Analysis

  • max time kernel
    136s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-07-2024 10:03

General

  • Target

    1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll

  • Size

    885KB

  • MD5

    1adf0d560866732a66a6c227fa3765a0

  • SHA1

    64f91d3f02b829e6e6844391937886a7f5c5a5f1

  • SHA256

    2474d389b05dd2d08b201de73548d3acd8fbf0e2df76259be3e0264b34b23a38

  • SHA512

    35082be2e70baf12b4f903a3459eb3ed457b2dfa3b2b0a17e108e9244b689bc8e66b5460bbac54639522c895190fde637c00b02e53c54ef2a08349b713eb168f

  • SSDEEP

    24576:qL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0P+Fhp1:QK5hPILYHSfeY9nWFhz

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that comprises viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:1284
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4336
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 204
                6⤵
                • Program crash
                PID:5020
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2388
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3288
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4336 -ip 4336
      1⤵
        PID:792
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          df3b51cc5929f3af03350336b1afc568

          SHA1

          48453c44facbbea059f9da8565cf25b1c2cb9ce0

          SHA256

          2375353160c5f8c4cadce5954ff4a7cc5b9c403890f0404791ff85c8ec0dd748

          SHA512

          d8eaa0761def6d74462748aa794198b5f32fa593662bf373c81e1d300f3f76ecc1c723cef52774caa6482527f26524fd2677a5e2253285cb6d0984b044347e8a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          33407d3ed4dedd23b914dd1c7526e3b0

          SHA1

          314a9159286d764c1236165ad2ccbf0354cff0bc

          SHA256

          7bcb547c158eef1b25d6578b203b56f211ed7de91f82fb050b27e0ce113b7da7

          SHA512

          efa4af30f69af9d1cc460ba094404f93234a8ef3825567bfbdaeb9649d22854ff610a64bbeafd68870aad25e600d58404592b865ba3bb61fd37b7ecf9919ec1c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          ef139db68ccd30a9ee0d6b48d31ddd80

          SHA1

          a6059cf48a06a7680b722be1c60778ed36b1a623

          SHA256

          a02d8bbbae895ab209cd2c1de4a7d014052206e7940bee883844f6c8a81481ed

          SHA512

          d465c14f4b48560f747b17ea5d9f18e4c1f241f32b5920d64386a9a5b1f488f04fc940d0ba5cfdf963ff59874cd2273194062b6f2962dab839e1953636cbbbec

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4DE1E0F8-3791-11EF-B9F7-E27D0092C90A}.dat
          Filesize

          5KB

          MD5

          0a01a932cec52c1e26ed63c6938ec884

          SHA1

          d81daaa5fc446409e31cbe572d226d02813b49f6

          SHA256

          cb3d87db7e636fa98fd46d256d650d6204368d52859e26cda68f40c4cfd7801f

          SHA512

          2c4137dafd25ce53ee81f29a6866d39d43c895cf2a0913ec72e8b78f89a73d94da355b3d6e825cdd6861da33f1024da3f4da532346980ffa996465738f9194c9

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4DE8ECC0-3791-11EF-B9F7-E27D0092C90A}.dat
          Filesize

          3KB

          MD5

          064d04a89c6084bc4c86b35f2deb9531

          SHA1

          3fb845ef226a5c5f6dccbc02049dea131c9caf89

          SHA256

          ebbaf86a92682e4b821c8548171d0525c66ed1bcd311a34e313229646dbad38f

          SHA512

          957fd499fe5a981bf7c30ef3ff7e9661c59ed80bc1fa998de78be9cb0c56a5fecbab9119a5e9d9454e0378d73377341e5da89646b6074107cd19f0af15232b8e

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC416.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          115KB

          MD5

          50a0e1f79e2c4a873576fde02f8bb90b

          SHA1

          11596d44af32a1ae6d74435b3c070b6a47e8ac78

          SHA256

          58134ebb29f8d9f7bc6cfb1319a1f50054e138ede45f111feb081ff15e11b655

          SHA512

          f7627b15264ef3122bbf1217f81ac1ca077a811225d8d1b850d78272ffd2ef5b828be6015866207952c76e81dbd21648e4998c5d3680b55ff1874b8acb70f3c3

        • memory/1284-32-0x0000000000060000-0x0000000000061000-memory.dmp
          Filesize

          4KB

        • memory/1284-33-0x00000000772D2000-0x00000000772D3000-memory.dmp
          Filesize

          4KB

        • memory/1284-42-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1284-41-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1284-38-0x0000000000170000-0x0000000000171000-memory.dmp
          Filesize

          4KB

        • memory/1284-31-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1284-37-0x00000000772D2000-0x00000000772D3000-memory.dmp
          Filesize

          4KB

        • memory/1764-11-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-8-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-5-0x0000000000400000-0x0000000000427000-memory.dmp
          Filesize

          156KB

        • memory/1764-6-0x0000000000401000-0x0000000000404000-memory.dmp
          Filesize

          12KB

        • memory/1764-23-0x0000000000401000-0x0000000000404000-memory.dmp
          Filesize

          12KB

        • memory/1764-16-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-17-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-7-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-10-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-14-0x0000000000400000-0x0000000000421000-memory.dmp
          Filesize

          132KB

        • memory/1764-12-0x00000000005B0000-0x00000000005B1000-memory.dmp
          Filesize

          4KB

        • memory/4232-0-0x0000000074C50000-0x0000000074D31000-memory.dmp
          Filesize

          900KB

        • memory/4336-35-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
          Filesize

          4KB

        • memory/4336-36-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
          Filesize

          4KB