ramnit | 0bde47ee190d9e38f2a41286f35bf88f61b24e06ca9b07033bd8db57cc7eaf1a

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 07:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23c1c06e6f365462a328244a31c6a81c_JaffaCakes118.html
Size

463KB
MD5

23c1c06e6f365462a328244a31c6a81c
SHA1

6e4249fd7481753c0b0ec8ff215702e2c612a144
SHA256

0bde47ee190d9e38f2a41286f35bf88f61b24e06ca9b07033bd8db57cc7eaf1a
SHA512

6aa44b0c274ccda0c724cb6e507a62edeb6af7d952d468551c31b223b6174d1642f2f399bd656dbd67c3264da6abe2648e2e43bfb12153c0c3c4e3926a8d117d
SSDEEP

6144:S+8sMYod+X3oI+Y+tsMYod+X3oI+Y1sMYod+X3oI+YLsMYod+X3oI+Yu:/q5d+X3055d+X375d+X315d+X3I

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2728	svchost.exe
2724	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	IEXPLORE.EXE
2728	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015ca5-2.dat	upx
behavioral1/memory/2728-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2724-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px12B6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D54FFD1-0D0A-11EF-8356-E61A8C993A67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421314151"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2724	DesktopLayer.exe
2724	DesktopLayer.exe
2724	DesktopLayer.exe
2724	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2972	iexplore.exe
2972	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2972	iexplore.exe
2972	iexplore.exe
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2972	iexplore.exe
2972	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2552	2972	iexplore.exe	28
PID 2972 wrote to memory of 2552	2972	iexplore.exe	28
PID 2972 wrote to memory of 2552	2972	iexplore.exe	28
PID 2972 wrote to memory of 2552	2972	iexplore.exe	28
PID 2552 wrote to memory of 2728	2552	IEXPLORE.EXE	29
PID 2552 wrote to memory of 2728	2552	IEXPLORE.EXE	29
PID 2552 wrote to memory of 2728	2552	IEXPLORE.EXE	29
PID 2552 wrote to memory of 2728	2552	IEXPLORE.EXE	29
PID 2728 wrote to memory of 2724	2728	svchost.exe	30
PID 2728 wrote to memory of 2724	2728	svchost.exe	30
PID 2728 wrote to memory of 2724	2728	svchost.exe	30
PID 2728 wrote to memory of 2724	2728	svchost.exe	30
PID 2724 wrote to memory of 2652	2724	DesktopLayer.exe	31
PID 2724 wrote to memory of 2652	2724	DesktopLayer.exe	31
PID 2724 wrote to memory of 2652	2724	DesktopLayer.exe	31
PID 2724 wrote to memory of 2652	2724	DesktopLayer.exe	31
PID 2972 wrote to memory of 2596	2972	iexplore.exe	32
PID 2972 wrote to memory of 2596	2972	iexplore.exe	32
PID 2972 wrote to memory of 2596	2972	iexplore.exe	32
PID 2972 wrote to memory of 2596	2972	iexplore.exe	32

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\23c1c06e6f365462a328244a31c6a81c_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2652
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:209933 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2596

Network

DNS

bdimg.share.baidu.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

bdimg.share.baidu.com

IN A

Response

bdimg.share.baidu.com

IN CNAME

share.jomodns.com

share.jomodns.com

IN CNAME

share.n.shifen.com

share.n.shifen.com

IN A

182.61.244.229

share.n.shifen.com

IN A

14.215.182.161

share.n.shifen.com

IN A

39.156.68.163

share.n.shifen.com

IN A

112.34.113.148

share.n.shifen.com

IN A

163.177.17.97

share.n.shifen.com

IN A

180.101.212.103

share.n.shifen.com

IN A

182.61.201.93

share.n.shifen.com

IN A

182.61.201.94
DNS

api.bing.com

iexplore.exe

Remote address:

8.8.8.8:53

Request

api.bing.com

IN A

Response

api.bing.com

IN CNAME

api-bing-com.e-0001.e-msedge.net

api-bing-com.e-0001.e-msedge.net

IN CNAME

e-0001.e-msedge.net

e-0001.e-msedge.net

IN A

13.107.5.80

182.61.244.229:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.244.229:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
14.215.182.161:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
39.156.68.163:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
39.156.68.163:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
112.34.113.148:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
112.34.113.148:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

799 B
7.7kB
10
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

799 B
7.7kB
10
12
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

779 B
7.6kB
9
12
163.177.17.97:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
163.177.17.97:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
180.101.212.103:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
180.101.212.103:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.93:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.93:80

bdimg.share.baidu.com

IEXPLORE.EXE

152 B
3
182.61.201.94:80

bdimg.share.baidu.com

IEXPLORE.EXE

52 B
1
182.61.201.94:80

bdimg.share.baidu.com

IEXPLORE.EXE

52 B
1

8.8.8.8:53

bdimg.share.baidu.com

dns

IEXPLORE.EXE

67 B
252 B
1
1

DNS Request

bdimg.share.baidu.com

DNS Response

182.61.244.229

14.215.182.161

39.156.68.163

112.34.113.148

163.177.17.97

180.101.212.103

182.61.201.93

182.61.201.94
8.8.8.8:53

api.bing.com

dns

iexplore.exe

58 B
134 B
1
1

DNS Request

api.bing.com

DNS Response

13.107.5.80

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eeb8680b4c222be9f8fd09890defee29

SHA1
73451a2c3a0e42e1db218e55ce9e301ef7d92840

SHA256
bc1031b2a7052aabb1b744217b6799a54687544af3a25f66b869cfdb66f96f77

SHA512
0512978c979893ea250fc039d3fdc010ed980ca5dbf5d7f1bc810a9e982695a5b4ec902b3ef498cf4c0a9c571b67bfb079372d68eefd2b07554146938cbbc7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00839aafedf0d55b028d849e2edd329a

SHA1
405f9e215f6d13403c052cba7a7c4e5c4a997cda

SHA256
e31909488befdbe4593fab0b8bff49374dcf551628b35c7894268486e1dee481

SHA512
87c9935b7ec40279407d12ae491a325a29d7a13d19e9bb3edbd3391a7ce02f6cc7f90b7c93d65ebf7d35929e1513bb2fd3e85d2dc98e9c993c3b97471330e8b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
736d5f4c8192c682279238d7c8c48763

SHA1
e00be284f5cf0399d0747fd1958521630e3bc224

SHA256
2f1d46ee86f17a92d12ea16d2e7095287f3652984ba948e4b15622184c76b654

SHA512
cbd4cd099cc193ee6d211c900d01dda26e89ff4fa210626f084efafef33f8f93669f696192e3744677e9c14ebd2bf28ca5dfaac91aede789a292c57caebc0c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f058e76f7dc78a940c880376ba4ac0bc

SHA1
c02facf265294e80c3cd4ceaf284eb84fe48bf96

SHA256
17ac0c0e7cdac87c349538e2e47d57fbf38151dfaf0cb9f7c0ed48463787ad84

SHA512
706a34f44ebcda7de9adcb4c6b81fc70c5fb5773586511a15d6612ded1c3dab4181f01df450efe3e80d27b9cea6a4bb99134328389dee26f5666de37e72e9dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58da70c09aa435b4fb05821a04e1c5c3

SHA1
30a130998aaf27bbcbe9a129cfb284be3f2fdf32

SHA256
9f3328135936b9cce2b06b069f0fd831b4813d13cbccef1e6a0f6721a872edb4

SHA512
22a74e942b98b8f554c6af7136e97e927d3aa006eed5ce5422c09543f1ab5ba028a927495a608e76bf21155730b4c2b1224bcd2944e8f52c7bffdcc801f2e47d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9959f44cbe759a6e1efbbdcd2ea124a4

SHA1
3450499a68c4704f95051a47fc9bfad1f233fdc6

SHA256
82c190e0be77c70832f3a6588d04674cbd93f6c628e76c43249239c3af212df5

SHA512
159802a25dfb5e1ddb96435dae54b29ca74e765c4f1de0682fd8c4997ce3d1f20a6577d9d07b666de4ecfd9cdf8e391160ad871c169ae2bd78444573324d0122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af77bc11ad94580009b4c070744b32e3

SHA1
e2a7582668bb02b11cfc55aa6f02af4cee13224c

SHA256
5f5999f49e9eb545df54e14c09218b8cce61bf4c926f2e66313daa3b7bba0afc

SHA512
330959984080a6d345b84139b0ec21719c41747f307c443f98d15af0dd2c4ce81cd696736403ea6b0c3dc85a1bd3c2c5d53958e1bb91115758d428b187cfb82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2724-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2724-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2724-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2724-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2728-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download