ramnit | 2732e2f048e1133769ee0779fe23d2058ce4f54deb6aaaac68f276e78591f2d7

Analysis

max time kernel
131s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37d3363ff1a1ce1cb3317517c63691dc_JaffaCakes118.html
Size

158KB
MD5

37d3363ff1a1ce1cb3317517c63691dc
SHA1

4dab46da83474e29d5f9110579f00c5afa83851a
SHA256

2732e2f048e1133769ee0779fe23d2058ce4f54deb6aaaac68f276e78591f2d7
SHA512

1a2778d52b1a4ea613fc2c0c23ea958203aa74314c414dc13f2cb8d8957a42d01eb1b87ba73f0e6a23e93797104f74951ec83d21e473d83e6c40079e812df7e6
SSDEEP

1536:iWRTDxxL7SiuK5OAyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3om:i8XSC5OAyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2200	svchost.exe
2996	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	IEXPLORE.EXE
2200	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003e00000000f680-476.dat	upx
behavioral1/memory/2200-480-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2200-482-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2200-483-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2996-493-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2996-495-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2996-492-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px6C98.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421643588"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33931511-1009-11EF-B671-4AE872E97954} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2996	DesktopLayer.exe
2996	DesktopLayer.exe
2996	DesktopLayer.exe
2996	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2988	iexplore.exe
2988	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2988	iexplore.exe
2988	iexplore.exe
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
2988	iexplore.exe
2988	iexplore.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2484	2988	iexplore.exe	28
PID 2988 wrote to memory of 2484	2988	iexplore.exe	28
PID 2988 wrote to memory of 2484	2988	iexplore.exe	28
PID 2988 wrote to memory of 2484	2988	iexplore.exe	28
PID 2484 wrote to memory of 2200	2484	IEXPLORE.EXE	34
PID 2484 wrote to memory of 2200	2484	IEXPLORE.EXE	34
PID 2484 wrote to memory of 2200	2484	IEXPLORE.EXE	34
PID 2484 wrote to memory of 2200	2484	IEXPLORE.EXE	34
PID 2200 wrote to memory of 2996	2200	svchost.exe	35
PID 2200 wrote to memory of 2996	2200	svchost.exe	35
PID 2200 wrote to memory of 2996	2200	svchost.exe	35
PID 2200 wrote to memory of 2996	2200	svchost.exe	35
PID 2996 wrote to memory of 1920	2996	DesktopLayer.exe	36
PID 2996 wrote to memory of 1920	2996	DesktopLayer.exe	36
PID 2996 wrote to memory of 1920	2996	DesktopLayer.exe	36
PID 2996 wrote to memory of 1920	2996	DesktopLayer.exe	36
PID 2988 wrote to memory of 2252	2988	iexplore.exe	37
PID 2988 wrote to memory of 2252	2988	iexplore.exe	37
PID 2988 wrote to memory of 2252	2988	iexplore.exe	37
PID 2988 wrote to memory of 2252	2988	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\37d3363ff1a1ce1cb3317517c63691dc_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:472080 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f63c7631e1502edd8121a9ac97b08cb5

SHA1
27c341c5995dbed34baa0353c07a0130d3ca4947

SHA256
c357462193a271aa967328fc1b600a179ea1e02edf72bbd6444f22f7bea90c0c

SHA512
540cec60826590e1680d2dd8547515bf175c7766477aad72329446e34e899f0fcb8ee7903cf4bdbc7df4e2a9b6567d74cc1f391cf4d0778e53aaa42765231e10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2494539d6b5f46fb9df5f4b6ccb8e67

SHA1
b42d6077f4c24fe335780e1a1f609dac9318b4f6

SHA256
0f6e08e5ac5366f4968511ac68e8177999e269e125bd35f46530849f1cab296b

SHA512
62c1c24dbc660ad5ee57df59a102e4cd841a9019051e9f97a21ff7f7760d8e9022de89b02a5f765a7fbb6f8042a41e507b839187f0778aaf3632bb4c32ac8e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56ae87797b79dc4131c80a1f3e4d318c

