ramnit | 67ead114399648a62cd128e4f8f75ebf68c0104f4a9e9b6397078938eec23043

Analysis

max time kernel
129s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 06:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a43b31b88f9b8a6b2a31a0272f28de46_JaffaCakes118.html
Size

159KB
MD5

a43b31b88f9b8a6b2a31a0272f28de46
SHA1

fc11def2e5c63690a599efda8df7db31a69ce714
SHA256

67ead114399648a62cd128e4f8f75ebf68c0104f4a9e9b6397078938eec23043
SHA512

6cfb34fce6a410dc8f1376a545eb70781937f2e0fbc7ed9dcda5a26bc3be4a2533319787dc89ac096567f511a378b7e9d081e9f51b6ff25ed57b4f7b8b624c0c
SSDEEP

1536:i7RTcACSIgZn9Ma/6yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3p:iV3/pR/6yfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2236	svchost.exe
2324	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	IEXPLORE.EXE
2236	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0034000000004ed7-476.dat	upx
behavioral1/memory/2236-483-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2236-482-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2324-489-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2324-493-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEB87.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{218E0F01-294F-11EF-8A7C-66DD11CD6629} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424422399"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2324	DesktopLayer.exe
2324	DesktopLayer.exe
2324	DesktopLayer.exe
2324	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1912	iexplore.exe
1912	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1912	iexplore.exe
1912	iexplore.exe
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
1912	iexplore.exe
1912	iexplore.exe
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2504	1912	iexplore.exe	28
PID 1912 wrote to memory of 2504	1912	iexplore.exe	28
PID 1912 wrote to memory of 2504	1912	iexplore.exe	28
PID 1912 wrote to memory of 2504	1912	iexplore.exe	28
PID 2504 wrote to memory of 2236	2504	IEXPLORE.EXE	34
PID 2504 wrote to memory of 2236	2504	IEXPLORE.EXE	34
PID 2504 wrote to memory of 2236	2504	IEXPLORE.EXE	34
PID 2504 wrote to memory of 2236	2504	IEXPLORE.EXE	34
PID 2236 wrote to memory of 2324	2236	svchost.exe	35
PID 2236 wrote to memory of 2324	2236	svchost.exe	35
PID 2236 wrote to memory of 2324	2236	svchost.exe	35
PID 2236 wrote to memory of 2324	2236	svchost.exe	35
PID 2324 wrote to memory of 1500	2324	DesktopLayer.exe	36
PID 2324 wrote to memory of 1500	2324	DesktopLayer.exe	36
PID 2324 wrote to memory of 1500	2324	DesktopLayer.exe	36
PID 2324 wrote to memory of 1500	2324	DesktopLayer.exe	36
PID 1912 wrote to memory of 2868	1912	iexplore.exe	37
PID 1912 wrote to memory of 2868	1912	iexplore.exe	37
PID 1912 wrote to memory of 2868	1912	iexplore.exe	37
PID 1912 wrote to memory of 2868	1912	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a43b31b88f9b8a6b2a31a0272f28de46_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:209939 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
741e8550eb05e9aef2cde1916166c2b4

SHA1
652620682bdd2141d6979d272aa7a15b3ad76b1b

SHA256
fb90d76a563c9db237f21ea2bffb19243617f1f96d01bf71bc741873da039dd6

SHA512
a389015bbd5cfd49bdfdf0d7f488c9ee3610ae1ac4b2e306baf47db8b4f75d9511752019051e8bd7c36ca8abc9657ddd6d4bb4a9d0776b521bd5aac5cc5766ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
258bf48b7eea419d0a4a2ebd5ca4b622

SHA1
e5ed04f8466f32c2d4d5641a817d36458a8a2b99

SHA256
95045da89f0a1d54ee2678b4d9bb3aff5e4631ef18ff39f60c8b46a3a5e19065

SHA512
ed56dfe1178d183b768d625bc5f102f454c7d1d89b6b90e4ac4fb0b64001232bd22389a6da162a9c919cfd35cb3bcdae814474f15ed92e15bb81f462628d010d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0835292a55c86609258b7a5530233280

