ramnit | 197cff67ae152324accce5613ace5f7aaf359d3d35f3922fb4f568554d48f8ac

Analysis

max time kernel
129s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

319cd3ffa5efd09d63ccc1d55fd4aad1_JaffaCakes118.html
Size

155KB
MD5

319cd3ffa5efd09d63ccc1d55fd4aad1
SHA1

0dd2398ce2b1992197505789a0dfe7e2c9f3a7c1
SHA256

197cff67ae152324accce5613ace5f7aaf359d3d35f3922fb4f568554d48f8ac
SHA512

bd4cbf26ea87ef1e8794b42cf81386b1b8842157cd2ba64da7526baf541f9fd3627344bf7568201c26155807609436de8afff5619d3099044757724e2f6d458a
SSDEEP

1536:i2RTOc9JlhT5UHnulzyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXAZ:icpTeH4zyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1340	svchost.exe
544	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	IEXPLORE.EXE
1340	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000004ed7-430.dat	upx
behavioral1/memory/1340-436-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/1340-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1340-435-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/544-448-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/544-444-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxFBDC.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC4F3A41-0F25-11EF-BB21-6AD47596CE83} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421545999"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
544	DesktopLayer.exe
544	DesktopLayer.exe
544	DesktopLayer.exe
544	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1700	iexplore.exe
1700	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	iexplore.exe
1700	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2920	1700	iexplore.exe	28
PID 1700 wrote to memory of 2920	1700	iexplore.exe	28
PID 1700 wrote to memory of 2920	1700	iexplore.exe	28
PID 1700 wrote to memory of 2920	1700	iexplore.exe	28
PID 2920 wrote to memory of 1340	2920	IEXPLORE.EXE	34
PID 2920 wrote to memory of 1340	2920	IEXPLORE.EXE	34
PID 2920 wrote to memory of 1340	2920	IEXPLORE.EXE	34
PID 2920 wrote to memory of 1340	2920	IEXPLORE.EXE	34
PID 1340 wrote to memory of 544	1340	svchost.exe	35
PID 1340 wrote to memory of 544	1340	svchost.exe	35
PID 1340 wrote to memory of 544	1340	svchost.exe	35
PID 1340 wrote to memory of 544	1340	svchost.exe	35
PID 544 wrote to memory of 2208	544	DesktopLayer.exe	36
PID 544 wrote to memory of 2208	544	DesktopLayer.exe	36
PID 544 wrote to memory of 2208	544	DesktopLayer.exe	36
PID 544 wrote to memory of 2208	544	DesktopLayer.exe	36
PID 1700 wrote to memory of 1788	1700	iexplore.exe	37
PID 1700 wrote to memory of 1788	1700	iexplore.exe	37
PID 1700 wrote to memory of 1788	1700	iexplore.exe	37
PID 1700 wrote to memory of 1788	1700	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\319cd3ffa5efd09d63ccc1d55fd4aad1_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:603146 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f63d17f626f78aa340055f2e41b2266a

SHA1
d754dfba3e8570cb51f481afc20c2aa1637e1425

SHA256
510f0ae53525a87280f162e65067427d93c4dfee92b4e21e9ec11e8090534705

SHA512
27fe2cca7dec57607948fc53e8434b3dccddbca00865f13270d0baf3fafd0bffc625c2648870df600b213ff38a367955ccf9218492dd827bba98bc5532923c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd801f5306b672f2a3612d92267a91b2

SHA1
09e656a359bf152e96f95d873d6b94b474e70614

SHA256
065ad2c94a493030b94929adff1efe5b057b90d0fa33c5129153772ec67c7f4a

SHA512
f8747d7408cacdb2b973d09713945696bcb774c6a94b60f9116d49cbf48bdbb8c2a6f26386dae5c46588b29941300009e357d8c72f986e6ec5bf5c930fa10d6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee108c82dc39ad8ccbbd8298792cda6d

SHA1
78550680d047a519a6faf320ed19256f2df31ed1

SHA256
19693b1da48bae0bba39826555e99f9dff695af889ae46ff4f2c451a40031749

SHA512
6c22095cfde4f82ecf32d1ded4ff088afbcac1850e55734fc583046dcce6ba94613e34857f06bbe9f991f5c85792cb959b8c8728dca5b3f05e3447cdb9e4198b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
566bc36f7e7712f176c08aca73368d2b

