ramnit | 1ba60ce4d1532e5ee9a1bfeef6c3a8c264d6bf97ee66571560a42b244c0322ac

Analysis

max time kernel
131s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687b0a4854dc9e8a75b03b491322dd1f_JaffaCakes118.html
Size

158KB
MD5

687b0a4854dc9e8a75b03b491322dd1f
SHA1

63769a37ad25b9c84bb9ba4ff9a0994da35c21a9
SHA256

1ba60ce4d1532e5ee9a1bfeef6c3a8c264d6bf97ee66571560a42b244c0322ac
SHA512

863a2901e15a0517b7ebf7120fd77da4d41f6d1b154c3a44ea2adab6989c87ed44362898aa95703e8ee8239029a44a7ab5e93dc2098fe59b3c076012caaae1eb
SSDEEP

3072:ir/+ZuhRi8yfkMY+BES09JXAnyrZalI+YQ:i0GihsMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

684 svchost.exe
2364 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2004 IEXPLORE.EXE
684 svchost.exe

pid	process
684	svchost.exe
2364	DesktopLayer.exe

pid	process
2004	IEXPLORE.EXE
684	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/684-436-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2364-444-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2364-446-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2364-448-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2FD.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422570744"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6C75A31-1877-11EF-906B-FA9381F5F0AB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

2364 DesktopLayer.exe
2364 DesktopLayer.exe
2364 DesktopLayer.exe
2364 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2480 iexplore.exe
2480 iexplore.exe

pid	process
2364	DesktopLayer.exe
2364	DesktopLayer.exe
2364	DesktopLayer.exe
2364	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2480	iexplore.exe
2480	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2480	iexplore.exe
2480	iexplore.exe
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2480 wrote to memory of 2004	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2004	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2004	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2004	2480	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 684	2004	IEXPLORE.EXE	svchost.exe
PID 2004 wrote to memory of 684	2004	IEXPLORE.EXE	svchost.exe
PID 2004 wrote to memory of 684	2004	IEXPLORE.EXE	svchost.exe
PID 2004 wrote to memory of 684	2004	IEXPLORE.EXE	svchost.exe
PID 684 wrote to memory of 2364	684	svchost.exe	DesktopLayer.exe
PID 684 wrote to memory of 2364	684	svchost.exe	DesktopLayer.exe
PID 684 wrote to memory of 2364	684	svchost.exe	DesktopLayer.exe
PID 684 wrote to memory of 2364	684	svchost.exe	DesktopLayer.exe
PID 2364 wrote to memory of 2220	2364	DesktopLayer.exe	iexplore.exe
PID 2364 wrote to memory of 2220	2364	DesktopLayer.exe	iexplore.exe
PID 2364 wrote to memory of 2220	2364	DesktopLayer.exe	iexplore.exe
PID 2364 wrote to memory of 2220	2364	DesktopLayer.exe	iexplore.exe
PID 2480 wrote to memory of 2124	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2124	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2124	2480	iexplore.exe	IEXPLORE.EXE
PID 2480 wrote to memory of 2124	2480	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\687b0a4854dc9e8a75b03b491322dd1f_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275472 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff0273a74d1552398e74b292d41878e1

SHA1
a32f27470f804109e88462377c0f1642521d033e

SHA256
6f1bb632057947e359ba66e37353620fb2c014322749bb3d9edf8badab674354

SHA512
6ef74c7a16bca48acac276747769d2dc9b0487f79930470b8dd688cf5f1cbfe89137f42fa8448333fc5a5e030c10a60de111cd0feb610ac2c4015ccc4a476e0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a5ba0fd2cede64efb52c95193a96d6e

SHA1
876c52a39fe3f95f9af6ed42864127f7d6627839

SHA256
fce6339ac1cae92424cb87ee2a56ffd924a8124dbd79b86ae90ed9105c19605f

SHA512
4fb98fea8745890c35e84b3984b569ad737c614bf355fd847c8d8217768e8c5cb7fa936c3f88cbfdcfcb037d054f0ffe9236465ba43d4b34c1ee53b55bd27bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14977c02ba06f54e0d0b65f8f133b3d6

