ramnit | a67101cf89a565259dc3cdc865ec68844cc1173ac970f4fa961351ddbb3672d6

Analysis

max time kernel
140s
max time network
135s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68540bc81369a43dc0b62b693ea2339c_JaffaCakes118.html
Size

158KB
MD5

68540bc81369a43dc0b62b693ea2339c
SHA1

d6059324b1236190b938fbe08eb26597e5161651
SHA256

a67101cf89a565259dc3cdc865ec68844cc1173ac970f4fa961351ddbb3672d6
SHA512

8808d82ddc12ac262f56ff1c0a967824391f22d20a746e409d27e77ffc13e553370f1e4359a3730fe6a1bf46390fa0988bcb8b67c449e2d402fa9813d8a163ca
SSDEEP

1536:iSRT4CcEn8kDFEMms8yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXAZ:igbvbms8yfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

1524 svchost.exe
948 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2184 IEXPLORE.EXE
1524 svchost.exe

pid	process
1524	svchost.exe
948	DesktopLayer.exe

pid	process
2184	IEXPLORE.EXE
1524	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/1524-436-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/948-447-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/948-443-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1084.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDE8F331-186F-11EF-B97B-5630532AF2EE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422567327"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

948 DesktopLayer.exe
948 DesktopLayer.exe
948 DesktopLayer.exe
948 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2212 iexplore.exe
2212 iexplore.exe

pid	process
948	DesktopLayer.exe
948	DesktopLayer.exe
948	DesktopLayer.exe
948	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2212	iexplore.exe
2212	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2212	iexplore.exe
2212	iexplore.exe
372	IEXPLORE.EXE
372	IEXPLORE.EXE
372	IEXPLORE.EXE
372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2212 wrote to memory of 2184	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 2184	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 2184	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 2184	2212	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 1524	2184	IEXPLORE.EXE	svchost.exe
PID 2184 wrote to memory of 1524	2184	IEXPLORE.EXE	svchost.exe
PID 2184 wrote to memory of 1524	2184	IEXPLORE.EXE	svchost.exe
PID 2184 wrote to memory of 1524	2184	IEXPLORE.EXE	svchost.exe
PID 1524 wrote to memory of 948	1524	svchost.exe	DesktopLayer.exe
PID 1524 wrote to memory of 948	1524	svchost.exe	DesktopLayer.exe
PID 1524 wrote to memory of 948	1524	svchost.exe	DesktopLayer.exe
PID 1524 wrote to memory of 948	1524	svchost.exe	DesktopLayer.exe
PID 948 wrote to memory of 760	948	DesktopLayer.exe	iexplore.exe
PID 948 wrote to memory of 760	948	DesktopLayer.exe	iexplore.exe
PID 948 wrote to memory of 760	948	DesktopLayer.exe	iexplore.exe
PID 948 wrote to memory of 760	948	DesktopLayer.exe	iexplore.exe
PID 2212 wrote to memory of 372	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 372	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 372	2212	iexplore.exe	IEXPLORE.EXE
PID 2212 wrote to memory of 372	2212	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\68540bc81369a43dc0b62b693ea2339c_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:472074 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97abd0ac3e61737924cc84ec325167f4

SHA1
de92e1be04ffe251b55b5d5f9ef3ce1e47035eca

SHA256
a7a6c4f0871b0de59ff547acac29433929dc531886c31ceba847aac5b42fdee9

SHA512
1fafa194dfe46c7698fef6c01c58ea4b3002a683fd43594db6fd5b966c1a2caf8a05efe87a6dc2b412850efa75b9f62fc7cb50b56ca851a4e7e1400574c11ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23fe3368f5319c903762ae198ac8591d

SHA1
dab6240891e88e33ddfbd54775fd9fb73ae12de9

SHA256
91fe4a825efa500fe795b2c7346082ad7321f7f8f753559c398c9bd5c270c943

SHA512
eb37a77b08eff31f4ce3eb9831a552f9f9d64130ddcd7a42083e14361fd2c77057f271321d90bd339e7805138382c6246364f207ac296262270936efcbbb9bb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce5eace466ecff8d502b9356588d3f3e

