ramnit | 5c849cdaa86d2e558d609610da74a29e3af0fbe1d8a1da106af34bfe20e355cd

Analysis

max time kernel
133s
max time network
134s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00038e530513da8c91bcd6610e98a98d_JaffaCakes118.html
Size

158KB
MD5

00038e530513da8c91bcd6610e98a98d
SHA1

84d64e00679cf226095f03c0b1da4912707bf052
SHA256

5c849cdaa86d2e558d609610da74a29e3af0fbe1d8a1da106af34bfe20e355cd
SHA512

cafcb828eda72238500763ffc22e8c9f2a4fdfb22bab8b03b829d9b2c9e5465e9d0185323770462bc4f5e6835770ce4eb59ce2808e2c851f99d8f483a69bac1d
SSDEEP

3072:iqVfqBR6TyfkMY+BES09JXAnyrZalI+YQ:i8qBR62sMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

1220 svchost.exe
2028 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

1976 IEXPLORE.EXE
1220 svchost.exe

pid	process
1220	svchost.exe
2028	DesktopLayer.exe

pid	process
1976	IEXPLORE.EXE
1220	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/1220-482-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1220-486-0x00000000003C0000-0x00000000003EE000-memory.dmp	upx
behavioral1/memory/2028-491-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2028-493-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px177.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420238901"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7FF7BB1-0342-11EF-AAE3-46DB0C2B2B48} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

2028 DesktopLayer.exe
2028 DesktopLayer.exe
2028 DesktopLayer.exe
2028 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2860 iexplore.exe
2860 iexplore.exe

pid	process
2028	DesktopLayer.exe
2028	DesktopLayer.exe
2028	DesktopLayer.exe
2028	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2860	iexplore.exe
2860	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
2860	iexplore.exe
2860	iexplore.exe
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2860 wrote to memory of 1976	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1976	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1976	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1976	2860	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 1220	1976	IEXPLORE.EXE	svchost.exe
PID 1976 wrote to memory of 1220	1976	IEXPLORE.EXE	svchost.exe
PID 1976 wrote to memory of 1220	1976	IEXPLORE.EXE	svchost.exe
PID 1976 wrote to memory of 1220	1976	IEXPLORE.EXE	svchost.exe
PID 1220 wrote to memory of 2028	1220	svchost.exe	DesktopLayer.exe
PID 1220 wrote to memory of 2028	1220	svchost.exe	DesktopLayer.exe
PID 1220 wrote to memory of 2028	1220	svchost.exe	DesktopLayer.exe
PID 1220 wrote to memory of 2028	1220	svchost.exe	DesktopLayer.exe
PID 2028 wrote to memory of 2036	2028	DesktopLayer.exe	iexplore.exe
PID 2028 wrote to memory of 2036	2028	DesktopLayer.exe	iexplore.exe
PID 2028 wrote to memory of 2036	2028	DesktopLayer.exe	iexplore.exe
PID 2028 wrote to memory of 2036	2028	DesktopLayer.exe	iexplore.exe
PID 2860 wrote to memory of 1744	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1744	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1744	2860	iexplore.exe	IEXPLORE.EXE
PID 2860 wrote to memory of 1744	2860	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\00038e530513da8c91bcd6610e98a98d_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:537613 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f87372123cbeefb257298009e0c709d6

SHA1
32cb8edb399d266be5e6d77a7361116c526fbbc6

SHA256
d47c7d3373e11e0bd4310c22aac28f7567e79a13b53d1431453ff01bd4099361

SHA512
150bfee7ac2311f8ada48a1bd2967f9f4256c7cebfbc5e32654410cc9877db5395c1463c1175484a2511248b48e1a48cd3c2f77cb332e10a9e92d436adb695d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
832ab95681a0df3dfead6345c379984e

SHA1
8a4dd67417475c7231e3e32f899b4cbc922d83fe

SHA256
bfe80ed07e4dedb43359b9bdc49f7e48546653ac9d8d96be36c032946870a6f9

SHA512
0e6ac52162856ed1e60fa8769c208a4d2886271ae1417d1e6d66ecd525a4e39c792d85ac3d2e6ce762453ccc8e142d88c38c736b09395e64997d85a84119dc2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ed303fa60a4b603101940910a726c7ab

