Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
01-07-2024 10:03
General
-
Target
1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll
-
Size
885KB
-
MD5
1adf0d560866732a66a6c227fa3765a0
-
SHA1
64f91d3f02b829e6e6844391937886a7f5c5a5f1
-
SHA256
2474d389b05dd2d08b201de73548d3acd8fbf0e2df76259be3e0264b34b23a38
-
SHA512
35082be2e70baf12b4f903a3459eb3ed457b2dfa3b2b0a17e108e9244b689bc8e66b5460bbac54639522c895190fde637c00b02e53c54ef2a08349b713eb168f
-
SSDEEP
24576:qL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0P+Fhp1:QK5hPILYHSfeY9nWFhz
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
244KB
MD5a79762f16437ff199ff468c586b963d0
SHA17b1dfaa6f55884cce9a7489479ec2ecaa2377a04
SHA25668e0e533009243d951a9840250429c8e44d104eeb1379da912101b54e7889c44
SHA512a640f30fbfc9ebf49537fc4f97040e8717141c393440e4d29bc28b1cca657911170b3b41d9ed1df06101c5278c9b90cbcf533ecca92b30cef14e0ea4d816d780
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
240KB
MD52e6a47cf41d41572cedbf06c7ea468b9
SHA1b44b90822391b0cfd6a646c4f55a79857a2d5e94
SHA2560c6a8e9ec5d5077fd81f60f5026f4e36174d6a4a0ee3cb65e37263db17fbb0ae
SHA5120dea18305fbbb734a95e41caf844e9f3207d43472e257c68b56b197fd085c6a495eafe0d8ef18864879b98332eeb68ca73cd19761f8b7070124ce13366aa4e2f
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
115KB
MD550a0e1f79e2c4a873576fde02f8bb90b
SHA111596d44af32a1ae6d74435b3c070b6a47e8ac78
SHA25658134ebb29f8d9f7bc6cfb1319a1f50054e138ede45f111feb081ff15e11b655
SHA512f7627b15264ef3122bbf1217f81ac1ca077a811225d8d1b850d78272ffd2ef5b828be6015866207952c76e81dbd21648e4998c5d3680b55ff1874b8acb70f3c3
-
memory/1768-81-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1768-88-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1768-87-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1768-195-0x0000000077430000-0x0000000077431000-memory.dmpFilesize
4KB
-
memory/1768-86-0x00000000000F0000-0x00000000000F1000-memory.dmpFilesize
4KB
-
memory/1768-90-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1768-89-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/1768-85-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1768-74-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2280-6-0x0000000000220000-0x0000000000247000-memory.dmpFilesize
156KB
-
memory/2280-0-0x00000000749A0000-0x0000000074A81000-memory.dmpFilesize
900KB
-
memory/2280-356-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2280-12-0x0000000000220000-0x0000000000247000-memory.dmpFilesize
156KB
-
memory/2280-4-0x00000000748B0000-0x0000000074991000-memory.dmpFilesize
900KB
-
memory/2280-2-0x0000000074990000-0x0000000074A71000-memory.dmpFilesize
900KB
-
memory/2644-80-0x000000007742F000-0x0000000077430000-memory.dmpFilesize
4KB
-
memory/2644-44-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2644-43-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/2644-47-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2644-45-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2644-46-0x000000007742F000-0x0000000077430000-memory.dmpFilesize
4KB
-
memory/2644-72-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/2644-577-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2644-580-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2756-54-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2756-67-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2756-65-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2756-64-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2756-66-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2756-63-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2756-59-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2756-50-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2756-48-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2756-801-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2784-22-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2784-33-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2784-23-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-19-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-32-0x0000000000280000-0x00000000002A7000-memory.dmpFilesize
156KB
-
memory/2784-18-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2784-13-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB