ramnit | 131fbcbf78ec9bcc539ba8a579be1275b74ce55c4556e9efe12677bdc014d963

Analysis

max time kernel
0s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2d7a0c2befc9d911c8b9003b4e6d77_JaffaCakes118.html
Size

157KB
MD5

2c2d7a0c2befc9d911c8b9003b4e6d77
SHA1

1c985d3514ecd585da4fe75ac20e2edbaaa8c01a
SHA256

131fbcbf78ec9bcc539ba8a579be1275b74ce55c4556e9efe12677bdc014d963
SHA512

939162fc54d9267e424f7e0254c5da0f0d67a70d3a9b99edc34466d2760a6981a1d80d61f98fba3a3bd72e9d021fd93d40d7b0b7ec1937db21f26303a8a05e96
SSDEEP

1536:iFRTMJouRF1iM6WyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJA:izOR2M6WyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0030000000004ed7-479.dat	upx
behavioral1/memory/760-490-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2032-482-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A361301-0E59-11EF-9340-6EAD7206CC74} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2920	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2920	iexplore.exe
2920	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1752	2920	iexplore.exe	28
PID 2920 wrote to memory of 1752	2920	iexplore.exe	28
PID 2920 wrote to memory of 1752	2920	iexplore.exe	28
PID 2920 wrote to memory of 1752	2920	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2c2d7a0c2befc9d911c8b9003b4e6d77_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:2032
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      PID:760
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2156
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:406539 /prefetch:2
  2⤵
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
345c31fe72c87690224ae41924fd1e67

SHA1
bc06530b29a8697ac2bf0fd620e69992f9795f0e

SHA256
94011811ed8dad95b34a93e8ceda09b2608b626445ebc21e76610162cfe34d9e

SHA512
d37723fe131bd02d14889fa24be6126f9c0a118731d6f18d9768cb3385057c41aae78358873f667e7463c2b9b3394980d5bbad16542bc37f7d834d8111d6d1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ebffa3d4714e0a43740d7bee3611865

SHA1
d21e2ff819239a00d2213fd953a6a31bb24cf4f9

SHA256
589e7cccfc5580bba31eaed5e0ad85d358f6981402fcc0da49554bd8b0d15840

SHA512
fc605c139219482b4eade15f5abf27047c6d32a6f98aca1e2be9566132764a877d957177efe7de097f286b59eaf29942732454253faa2f87cf6625826c5dec53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d4bbc9ddd82809c8bfd2fba7155eec4a

SHA1
49837b284bd64546a9f6e1fd6224e873005f818a

SHA256
a5fc7ebbedc43097d25491075cf4a852fc4c46467e914ca40f519d816247f40f

SHA512
b3467645fed40c4664c5adbe6a3edcdc435c8912fa9c5c6ad502c205c4b8d388156a190d033a96d83cd1a7076d48a0e4af8da9d6d25c9d951c9da76894a51122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22c6733e5ad92b1016df62951eb35b30

SHA1
ddc8039c63397e3eb9e11f5967d914c3aadcee2d

SHA256
2e32997efbef8fca80e9802f5acfc1dcd13ab83b5097c8152ffcb124e4c7e229

SHA512
999f1bd9051b38362f37f6dd5fdff15f3ccea997daf4c28c4fdb3ded812b1ee30b89ceb10e2281cf5778545fd864209a3a937ee3aeb8aac3ba48f2a323351b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f9b823f21e920442d236c1b2897b21

SHA1
594c0c5b168c3a9017304ad809a56fc44863df04

SHA256
0097c51322065174098025477c00a55a34d6fba848590a68cf77c369ee343cf7

SHA512
25abf9ad03a3abc8b6bc3907eadd234cc9096dbe5b259add40e8bb4f05eb5d96442c7397f0c653b62507ca1d74e890385dbfac2f1f66b3d85190077412c53e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9e0f7823b452cd98f740d2d93c41f09

SHA1
ec743eb9ae389e3ee871534db520cccc8bfe33a3

SHA256
03e6adab269a65b3bbcc3bec201e61da6dd1697c12a5a15b3b21b27583b0e424

SHA512
a50af3253bc2bb061b85b8f8317f36fac7b11b32cb5d8ff312387358764c97f48f0d663df4bb09e3dd6cd479bdd9fdbb2f52fe08a48e3dddfbc8ba680c8fb427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6de9a2d71d78cb28c337fee49036ef1e

SHA1
6f61c85f67da6a5c7bed4125c764092f59864606

SHA256
2d25dcb65d6ef7fbcfe833754ffefbbe623c5131277eb4312ea8696f73b7bf18

SHA512
f05df53c04a54056d08163353a6b913ba2aea86633947a3221157dda899305f2ed9e7fc8d1c2efd23648403bd10e98160073e02b5821a295432e3f30d08af8fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b358e1e3c6c25a0b7a62a93af641f075

SHA1
1798a4a02b78571d99d843fd7d9d7e3dc58396ae

SHA256
9c6ca5018bf74625747c0f2ad967d09e0d9a754e57528ad7952802777e0574cd

SHA512
ec34a0dfb658ed4ba8a77ee78f46f61b07bf2b0cd4465b73a25f0822410e5f13e6b33d0d7564279fcb4145878039e0493343da983c2cee5973a10b8c00a33c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8571eb83d6f77b016a080765570fefe2

SHA1
98e768ef5ff01831a5745f54d0c595d6cdd62f72

SHA256
7b01cf0db039604bf339652e0de758cb06d677331186a44f767515abaf5b54a5

SHA512
6c78433c7a0bdfc153b5848517b04e00a469fce10cabab74fcf6b7e119ba931f04b41e27bb36ba202178badfb896cce3837c7994d28e7aa7deffcbb5f9ef627f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8e23e0e1230167e097c602c7dfc3b50

SHA1
b4a1d582128b8e34096e077813da0e89cb37f916

SHA256
572f986bb7bae569053fbfdf11ffcc78d853b9f89b66dbb192004dd752a4f136

SHA512
29c7c200e75ae7e08574dac90d2831e9409a53318e2d12968df4956e8817bd34c594f8f0f2552bb6d7dc9cd9a6b166d096b16011f4fce4f5a38204c50268bc22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52b870ed58969ad0c8e26f4bad88a43a

SHA1
854a5f9efa703da9d73c4df351f95cf9f08ab7c7

SHA256
4a738a4dfe33de3a007790cbebfb196278a2826444fe04a35953702ccd26e0fb

SHA512
bdd66786c3c720fa1d7638a32b16eda81c674c5cbe65ea6759d5ad44c1f5340b470c8db6cd04a9df062070755c62cbfbebb94a85420a84652e18c55d4d56d061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f81369e910cc6e521b0e482796f627ed

SHA1
2a10c27c9db88d785a94b6fa0330dbe1400c56bf

SHA256
c79e3cbe76b96b868628285cbd7ab752404b1a73ef0260381ec99a79de3aac13

SHA512
47c9c89053d95fd5757518c4b0d3f26f088c7193a42fa1016abed015bf4e854806b3f7bda5e1ea56ae0dbb1cfe7047c2f672fb6c38fea53f52b59285dd5901cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de49a263bde6935e431e3f604133585c

SHA1
a59eb9b54d9d4ec8e56a17f00811222bed01fc91

SHA256
38384e78acae41b1676c06bcbdf008483c69f8b8d7c2bacf296837104f28558c

SHA512
41efa2ba727152142c6b3902a983c4ce249098b1c7a3049af7437e8e5655e53ea15892ccf0a8c5c688fe09a11e3529777b9b0cb29ce510b466bf8cc24c793c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5908a4213bccdee669bc0792cd036e2

SHA1
cd2de2a9c15bb822dca65d20656d4fd9b968d5e3

SHA256
08d0c34aea2053f1eccf4eed341016bde309c9387fccda53fde743927442ac56

SHA512
1a3e2ec6f9346c1d1eeaf70c64d89f88a90fd43f1b3bcefd052993c94c8b9f341b1f0492f9032bd638c07ead081ae682702ccfe266b49c9dc575affc7320a153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38c96654437e2578d4a585e1e205819c

SHA1
dbd3d6587e633ec11b5c517728bfd1e94ee6db6d

SHA256
33c980ed8b59b358a716ee0a21a9374dc73ade283da13b8df5d9893bf889cf74

SHA512
db95d6bb9026bfd5a35957db22da03c609447e8d526bdc37040e53f018272e433db753673e557e234778d810e3f7226345b0ff631cf6f95520a6cf6cb02cd13f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0549c62a3185c784afca87c089705bc2

SHA1
cb29db557d34fe87a20634677f26ccbef9a91ded

SHA256
589085c32e4dea307038a5b89781173bfd6886e133256aef410b627116c5fd37

SHA512
e2457487d9985e7ba3ab07e9e1bf3b415b19ace59196cfabe81669a0d64c76483062f7d28565288a77b583d7274aa7b88138d459ca5b911e6893896b46bb4838

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7985c3100302d393a4dc6478cae6cbad

SHA1
c2002f89dc9124be660174c6f18780a7a588d7ed

SHA256
97b4317285c4ecd73101e436c20a23b3ad8ea94f9ee4491d72c5605e238fdf9e

SHA512
0a034a0f6937e9b1c306fe48c2dce42ee4bc3e7ed2a7cda01bd7af17bea4f3f4333c3295a776357f3d36bb1be5c26a4ef1bb26a05e3459a0de3c82611fc9802d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f2127b4c22e2545352fb5409cbc10a3

SHA1
c7fbd0e561085904c13690cf680036752eafcff9

SHA256
fb8d642ce40396509a7b0cab1810c01a8030741efabc259c89ac04cbbbd84275

SHA512
000cf069fbedab1fdb27c20b2aad59bfdad1361327237843379352f051547ef368907de32a73f32148189b3c98cce57bcaef53ed9519767ff0a568152991bd4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7486f606232ed64be4e342a472c2447b

SHA1
7a8649d835ac4c47ddbe9283c5283d78e672f5a3

SHA256
5121beefc07d12ab4ee2f14ae1576594a2ff7a7c37c97dff3c7eb109c5ec3451

SHA512
772add7e2d2799351dd17265a149f580cfc988da6d607d0aa68a093b6d05b69df3e6c329b8398104ce3fdd69020830c9417a040a2dc812d7590059461a9b22ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1131.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1213.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/760-491-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/760-490-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-485-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2032-482-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2032-973-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download