SHA1
bc041483e92b3fddb3448d61e5b7171847086393

SHA256
baf76e7a076b5857ecd8e471e8cb14fc2d0e335ea10ee417204dce8fb0fa0b43

SHA512
cb30003412296bc813fba08f64e48e566b1c17d5fad029483ea3b56cf8a8a7d481e30593db0862430ec5c82fe3a18151e2ca9f544563480b9ceece873d348c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02737c4fc536f6bdc5f3ceb34a719fd3

SHA1
99309c0e56711eaa0e95cd474488ec469b19f77a

SHA256
54c40f2b66f9f72e88a45bb0ca1394ab1047265a7aa01f8b384c0511bba90992

SHA512
8691d95b7dc8fd08d171031eb06639f6041776a74c5b30f823926ce970846630b86879b63575e5d806feb2823060af7ec0551cfc4ea8062e26e361a5fc2c5c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1452ed6f1ba40fbb3819d7a05e8abd82

SHA1
fd6685c87b99f8487eda16d6991dd6cbcd9bc389

SHA256
34a3011a16c2368fc14cf82144576425f1bdb5fa1f8779036ddf8eafe787f465

SHA512
b4495043c99305686d3804743a6db42f32c2e5d917f9a3d4fc4f4096b3d4534d4d201154015add3ba8a337a586a1d9e4965ab97aae348ec6074ae079f6c053d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32aea3af79d5638e5345ae8a42de8b84

SHA1
08c6cfdcf75e5a18306c9ec52b79fe4f1ff1dbe3

SHA256
67ed909b5bb426b9f047cc8c19e51efb1b7999c77109dfe329cba6471956d1d9

SHA512
ea70f821b3cc1ae1ecb003cc239b1c5c98042039847be3abc48f445abab28a84b32284dee72bc9486fa4c691b3fa791e33dbfe6d313a94c2e490c4d1a4cd226b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfc43e8d9ba243704933c139a34a4bba

SHA1
015dfb0c5204b77e7078b81e3aaf1e9792af12d7

SHA256
e450319302f54060ad3261ed15cd49d8a640ad88f2e2c142fd7fbc1c3e3f54b1

SHA512
deefb85f8e8b46216259e7488450e49e645a088a9695cce00ef6eef2851194d87d8629fe1d81660180616a113195d53aed6b08cd539258ed3578ff48f1978ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d71b73f9db07f05bb47e566c0c041f69

SHA1
24c5bca1e42418173f40cb172e9c392dd1f01a87

SHA256
83c80db655afb128c4f4ad67d9b5c91e7c3a77184add4ec8c788ee5f221ec63f

SHA512
7b376df2a84e0d6efc8760b47bfbcc12117ee8fdec56a56cdaf39d71d8cf3fbaf8f5d36c8a408f2b83a5afbf93f329e9dd79b73e34535f460c0a5bd59e61d2bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0307c1ad45419fe6575ace005e9c719

SHA1
e66ebd4a2945905666fb2493a6d9e62412cd4237

SHA256
b3eaca076e938317f586936f375e587a91e2697a8670f09246d022dcf44bf6e9

SHA512
9a8029f4b92cdcdc4ab6501a1e2d2b65b36ee50ca3976dcd614a99acf561396f7bf9060b64de11816b00697230d8ed1f8b4079e99867975dba7876c9225170fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa6601ab05c51ffa42e4596408359cb6

SHA1
58ff9b8423a495761237140c0f0531a9e653128c

SHA256
fede310ad8429b74be0a6b1189042ed609f6c84a009aa16cf048c02001666f4a

SHA512
a7fbe1768a34269cbe232923bf1e60ca2198c979b449d78805dfd03d694284d2a2cdd757c43e8bb476fd86829bdb2288c91edf9a4a3104dfa2b1974cb161d08a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e829cdb6050c390f8dfc398225c78d8

SHA1
6467b849a952a5f7f1d409e94e1248c55b080c6d

SHA256
8bfbac5fa24b293fed22cc4227faab093a3d997e2310cacc4a79283b90b8b34b

SHA512
c36ca0db9c4fffabb6f6a8820dc8ee3323bb978f0c593a23f89f9f094ed7e598291c6553229600f3887ec6c2443161917ea10de810c869f34b3b63548f328864

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20D9.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar217A.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/684-437-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/684-436-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/684-443-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2364-444-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2364-448-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2364-447-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2364-446-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download