ramnit | d5571af42dcf0586285d9948f2a97043f3609cace5b4ad51a539d9b5204ff727

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\oxysyljr\\weqfjlpi.exe"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\oxysyljr\\weqfjlpi.exe"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

Windows Service

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weqfjlpi.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weqfjlpi.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2052-5-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/2052-8-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/2052-6-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral1/memory/2052-3-0x0000000015190000-0x00000000151CD000-memory.dmp	upx

Windows security modification 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\WeqFjlpi = "C:\\Users\\Admin\\AppData\\Local\\oxysyljr\\weqfjlpi.exe"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	pid	process	target process
PID 1752 set thread context of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

pid process

2052 678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
2052 678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

pid	process
2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Token: SeRestorePrivilege	2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Token: SeBackupPrivilege	2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
Token: SeShutdownPrivilege	2052	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	pid	process	target process
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
PID 1752 wrote to memory of 2052	1752	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	678dddd7ede67f36302f80b735593267_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\678dddd7ede67f36302f80b735593267_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\678dddd7ede67f36302f80b735593267_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\678dddd7ede67f36302f80b735593267_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2052

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

8

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

Credential Access

Discovery

System Information Discovery