
      • memory/3400-37-0x0000000000F50000-0x0000000000F51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3400-36-0x0000000000F70000-0x0000000000F71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3744-22-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

        Download
      • memory/3744-32-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

        Download
      • memory/3980-38-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/3980-34-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/3980-39-0x0000000077842000-0x0000000077843000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3980-33-0x00000000001D0000-0x00000000001D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3980-30-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4196-1-0x000000006DAC0000-0x000000006DAFF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4276-16-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4276-12-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4276-13-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4276-9-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/4764-15-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

        Download
      • memory/4764-5-0x0000000000400000-0x0000000000459000-memory.dmp
        Filesize

        356KB

        Download
      • memory/4764-6-0x00000000001C0000-0x00000000001C3000-memory.dmp
        Filesize

        12KB

        Download