SHA1
25b9548861dcaf6cf18304afacfffd3e51e023f3

SHA256
9ad4d6d0aa458137113e51fb2313465fb2fd918f0c2103706e1eeb43a078c6ee

SHA512
87000924128c27a238f9e157e41ff2e22fffe32a0c6ff4ed7f293a606d8dea70b1df32b5daf9a3df2132a0e7035d756a2bb9e3fab0734de7d5a6d77443ef03f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24778fa9939ef1efac1e97c6b827123a

SHA1
7e131b3c891450cec688b83a1a92b6b1c2a087c9

SHA256
3bd0490fe3e007323e07d89123bfdc81bb9356010ef6049508c949b55cc85be7

SHA512
39dc141588bf98055ad1eda9f0aa1b4326f656cf42db9c36a5ce4099cf36c139cc3b6c6ae08c68bc763adbd76079451e1ca54505fc75374751f0e89d0b86f53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2752a8b09f1fd59f7d49290a0eb2f058

SHA1
432fa873778be062ccfb8435749495ce47aebeb5

SHA256
c9ca50152866a2ee9e5d8af83a1f5efc2c8489fd0b9359285f8c44e204bfe8bd

SHA512
73eb995f59ddbf4729d92e86909709f7b7d7cdec7091d7014a9bd30b19159c597010910d7dbef7e853485925f599a0167edebc4d862db2a7f2d1725b03c82886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18f34f2cd0c38d8b2da916e3fcf52329

SHA1
2d62725a9718ea78da4b2b2de19140724dc655d9

SHA256
35a17b0474cf28a24d90c21c8f8f498249a136040dee758d32de6d37e7a47204

SHA512
34ac416959616bcdfff3955c59438aa5667926d11c937223848d9232a5a4ae84d3f474fda0a34323b7d78e0432ecb0b9f2ad8f508f54ca7de4347c9cc30becfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5db8e6cca677ff9688e67e5b0f61c75b

SHA1
61ba8c19eb149790deb5f3b4acf87fd491028066

SHA256
93bb7d14ba2a5965b45a2bf1537d7a7d0e4b18a7e8514271f09c3f1027e10e1f

SHA512
bac8884a858db8f96eee96358d2b6f9e892b027b25495d92c12382790bda6e3a24d07f9410483107eefe89b41371b272d3b925e71a48e73da59cb09ea4ad988f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5d618454bb7ae349bec5df31546f44e

SHA1
6c801db65da73045ad8ea3bb5507314a5ebbeed6

SHA256
f031b4b6e0c0dbebe4c1d238276266e0f5dbe3fd3f2b994dd6403588ec3c5dc9

SHA512
9adaa5a8f48cd2d7dafe1022a8f7f7d94eff753623e870927a5d9fba95e8f8b01a75f9479e701d78ef6bbc1cb811ffdc3d631e1a47ba91b1e0ef1f67d3fbeacd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83610acb887ecf6872a2807b7916831c

SHA1
64609465377c76e9623aa797d356b23f80c3b788

SHA256
289ac544572e967388f944dbd2f3cfa5d2e1485a810e68bff66beb5ae5c63b97

SHA512
ce6fe764cad3e7457b3eae1d3b2eb1c7248bf4c04c5a80214e5163b57ea8cf87aed848ae0a9795a4307b9a68f4299046206ecf338c11a69ba90ca1bb1137444a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2eca4e89efb2a9ce112a29fc8a90251

SHA1
961600085175dd0e2b48bfd181a4d4b677878664

SHA256
d1ac0286aabf8e6ff11338b28886ebbb289c86dbdf58244228dded8612255439

SHA512
92b981003421fa7befd93db4df84e5ba8a5728f158861a194ebb48919c96399e24ac53fab3e6d53d359b4b2c79fc6818ae96bf35111b6869ba99ddea6852140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AE2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B24.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/544-446-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/544-444-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/544-448-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-436-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1340-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-435-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download