SHA1
9383a15f9aebf59ef6319218d3145279636f460e

SHA256
6dbeb1fa737e85f893fec6f051c96a80fec0b2ef33ba01fe4ed3af93a678089f

SHA512
2b5241977912c06a27f25722ad9256cb9b2d5b0452b89724179a5bebae5501f26312271eca46dbeede63e64d6ec54f5380ed3aa859b3fdcc458c5636675e680c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dd76dd1039c30c93e7339890060a710

SHA1
fbc4fe591b6ef0e8db9ca7e1b0af99a94ee27111

SHA256
61cc83c3b4006bc1c0a90ff87b77f4ca202830c3b20d5ddc37767e5302f17c40

SHA512
7667ed0c540bbc29eaeeaf005861e53cd3a746666424cf7b1c7c8f02b1e4489f11daedc88aed25fbe46c15f07309c13fdae31a1a6472780629833d03678dd9e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6548391452d42d2bdbde38eb1eb8ebb

SHA1
f9c876e188735e56b64d2bc805e8692d2bee57c9

SHA256
21854e2e283043d1f10d68824878cbe08d95bdb4fc474a16269b783b88345035

SHA512
92cf8a05d70a4ffca6551b125f9cc4c9b8e2334c9661a9f41b2740dd80cd7a5922c2fbe77698b85143fc315f6fc0b5a2e697f680bcbe8f4be41b264a5a38a13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
981de50b0ab613383c7195f57cf7b57e

SHA1
c063c56177ac7112a9bc7eab9ff908e1195d4bbc

SHA256
e95b11a628fec7c20b8bce965fe5a8f404943bdcbd32c49757949fe37153e264

SHA512
3cff378cf83da7a7bc6b6483fe810533fe4d4b95427760efff64d2e2164ad81b5c617a24619fb3a004d47b12fdddd6a64f57edad00223564291924f85a6d1a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07052c3ab6c46eaeee61879196a21ee7

SHA1
d7d3aadbcbd55752191773060540908c7c0f559d

SHA256
fbd6d52020dab2f2c38d460f185303bdbbc2378272a3357e1e974d2f40f110c2

SHA512
9c6281bdd199320be3b46f0a759e498014546be123f16d0225b7021a3ea5a7f4485562de0be476a8a8cd99b31dfcbc0fa0c1c4867842127bfbc9e71ecfca0e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
914f1fd9fdf15904eb9b3554393905cd

SHA1
7b1f4269c4e14b560cd7341bd8b22f5a959e5759

SHA256
b78089a2e902f546a321077230641207185f156d6bd6e5639dd82378156b6025

SHA512
65c827473c9e95b2f59a8a3ac6146f22a28588db4655934afab41b61cf6ad7b52708ccfeccc14510776db249d32f2efaca1813cb6763989ab54a5ede1ff54528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
310169792f05851a1e3f696835858acd

SHA1
70ab660229065b2eb0bdfbdf18ead9920f690ccc

SHA256
2cef69c1c3c27ceeec891308da17ea16058551200a236d663283d1f3ff7f2edf

SHA512
e703d71f5c173cb6e076febd6440b6c8d95d09f00c3d4d663fe45198e96d4027f321a0c284ad920ba9757f47e1fff564f9d0d8f2572c8bc59c4802a56e49504d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1b41d72efbf41d089e87821317ed8a1

SHA1
68f6b468f726d5715982f91a11a2a00f05ca4748

SHA256
2630a63c23e8ae24f23ea276bbfb41c19c4ed1b007a16d03756ffb166ee600d6

SHA512
dc43ed27525999da6378955b6b7e2b46094ec2fd04eee3240fec31e4399a43cf99d271347caad283debc3aa8c28b82543d4e6c7795300c5eb5f5f2d78126b0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab932D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar946C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2200-482-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2200-490-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2200-483-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2200-480-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-492-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-495-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-493-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-494-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download