ramnit | f0e2f3fded9cd38a7a8d6453c3b8b1936d19c7d5ccc527bcdac5769cc54def01

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 22:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a29a74030fdb75ef7db6f07e302256af_JaffaCakes118.html
Size

158KB
MD5

a29a74030fdb75ef7db6f07e302256af
SHA1

0a387953c0e4951e14bf619cddb7642f9ba48d4e
SHA256

f0e2f3fded9cd38a7a8d6453c3b8b1936d19c7d5ccc527bcdac5769cc54def01
SHA512

792b791fdf56f0978776c76430bc3a04371118fe9389d987398eb26ebb85e21d4ea0c929f1ea1bef0dfdcf326b52604e173d506853d60435fe85e71f7f72b27a
SSDEEP

3072:iIMxA3CBEyfkMY+BES09JXAnyrZalI+YQ:iZbJsMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1012	svchost.exe
912	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	IEXPLORE.EXE
1012	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0032000000004ed7-476.dat	upx
behavioral1/memory/1012-483-0x00000000001C0000-0x00000000001CF000-memory.dmp	upx
behavioral1/memory/1012-482-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/912-493-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/912-490-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF892.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424391631"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EEBD7B1-2907-11EF-8547-E6D98B7EB028} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
912	DesktopLayer.exe
912	DesktopLayer.exe
912	DesktopLayer.exe
912	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1992	iexplore.exe
1992	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1992	iexplore.exe
1992	iexplore.exe
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
1992	iexplore.exe
1992	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2156	1992	iexplore.exe	28
PID 1992 wrote to memory of 2156	1992	iexplore.exe	28
PID 1992 wrote to memory of 2156	1992	iexplore.exe	28
PID 1992 wrote to memory of 2156	1992	iexplore.exe	28
PID 2156 wrote to memory of 1012	2156	IEXPLORE.EXE	34
PID 2156 wrote to memory of 1012	2156	IEXPLORE.EXE	34
PID 2156 wrote to memory of 1012	2156	IEXPLORE.EXE	34
PID 2156 wrote to memory of 1012	2156	IEXPLORE.EXE	34
PID 1012 wrote to memory of 912	1012	svchost.exe	35
PID 1012 wrote to memory of 912	1012	svchost.exe	35
PID 1012 wrote to memory of 912	1012	svchost.exe	35
PID 1012 wrote to memory of 912	1012	svchost.exe	35
PID 912 wrote to memory of 2776	912	DesktopLayer.exe	36
PID 912 wrote to memory of 2776	912	DesktopLayer.exe	36
PID 912 wrote to memory of 2776	912	DesktopLayer.exe	36
PID 912 wrote to memory of 2776	912	DesktopLayer.exe	36
PID 1992 wrote to memory of 2228	1992	iexplore.exe	37
PID 1992 wrote to memory of 2228	1992	iexplore.exe	37
PID 1992 wrote to memory of 2228	1992	iexplore.exe	37
PID 1992 wrote to memory of 2228	1992	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a29a74030fdb75ef7db6f07e302256af_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2776
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275468 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
972ae6911513cb36aa1651842451a1ba

SHA1
5cf015ebce1ac2692a6eaa9130072712d175df72

SHA256
adb183d1566594c44e1ec87eb2010bc05d09984013d9a846687a4e001036742d

SHA512
2937a6c90150201bd2df9d3539f1169db52e3a260e92dbfbf43b38a80a845a627fd886e99a89897aa2433d0526f79267299b938001abfa182ce329accced403c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bffdf431bb0baf059baf05782157eae4

SHA1
ad0741ad1da1cadc568bebfcee680a5088cd34ca

SHA256
c65b4a80ca8ef59414fda979377036803e725c208700753931f64de0b3a29366

SHA512
62af86e67ce5b0ebf18beed281c24eb1c593c18214a9791c0afda0545ad46cfb2fbccabef6c3745bb6b30aa2ce8fe96e9bd636e1699ff703308650089ab0fee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a284dae6af7271307a2ffbefa606d5

