ramnit | 0ae889c41539c4ab10574940c4e3c9ab041dbc6dabbf1189b5d49f96a4206093

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62e36ffef77e97846c787acec4369845_JaffaCakes118.html
Size

144KB
MD5

62e36ffef77e97846c787acec4369845
SHA1

878a9387006936ebd34b69fd76422182ef33cf81
SHA256

0ae889c41539c4ab10574940c4e3c9ab041dbc6dabbf1189b5d49f96a4206093
SHA512

eba47720ee792e515e89479d661904fe419133a343d2b345b6ba4597d22b88ade754159f6d92fa4014ae23aafc2518656eee18203ff0ff32bbc3df2fec8b554a
SSDEEP

1536:iJRTQAidenTyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBw:ivfRTyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2904	svchost.exe
2380	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	IEXPLORE.EXE
2904	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002b000000004ed7-476.dat	upx
behavioral1/memory/2904-481-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2380-492-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2380-491-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2380-494-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2380-489-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2380-496-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxFAC3.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D36A1381-1758-11EF-87AA-FA8378BF1C4A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422447442"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2380	DesktopLayer.exe
2380	DesktopLayer.exe
2380	DesktopLayer.exe
2380	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1688	iexplore.exe
1688	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1688	iexplore.exe
1688	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
1688	iexplore.exe
1688	iexplore.exe
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE
1292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2884	1688	iexplore.exe	28
PID 1688 wrote to memory of 2884	1688	iexplore.exe	28
PID 1688 wrote to memory of 2884	1688	iexplore.exe	28
PID 1688 wrote to memory of 2884	1688	iexplore.exe	28
PID 2884 wrote to memory of 2904	2884	IEXPLORE.EXE	34
PID 2884 wrote to memory of 2904	2884	IEXPLORE.EXE	34
PID 2884 wrote to memory of 2904	2884	IEXPLORE.EXE	34
PID 2884 wrote to memory of 2904	2884	IEXPLORE.EXE	34
PID 2904 wrote to memory of 2380	2904	svchost.exe	35
PID 2904 wrote to memory of 2380	2904	svchost.exe	35
PID 2904 wrote to memory of 2380	2904	svchost.exe	35
PID 2904 wrote to memory of 2380	2904	svchost.exe	35
PID 2380 wrote to memory of 2832	2380	DesktopLayer.exe	36
PID 2380 wrote to memory of 2832	2380	DesktopLayer.exe	36
PID 2380 wrote to memory of 2832	2380	DesktopLayer.exe	36
PID 2380 wrote to memory of 2832	2380	DesktopLayer.exe	36
PID 1688 wrote to memory of 1292	1688	iexplore.exe	37
PID 1688 wrote to memory of 1292	1688	iexplore.exe	37
PID 1688 wrote to memory of 1292	1688	iexplore.exe	37
PID 1688 wrote to memory of 1292	1688	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\62e36ffef77e97846c787acec4369845_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275475 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fd46f2460c7e6eb9535d509dc63bf653

SHA1
02e61267a892dd1adbe48998217c2d209e689b39

SHA256
823ab87ac9a165eeaf82e2ebd28df1a139975c37c328f1e69f1cd1e4e2a45853

SHA512
77df7b3f4ee8d3940d68e5e087891cb33cb72ba68e3a7738f9e082d8c3820852e925cae9149ecf587de739cbbca31ba36c527df38974a62dc36c2c95c7201f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a29214ca94d3d6a01f8e1b677becf7a

SHA1
e78950b82612eed6104fad6a54cec95186a6ec24

SHA256
7df3e9d1302c1601bc9e4b72d5a376afb5d4330674ce4998d69b450dbe3ab0cc

SHA512
699a824303faa2f5c3b7fbe81f63a0f1464336268fc6adc1f442e39f429bb86d0a2b04fd2df407462e1cf2f12535bf4d16ae8ae3f672f4adb17e664017db81c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6421c9d337d641c1a66c5a190d060d41

