ramnit | d5571af42dcf0586285d9948f2a97043f3609cace5b4ad51a539d9b5204ff727 | Triage

Sharing

General

Target

678dddd7ede67f36302f80b735593267_JaffaCakes118
Size

218KB
Sample

240522-rm9dkseb9w
MD5

678dddd7ede67f36302f80b735593267
SHA1

e6ef41f48f6eef53e3fde62e9f717d67e933db7d
SHA256

d5571af42dcf0586285d9948f2a97043f3609cace5b4ad51a539d9b5204ff727
SHA512

36075b4a7b83330ebb6fd384b06f34d66ad3fa58679c0b5ec4766e490c9ec80d6d10109d54af40a9e1281e330d8f48527b4288e7d8ab05641c0fd7d64c93f930
SSDEEP

6144:nwFDaEr6Lp/5uvOvBkN3xEZwxJ9tcBK9H:nwFDa5LpEYBoE6D9Oc

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Malware Config

Targets

- Target
  
  678dddd7ede67f36302f80b735593267_JaffaCakes118
- Size
  
  218KB
- MD5
  
  678dddd7ede67f36302f80b735593267
- SHA1
  
  e6ef41f48f6eef53e3fde62e9f717d67e933db7d
- SHA256
  
  d5571af42dcf0586285d9948f2a97043f3609cace5b4ad51a539d9b5204ff727
- SHA512
  
  36075b4a7b83330ebb6fd384b06f34d66ad3fa58679c0b5ec4766e490c9ec80d6d10109d54af40a9e1281e330d8f48527b4288e7d8ab05641c0fd7d64c93f930
- SSDEEP
  
  6144:nwFDaEr6Lp/5uvOvBkN3xEZwxJ9tcBK9H:nwFDa5LpEYBoE6D9Oc
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Drops startup file
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanupxworm

behavioral2

ramnitbankerevasionpersistencespywarestealertrojanupxworm