SHA1
072c03f370c610705b47ccd448332911fa53d200

SHA256
26713ba59dfab464b7236f77a7bc69d23a87b50402ce859d06a5406401c05bb5

SHA512
66fb55ac85243db7d533026b8e99a445f965f2f4b6f19c153b949331e59975a4ec01bb9628ffb4c7e37252b56153be6da49e5780f5ff08dabfd8a1303a3f91cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5786c0cd66b864083e2bd54eccfb3eaf

SHA1
bd51548c686b11248db6c26809a83c5b395a3e6b

SHA256
e106d0201e2f35904115ca3ac78ab8d883cb22d740c537daba7cdeef7739d2fc

SHA512
32d87e9c958d5f46655bab6d173c6c2598b427479f3f36b234f1f333606824a14740724a008d177016791c85831b6c3776b3fb661a85753f7064ba004e8af152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2172ce6e16ffa4c31c1a06410d3587f3

SHA1
fc3605c467c289e8457907eab9436b62f6c24fd1

SHA256
aaf7226c229daa595b5f96858c7925d2b6dab83d8dc5f39193417d8266296fb2

SHA512
c18f45743994ca6577a671bd598919ea1c1a8409b688d950a902728880eb6a06d352ff3c4817649c4b6f7b7b4ea9f5cc8713142505179497b744c630ef1fd260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
387c24c2a56f2e56e8e6a53155438032

SHA1
72a3731ee245fc3b4ce02cea90078444591ceb99

SHA256
21a624ba6d23c4c5eeaf674e8a8df6de5d5d7b930de361071e31e36877984c81

SHA512
aa911c419ed6263501b023d1b1e5e75d3302361510b883b6b6ab1f704506b3e4cbfcdbfd19bfe4b631c4788ebf54f13c2054ea1fd3907dca86923714b3e68b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cc726af473e0ef5dde1524744388862

SHA1
27cd43cc6d6d356d104a89432421a6bf058751a4

SHA256
f82447df09c78a5dca2d1cb489ce2d20eed8f82c238bc991bf605f523978ea2c

SHA512
75a1b787ed44321ccea1d08ba9db981aa72b7155a4cc157ebb98cba3011c8c9b1139898a14d56f670f7bffe9683c623005625b6eb34347497b0722ad7856ef81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7aa6ca7cbc6c7044cff8701c5dedfb94

SHA1
80017b40d0490e596d900b396bc94d62d4c456f5

SHA256
2e6e8e6ad71ff609f9ec966186f17af196c2a705b2ee70ca516db11f3364751a

SHA512
115f203e9bca3a9acd12c77db603af30dd58edf9f5fbfdafd2195872b9d3a249a45199542b9a66d60844ebc5dfa057c7f6d5ce0b402bd556ae62ca122d38f9f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55b37b25109d49522375fa7d1ac4d93e

SHA1
63a83023b15a39f519bc5dff032f285277ca2cd2

SHA256
03a53e8bac5e7f6275cf41f3b534287ceafb38c4ae3ac1c200a04bb1a05c2652

SHA512
9f6f8b9198d1bbf4b5b3c2fab8b660c2cf4a9302c7b3452b08002e1d521713cf598d2388f1612d6791870fe783efed9937e6751e7b6dbbf0c644777c7d3b84ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8af8d816ddbfc24e905d2460a75eb776

SHA1
fa4995de45bebbc58e5a6ccc1c8078fff05c5e75

SHA256
1e59591a9515316e4469e21ffac0cbc33c5db3da5b1013e68f19fb97ca3e902e

SHA512
dd480fb470b9749f699706a60879c99a8cc07d147c6c6ec5b743096650ec9d1bbcbc3aa71785b3139a87e3928d88af3c25b9cfafb2d9fd800d3364170a509c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
225dd76477c2add12a6e614ddb58294e

SHA1
ce9f79993272a6a9c86f0e5d10eca494fcb6a5a6

SHA256
f7d71b62c473805bc569e8969245b07468162bad98f3da3a96ec0634a93f2b93

SHA512
ba3d16eea4a5195b38037580dae970b3aeb7319a9b395e31a9c5c7dfa8dbf9989ce25c34f99d1572486e2d6b4fc78c31ac14463881612ffcc0ef9d530bd6219f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47CC.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D0C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/948-445-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/948-443-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/948-447-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1524-436-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1524-441-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download
memory/1524-880-0x00000000003B0000-0x00000000003BF000-memory.dmp

Filesize
60KB

Download