Overview

overview

10

Static

static

3

1e98591806...18.exe

windows7-x64

7

1e98591806...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    1e98591806468a3bc9d68e7fa659a3e2

  • SHA1

    af379098cad3f17e223ecd1aa8a026f927eda1bd

  • SHA256

    9246aaa4119ab78c06e12f3cba6da3941c641b4a132a36b8fbcf45372ea08f56

  • SHA512

    d03c238651a9f8e9309e46fb9131ff4e2b44b16668c43a5e9f9f12e574922eaaf2ed0ecf6ac382de5d53a91450b5b5ecb1adbdeb7f7e2b07dffa71826fb0faf2

  • SSDEEP

    3072:knxwgxgfR/DVG7wBpEfdPbzIcJabw0ejQ7sDz1RNnF:4+xDVG0BpjcJa80mQ7sX1RJF

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118mgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
            PID:552
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 204
              5⤵
              • Program crash
              PID:4280
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3160
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4300 CREDAT:17410 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 552 -ip 552
      1⤵
        PID:2584

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE282F74-384A-11EF-9D11-56995CF5AA0C}.dat
        Filesize

        5KB

        MD5

        76a495a1035dca0b6db6d38b5fbe50b0

        SHA1

        de2bd81d80ee01983842007c4862b8064bfab450

        SHA256

        be57100e5c43fc34a81ca4df794a2ce8efb006a49bc9bc237a63e98f94e75516

        SHA512

        97de1b69e9c3a9cdf9d66a8fd468aa6a0521a673639ad14f2fa0d573a2b6356695410120b5040c810afce24a089c9f889f7fdcc9a703474d35ddba4521366f40

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE2CF429-384A-11EF-9D11-56995CF5AA0C}.dat
        Filesize

        3KB

        MD5

        544ab0570b61675c13c88125ea66372e

        SHA1

        02ec4a58f5d8ceba4bf246268062b6961124f734

        SHA256

        9a3e1f6d08b3866e90ff3c1c729f53ef4074f990568c652b5d2e1038e91aa44c

        SHA512

        95d49882686a08a15cdf18875f63120c58ea6cb7c85ec8e062e4177d64d0cd346d28839ce4734ea1c3ca42571e43af0f0db71ea56e862235c567fc8ac5e4141b

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC786.tmp
        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1e98591806468a3bc9d68e7fa659a3e2_JaffaCakes118mgr.exe
        Filesize

        92KB

        MD5

        96cff787d9cd572c465811f1b072e852

        SHA1

        f41dc6bbaa9e613f255484a125d83fa1b336148c

        SHA256

        8735197d71a2a4c3894f43e1461e9ae4ccd4ca5c861332ae3c79e02f48143de9

        SHA512

        19789b2071f8e04e186135c6d2495ece4e69da19c1cf748e6619ed6fcbfca36e6698cce5f0dc10bc7d81847be2eb36ea3f2b9504d26088ac8b9903e6506394ff

        Download Submit
      • memory/552-43-0x00000000001C0000-0x00000000001C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/552-44-0x00000000001A0000-0x00000000001A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2656-20-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2656-23-0x0000000000416000-0x0000000000420000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2656-0-0x0000000000400000-0x0000000000466000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2656-24-0x0000000000401000-0x0000000000416000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2752-26-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-16-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-14-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2752-13-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-17-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-7-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/2752-4-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/5064-30-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/5064-45-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5064-46-0x0000000077A92000-0x0000000077A93000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5064-37-0x0000000000430000-0x0000000000431000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5064-40-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5064-49-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/5064-51-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/5064-41-0x0000000077A92000-0x0000000077A93000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5064-39-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download