SHA1
21843b25cde78c865771e1c42bd644b5b05b5e63

SHA256
01f8ee87229b0686af5bc80f71f21d4faf1c9252794bb074effe1786d6b686c3

SHA512
f3ee4da9750d4e9bb1df86c0de80eb2a2ae9904d9252e4830594de75870042bc81a09efdac5305296ecc0524ad6a0c2a7b9c5e54ed1f020167e3972299ca9536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c23aa2107f87d2e2b530382ef8ac2932

SHA1
d5e35b439ec5dda67382173638a9fd36b84e8500

SHA256
fbe56f2c5d225a3110ec15eb058991da66dfc7b0dd1ad6956655e59fdffa0395

SHA512
864dd0ae6a24b245f7220e917331f2acac6decf8af077d7769c670a06dee986932f8fda2cdbfdc9ef35539dbef5863fdec0b03d342f09a952fbd886ea0155ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
502d074cf4a18a65a244e37828376739

SHA1
c39c48f437c4267db847e2bc6d428c7605700e36

SHA256
0061bad9c226035b14fd7d5819062d38bc3b2c3b93e8cc0f5d274b3b3bb11b93

SHA512
94887d52c7a52d515a8d8c26e61e71372ce3481c9d81e5db978f0574af3dad288ccf954d972544cf41be1c78f2e45d45eb72849e33d955c168bc2e8a6406f1eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4745b9e3e721927581984bf2e174826

SHA1
79308b69bce34490bfe8f7328712f0c39eccdd5c

SHA256
7768c4ed6a01436bb3f2bc0722c8d979d8c9a78f9ffaecb93e9c68c900f210f7

SHA512
384aef9d9064f40a425603c40cb472570c981e5ad0cb05c99b6626c79dde87d43f44aaeb7ac1d2b448179ff9a112e5a6fb7ee43831b64b77933ddbd9273acc99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
409b09a70ea18df44c6ea3a2e52696be

SHA1
2ed40020cc49ea91beb9f7e67770379abe23906b

SHA256
dbcf8fe4dae1c22dd8f50bc09563bc3a9bd0b804a76d52b95b8bd23f01392b1c

SHA512
7bb5ec92d1e8d8ce5e0cf097fa4ba397bb9918e818d13396224e8f3825072d25bc92921f4176087be3d30463c4f298e27eb05ad44bab54c317de164e8a89d7a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27a6cf28583d7b80b3f61891741107bd

SHA1
a6362d89dccfb4945b068ebf46a6814e65daef7e

SHA256
d0627c0d64a9fca880d0c940d009476ba0af6f111cb3d02ea4bdcb40a39e9f1e

SHA512
3b3de99649a3bb374d90c52e0d34b6d2df691c37a1f4c6f1850f37ee41aea8e7487b6955e39230230eaf9f4dc0019653af37ce6f9e01652e3fc07c01adba767d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eec629669f1debb59fe8c47e5638c2b

SHA1
ea236164a43cd30ae4b7d6037666d0b25f69da74

SHA256
0f4cf9a9facf139046dad2036b3b9a3726a1e70047082554a27310c7517dabd0

SHA512
03bc3b9cac5926aeab0643583690a7e05bbecd353675077d57c98820af556542a2d965bc110d1e4c066ffdfdf1449e2b99528ceb6a97b5c738d6bcbeb15e1a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
812b4c48d921a8fbd2c8ae5b6a02f11d

SHA1
29b69a4fa65a4af31acc7a179b7e786f9712b88a

SHA256
8bc42ce96f9ff8e86d9d486fcdcc19a6f7f61e66f625848a99c9965fac339cda

SHA512
d361ef5cf517f6fcae98eae48a4e50bc017982ad7613e34a600eab16c3f15895fca609908c60de3e745ad551ff64b9fdd20104f99171bfd9fdc5b4c4893da4ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d78386dfa92941f86b03211c5202323

SHA1
fff6d65facedc8b8ba486bc0ea693fb570d1aedf

SHA256
c9b65e66e86e77a391d76885592616aa4e3578523962598fe0cfd2bf77914e00

SHA512
95ab8609872b25601a45c6c7622b6f106301b59a1587907972a6e20a60f8a380d992a7381228fdd7a97d30988f5331dcb411ea19ba95a1f815bcc9d2755a9d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18EF.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19C1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/912-493-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-491-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/912-490-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1012-483-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1012-482-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download