SHA1
5af8dd56f7b9fe20f8208ed97d486f350baac719

SHA256
bf97722036fc5e5518bc0c19555f4dad7cd838fe17a3e880ead27e7efefaf022

SHA512
82129d778534442d9bae2a073daa9d503823fabce705bc6049bf7a3cdd34d5c91a3c196bf32775e23c10ba66044dc9e38caa61cb8d84a6a32138f53250d05abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
418a087f89b05ac79e71f0f07a2b943f

SHA1
8883002c77a42dec6a40dd5eade33f8924c3cfa2

SHA256
ee53a2780404c9e75d095c51d3e49996938f60e686443c1a7853067ed8dd553e

SHA512
ba50fed9f249a9ef0218e97f6a60855eb3e8a01bb64940fae6a2c95709b3bc49bf3582ad6f7f74d75366a5b5e31c22b4a74af2506f5a7bf1f4c0434b0d2b0345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3ec35913c15ed42be495cf8ad6700ae

SHA1
0dce033b29050a4214f72de18df6756358c993f5

SHA256
a8caca218cdf41c0f6c499943d6fb08a02097f5908ad531d96a9cd3706631f61

SHA512
c23c5939d3ed55f99c41bdabd5d08012eb67ba31f1c75d59b12f6bb0b0d5ef4bd35a25907562a8a6927ff879b0fe1b358e5f34f29f5bdd7630d519296e42426d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d664703ed647f13ff579e00af1b25e73

SHA1
ba8fb1a63e0fa090aa678edabde80fba976b1687

SHA256
16231db8258395976f2eaebd77eec93aac828e6a37410f9f867d4180c42fb14b

SHA512
f8caf491698f92e066851f0e22e98a3853ebc75a9cd2ca32a0c74753d48d4c6e1dda837a3857d77111209e16fd0368c3889d7963ffedfc3a41a58b9c3ce007a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39ead2dc5c494efcb36113838907dac8

SHA1
30a61193e03a42dc95d0bfcbb3e9923aea5ea9a5

SHA256
21a41ce219614b6dd3c822f87a9d587bf1f353caa0c94bbbc0da717af1fd6f83

SHA512
4c1c3148b462eb0f171832c41695d68850b9386903d867318baa0b515b9fb2b6b2f126ca02c1413ba9410b6b3af04b7f79927b06b1e3920ab35801fa1ce0ee20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fc34ccd51cc0b9f93b068d842e5b4db

SHA1
a617aedd83a2b75e4ebd24a7025febbcb8c852cc

SHA256
94348abb257b02f43b1a2ad60940c7fe2b24757be189013f8f186fbf299f56ec

SHA512
5b218e7451226f95b4ef078dbac6f19c05b3f2602a8d0203649209e3cc22c43ee182259d046b1ab60675994039909b03d0e608078a2237060bdffe8fec1a76ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c6d32340ec1fb7a61bd70fb61f10bf8

SHA1
0ce18cd691d1230b535931ffc36fb6db6dcbadb2

SHA256
769a028a075402246d021233716fc3086fd59021b6a0d7480a0c83715907f651

SHA512
eb4a3f0fdb624f8629171b8c120ae7d5eda5d394494e323b85069fd1e7b95ce302c6957b9b5751329ba24aea92a298d7d88830c1f595ab877ad191329fcc0d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f8342d089638f348e4867bb11408439

SHA1
2e48a3e0aee7d3f42cf04e088198d3dc0d376568

SHA256
7179001e00cd69ec298ac58f9c740f24f6b39d0facdb464d0bbdff1740ac9c7c

SHA512
d1d80f06386d9a8c2854f8e2ea745f62af25ebfdc290a589a59fe3fc61819a3538ebaf05863ec5cdfb0314e31e67262faa525b189c473069fd847c8a3b29fa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1CE5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DD1.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DF5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2380-493-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2380-492-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2380-491-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2380-494-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2380-489-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2380-496-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2904-481-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2904-482-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download