SHA1
f4dd8b8665d8fa4fc2efabb6b25264a7f860d045

SHA256
75ccc575a24a761edd1252c9177c20f6a2f0b0cb11cbf27731e5f5aa62bdb256

SHA512
980af86966fdec78af5f27f61204b54275318865dfbdda02d76ff846e0f7b89b56a83d50c41144a00bc00ae6e3377111fedb989e23f065616e4f50dd9894986f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
36fac7a967a679b1c294612f6e9f6ca6

SHA1
84880940adfdfb8c6712480a1475b8962909ad79

SHA256
8022d19316f8dc6fae06ff0d36597169496d19fdc32e6cd02e79da598dee6c89

SHA512
d0bff437e06e11e2641c86217c53705616c374ff4f61db73296c62f54803556039f50631b6bd113d4bb313cd5b5fb124bf640b95ab322a5f64a10776b1f91f05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dc62c9344c0d4f7417d87d3d040f4942

SHA1
6d9158af8b0a40086b2d03d0d6ec1380ca819ce7

SHA256
a4bd126472186ee3bd5661f1a0beb892f4f40f6b22e61acc568491bfc0c427e2

SHA512
7ccdff474f8731044269f306597e32454cf0d95d936c15d603ad15eb0ee755bb35c0daa57d10a952c9438a3e8d0470ef8c157185558c1c2b71cfbd007cdd0c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dd8d980f8af45ee6ec27b521b7772960

SHA1
aa7f40b4ab45cc683209f1a478409b86ba9e5a78

SHA256
41c4a90d2a079b07e88c2ea54496d3d9c3e8dcc6b38ec84e3eb9f4532f8d04a7

SHA512
bbe3f0b3b12dadc7af5423d9f7b6a08077de8a525ea9fba6df0726d6f03fe6c66d116d159f5ff1e928c1a3704da3eea6ab750ba5c7a5223ca0ab755b9bc2edf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c118a46f5f6881232433c2cc6a626bfd

SHA1
e1be14ac3e34be5f2c744a4eb3960bbfa4c6af10

SHA256
4a001ede3b9cdaa63c3fd46a6d7a81c59530ccd620ff7ef2992b7718c82ed2af

SHA512
b410674809dc2bd92907f18b1f666dc783205251b7594eb5de8ec17a2961aee265c1d41c8c58786a5ea403dba7f53a2217d73dbbb55f0c3b9aeb1d20987a8e18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
abd4c2c29f92694cbc3e29778607693f

SHA1
9c3425c9b2175cae25f3a832384135049c9921f7

SHA256
bd3d1e23f93dbe6855a21f35da27cc81b0b0d2ee5008c3d3c9a14e92512dfd82

SHA512
5fedf024ac9cfb7726e963b7d60f8b82d8e379b376a13cc4c74ac366a9575b2c93b7549f3ae4d920f506d8f986c05720c7dda443d866f45f20df7d2e3c5deb1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e28099548d2b024ded47fc392b74d4af

SHA1
cdb6f39d73b69774fae6fefb3421217e32aab9d1

SHA256
8e411533acd71c57398c9ff76de956d094523b26bfdf8ba71e1faa4b8fc8a9b1

SHA512
e3c59b19c3313f54700e90b700a6b2c78c94b9d9bd1a255662dd6c9bba4f40bda9cd2fff3fd0727fe86f623e7fa16edb08945fb5dfb7c9738ea410c004f98570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
66dc2f32b68751199ff007b5ee7f1c28

SHA1
6430cc43410d00c658da9edee33e13b96bd0c345

SHA256
d7a8b88a0e1084b9731b4e4991214c92560cd2b9e113d0f18edb689fc6d35476

SHA512
cfa03f5582a82ea9e16446e5be06884ab51f3a5c4ce197b21351ce69a8740bd26377b31ad4fee0679c1ca4534ab5bb79d072522fdfd424d84930eed212a2cad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2230.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar23A0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1220-486-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/1220-483-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/1220-482-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2028-494-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2028-493-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2028-491-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2028-492-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download