ramnit | 8d9dc10d82204593f6eff7e98510f0a86154a0b3f495f71efed7ecf01af802d2

Analysis

max time kernel
133s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0032849d7bc94780bf3d9780a833ebaa_JaffaCakes118.html
Size

155KB
MD5

0032849d7bc94780bf3d9780a833ebaa
SHA1

6e597709f60ebaf9319a63a424bdcd259d42e409
SHA256

8d9dc10d82204593f6eff7e98510f0a86154a0b3f495f71efed7ecf01af802d2
SHA512

f7d894a48267e41c1373af84a81bdf109f412ac126156c3653b84315b0a002e7627c736e2ba72df05cc81a37774c165ee0f577a0156cd7407e8c3bff3d1aedf7
SSDEEP

1536:iERTz7FpGekotyLyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJA:i2GekLyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

2784 svchost.exe
888 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2964 IEXPLORE.EXE
2784 svchost.exe

pid	process
2784	svchost.exe
888	DesktopLayer.exe

pid	process
2964	IEXPLORE.EXE
2784	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2784-482-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2784-490-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/888-492-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF029.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420275237"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4320A2A1-0397-11EF-BC3A-56D57A935C49} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

888 DesktopLayer.exe
888 DesktopLayer.exe
888 DesktopLayer.exe
888 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1956 iexplore.exe
1956 iexplore.exe

pid	process
888	DesktopLayer.exe
888	DesktopLayer.exe
888	DesktopLayer.exe
888	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1956	iexplore.exe
1956	iexplore.exe
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
1956	iexplore.exe
1956	iexplore.exe
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE
1636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 1956 wrote to memory of 2964	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 2964	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 2964	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 2964	1956	iexplore.exe	IEXPLORE.EXE
PID 2964 wrote to memory of 2784	2964	IEXPLORE.EXE	svchost.exe
PID 2964 wrote to memory of 2784	2964	IEXPLORE.EXE	svchost.exe
PID 2964 wrote to memory of 2784	2964	IEXPLORE.EXE	svchost.exe
PID 2964 wrote to memory of 2784	2964	IEXPLORE.EXE	svchost.exe
PID 2784 wrote to memory of 888	2784	svchost.exe	DesktopLayer.exe
PID 2784 wrote to memory of 888	2784	svchost.exe	DesktopLayer.exe
PID 2784 wrote to memory of 888	2784	svchost.exe	DesktopLayer.exe
PID 2784 wrote to memory of 888	2784	svchost.exe	DesktopLayer.exe
PID 888 wrote to memory of 2780	888	DesktopLayer.exe	iexplore.exe
PID 888 wrote to memory of 2780	888	DesktopLayer.exe	iexplore.exe
PID 888 wrote to memory of 2780	888	DesktopLayer.exe	iexplore.exe
PID 888 wrote to memory of 2780	888	DesktopLayer.exe	iexplore.exe
PID 1956 wrote to memory of 1636	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 1636	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 1636	1956	iexplore.exe	IEXPLORE.EXE
PID 1956 wrote to memory of 1636	1956	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\0032849d7bc94780bf3d9780a833ebaa_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:406543 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa729835542b24115505bcb3983bca68

SHA1
621331af34af895e850c43cd1417e046676afefd

SHA256
b6b0143a35bcba83f5ac60a36ee9f842ded1433106425dec74c7851e8ca1136a

SHA512
dd700c996956fd8751a52925edc2a866ebb22f35f238596bc6cd94643b23c42eca5fcfc4b1f41a3186afab59f37e46ac096c1137f7ee8c66cf745e5e680b7199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2e910816ac481aa7578e7d9178384757

SHA1
be872c486f0ea1aba0c9dcee7c692f2f5d93d836

SHA256
4ed0134d0cdd4895bad0ac5c89f6f3fdb7201f9526e057378fea962755afad26

SHA512
f7759dd2af8cab38968bf2fd19839f07d304fc6479751521925347b239f26db4be9b29b13941de03882f13d8d11ba771ac9c8532a17abfb3d9420cf0dc61e5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b96caedbf098a7d273d288821704d536

SHA1
2b7dcbd1d12b636302e3fbc669a2c692b7bb6a33

SHA256
54727a1434721efe5e2aa617e3f68b17b6ada2016ecf24f6113e99767af26fa9

SHA512
e3aeefa643a03cc98692aed753e476afc20805ec361fd391b5079b4370ce11bce971a3459b4362214b6b91ec334db9e1009c490a02109ec40e947bb48ae4cbba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
48289a0e2241a4280ec880c129cfeb4c

SHA1
dffab5175553ef3a93a9e8a31092f74c4ce42550

SHA256
26c56a11d7f81ed8d2f30d42491548a81c761829d59d76643d8552ffc76c035a

SHA512
7adf93745986dcef4137cde28da6a7272b16180bf9c8fd38895bf30a42d83dab45adefb170392da53dccb0dd5e2a53cfc4ccaa5954d070963678d2d57e7fb61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
21fce8b92a43dbe6917caa9319c00161

SHA1
44f8c2c40854994d28ae6af0b650532151e3c5c7

SHA256
055f2e0636203043113e939705f744e4dad81a3405b0343d1137c0775acc2bf2

SHA512
40b82c2c887df49dfbd4b8d413515ee292b430d0406817f122ea83a4a273089d5a1faf4df969d63081a174437bbf5a7339fc3aaa999331491dae1229b5d780ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c99f58550e1cdb2de6d3a98154327a8f

SHA1
298ff1f150022dd8f53c76f69d81db445a2cc588

SHA256
d89ab57b41ae193676338dbdd05e5e90347314077d44fb04221b64fd83324443

SHA512
01dbfc5251f33256f0d73765d82808176019a3d245bdf646a8e0a0a4e70dd2e4f5b4557938d313bf7d3c5a78916ce5f79bd7306f23f7702bfe8def61507a9729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9c380e197063df7bdd68fc6221be1081

SHA1
f3c42610311f425e0301f5d0c7d343738b8c71bd

SHA256
8ddbe442c29c6eabb5b39f9f151e88a0394f9e5206224f7d97283721e93175dd

SHA512
5c53f0a8dfc7e66e991d6b5ee9b71f1635caa975021af4ac70ab42437069306b42d2088582e7479bdfffd24c09eb8cabbf7e255cfc9fad39f2eaead7676e1643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2fc1097be3714e12352f9ff3ac34919c

SHA1
7f6d097af1c598e66298f1d2a108b39ee2903f68

SHA256
4a8b0f4211d12ebb31cdb263034f928a367647b471a150c6fdd60ee94d4e3561

SHA512
5ad786ceb917266a8ea9dd0c331c2aed256b5db35a08ff1998f7f4d67e5308506732cf7cd62304456783942b8bd3852773c0a426a505c451a995b09ae1e7532f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ef67a2eaf266d753123191ccb899995b

SHA1
4cc3bc32b0e28587793b746163692c27884d10c7

SHA256
04812f12e2f20f343f8351f17d7671255c821d3428ca3a2975993b6bb031e785

SHA512
3a38fca83f5c35e2b8860f9701a8ed8690c787b02e18e0b9993e30e863f3c640c363ed1d812ad1b7ca6de045b98280f92b346dd3df7818afb1cc8c6a6405495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab140D.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar151F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/888-492-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/888-489-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2784-482-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2784-490-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download