SHA1
1cf25fad8b9867744e0308fb14cdb5a6105ad236

SHA256
c02e92d9d92750df3149858c28ba91d95c13d9e02a9f1a3dc56d5e31ee761276

SHA512
10cfe1d7f6ff7b73d15fb1e09e3203b9d96df70852135bda3fa4aae2c98177372a7f33d395eebcad35156eaee77448fd898381010813a89ec6a43f079f3f348d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
649821a1513c9a89dea72c19e9e010eb

SHA1
b572cb85502d734e62332abcf553787081964f55

SHA256
659e36f2fb54693640639045e591b4f29ed67efdc368c5030e2fe7073028f284

SHA512
3ae18d9a4e1defc0ce83adf74ddbc096dd1eb529cab71ab0353937ce9c321a4edc1fa0dd1fc2ad062953bffb7456f7ff7d5004947106a47d34640c6637bec93b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
153f6d1e735b55aaf448ddecbd40b0bc

SHA1
037ce43dbb238437af894b0d6a899929e27ab321

SHA256
c5cef8267fd868ebf9e74cfb5c7d8b6f674d71414ec116b2f190470fb1a3d0ba

SHA512
0e34bac7607025aeb8ce6053614723061ed0304b922f52661cf4a4b622e038d57af9721903d7ccecdccc7fae75c31598677b7e83332120503134a5ed0e786864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3060f8a3d043a9bbfc6b7e145c2d24ac

SHA1
093f2780d829ae8f6857645c36cb314655ef228b

SHA256
367c8e2503c4c2d98af1372a90834861b6e6edf16bb41ab907fb7a3209313142

SHA512
d3f20ef4416b717ae22bd8e1915ee1cb2fc3fdebf96efe2c2d98e88fe0150c6480a0d10fc1671ff348754cdd020f07aa4e680d469d7116d12bc34189ece27c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abdca51bc5b70b67760e79b5660f1886

SHA1
ed32e273a6869262cb6382d0c55c084e40dfeb80

SHA256
916ef04ba7c9613fc87c18315a6a17521260803087418fc01c01737cf6ccee88

SHA512
57b2b68584cd9c6cb38845626234fb712eb457f94c460fea913380acca8ac601c6a8b3764c8dada5e7961e4220678a37a5e0f4a774a0e62b7270727d618f77a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1abbb837e64567d15cce7ea887afec99

SHA1
c8011d0c0a4bcf7126d84dfd86fd1fe6eab3e534

SHA256
89af886bfa6c538da671cad14c312253db854b3d9226a538d83f792532023271

SHA512
77fe9563cf83aba9f72b4a42bc80a8202e6cf5754be0c882025a5034b5fe038a7f42d8bbe4210fdf7bebbbcf1c7ed9e8ed85905e80fc60fd04d1a6782f839ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a9084918bec1dcaaff40cafd0165cef

SHA1
5f8024e51a225b97138769642498e8fa968279e9

SHA256
c76b4288bdb5dd4cbc981457dd41cab147e3456e40aab282d703cbd08e1f6926

SHA512
2514708334326525beba5c28e8810960594c6ec04fdf8d4fe920b41663e0b3ae2f849b8035b6687563d696bbafe2fd749930f074bdfc9df3e1990384deb5480e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef011a49a6668f17052b2d7ac680d62f

SHA1
91d6947d919bb03d9a90ec4cd16de225dd87f7d1

SHA256
4eeeda9ca0cb7653fa2b69c3499e8467da0fbefc0e3e23d017d6f6ecf42f954f

SHA512
73e9e21af5d49a3c98485e92d0877799d4f4de9d5d6459ae0db03060389fbec1e99e6fd9781bd5bd8201c16df718c2292447b1410b2d5063c3af5844e1e07c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB68.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC88.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2236-483-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2236-482-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2324-491-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2324-493-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2324-489-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download