Overview

overview

10

Static

static

3

1ba0d79e8b...18.exe

windows7-x64

10

1ba0d79e8b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ba0d79e8bf2c95f62ad73aa4602bfb4_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    1ba0d79e8bf2c95f62ad73aa4602bfb4

  • SHA1

    9026519e8d82470409dce9bb10d7dd7799b2b52c

  • SHA256

    ad0f8619d5cc2ee7ceb2a679be0cf7aa3766fb08b23e1ef7f20568bada179304

  • SHA512

    29aa37154cb4a89dd4abca16b088aeff03f4a62e9234f8e72b8d0ba494395ccee264e287e79223b06a9d7248ca2108fdddb1f02162401cbbd8e33bff4a187617

  • SSDEEP

    1536:ZVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEH5y:pnxwgxgfR/DVG7wBpEZy

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ba0d79e8bf2c95f62ad73aa4602bfb4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1ba0d79e8bf2c95f62ad73aa4602bfb4_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3788
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 204
            4⤵
            • Program crash
            PID:2288
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4620
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:644
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3788 -ip 3788
      1⤵
        PID:4136

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        124KB

        MD5

        1ba0d79e8bf2c95f62ad73aa4602bfb4

        SHA1

        9026519e8d82470409dce9bb10d7dd7799b2b52c

        SHA256

        ad0f8619d5cc2ee7ceb2a679be0cf7aa3766fb08b23e1ef7f20568bada179304

        SHA512

        29aa37154cb4a89dd4abca16b088aeff03f4a62e9234f8e72b8d0ba494395ccee264e287e79223b06a9d7248ca2108fdddb1f02162401cbbd8e33bff4a187617

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        df3b51cc5929f3af03350336b1afc568

        SHA1

        48453c44facbbea059f9da8565cf25b1c2cb9ce0

        SHA256

        2375353160c5f8c4cadce5954ff4a7cc5b9c403890f0404791ff85c8ec0dd748

        SHA512

        d8eaa0761def6d74462748aa794198b5f32fa593662bf373c81e1d300f3f76ecc1c723cef52774caa6482527f26524fd2677a5e2253285cb6d0984b044347e8a

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        7416dad90e8cb201018cc71b3706cab4

        SHA1

        bf238898faa12cb258f0566c8de7617dc4b282f8

        SHA256

        ab2d708ddfe22bc51d2a6220378f191cda1c750f56fc634652b3dd7d8aef885b

        SHA512

        8737e01ed6be26160bf58c4449f0805663ef76e457601413bfba90d1f9facfbdb9a0e6d684d0e72f930f8999e2d9d66d8b043f9fa6705faed44b29a0c7a27fbd

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        9876ad1bf13da9dbe7e2d0e8cc59a251

        SHA1

        8ff0d5436909a6d691497fabfa27d3d3d399bf42

        SHA256

        75256b528f3a75668a76134050ec4456369d233a23e572053dc133a73e9afee5

        SHA512

        3a27102dc4e677b9bb72f1632c43b3db719129f38080142b0ef6e3faeefa9f277d253dfdf80b65fc22d75badab893bf50441a60446d1b3fd810756564d77b2d0

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61F9A4D6-37B5-11EF-9519-62C35996CAED}.dat
        Filesize

        3KB

        MD5

        bf3873804997342a137490a87366eacf

        SHA1

        791920c203a0412a0a41f4d5dd96a1ffe2a09e48

        SHA256

        03becbc344758b3ab8a423a5cdbf8d61a27794c7f8a2e425279d5bd8b15eeb46

        SHA512

        2b89aa1505f7131361e7a12063bce0a795991e4c7ec02360d054a7818d1741167a74b17d6b9a1e94304707bb5a1da3d70d2bd0646f982bd5b2d9ca49836edd16

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61FE686E-37B5-11EF-9519-62C35996CAED}.dat
        Filesize

        5KB

        MD5

        4f74540b7d9e630777c1412366248b4a

        SHA1

        350d3dad69dff7979f2bfb1b6a1d850ba78ebbd3

        SHA256

        284369a1923b8b04637dd4b633021bf1625168dc821c3eaac198b2fa4bdce812

        SHA512

        d4141fe2915cf50a90d04e59d707fc0184d434013a219f7be87c473c1166b468f5a20900ed9ee652b74ae9ee1cf5770f28a628849bbfbd28f7748b3bf9208fe1

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDD12.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • memory/1220-33-0x0000000077342000-0x0000000077343000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1220-32-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1220-36-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1220-30-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1220-31-0x0000000077342000-0x0000000077343000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1220-29-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1220-25-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1220-22-0x00000000001D0000-0x00000000001D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3788-28-0x0000000000400000-0x0000000000401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3788-27-0x0000000000420000-0x0000000000421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-23-0x0000000000416000-0x0000000000420000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3816-2-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-12-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-0-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3816-24-0x0000000000401000-0x0000000000416000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3816-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-4-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-9-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-7-0x0000000002C50000-0x0000000002C51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3816-3-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/3816-1-0x0000000000401000-0x0000000000402000-memory.dmp
        Filesize

        4KB

        Download