ramnit | d99cd5edb5f0bc36ddb3944a06ebae91bce35c96f666b69a4754efd131c2d8fa

Analysis

max time kernel
129s
max time network
130s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d95125fdd5a35ce0e5b3be7aa9da75_JaffaCakes118.html
Size

156KB
MD5

a8d95125fdd5a35ce0e5b3be7aa9da75
SHA1

f82ab2650ece1843cc21014edcaaa61719d82c17
SHA256

d99cd5edb5f0bc36ddb3944a06ebae91bce35c96f666b69a4754efd131c2d8fa
SHA512

2017656cd56d4ba041a48b4ca99eff8dc042f141332dc0ddce3b3bc3b50840524e6132ffe0cddac25b02ce3146af35d817f8cd44374577ce0ea597497869da29
SSDEEP

1536:idRTaya/SsicKcUByLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3om:i7gi3ByfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exeDesktopLayer.exe

pid process

1104 svchost.exe
1880 DesktopLayer.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2092 IEXPLORE.EXE
1104 svchost.exe

pid	process
1104	svchost.exe
1880	DesktopLayer.exe

pid	process
2092	IEXPLORE.EXE
1104	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/1104-434-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1104-438-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1104-437-0x0000000000240000-0x000000000024F000-memory.dmp	upx
behavioral1/memory/1880-447-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF289.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AF9C481-2A2C-11EF-9028-46C1B5BE3FA8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424517445"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DesktopLayer.exe

pid process

1880 DesktopLayer.exe
1880 DesktopLayer.exe
1880 DesktopLayer.exe
1880 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1936 iexplore.exe
1936 iexplore.exe

pid	process
1880	DesktopLayer.exe
1880	DesktopLayer.exe
1880	DesktopLayer.exe
1880	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1936	iexplore.exe
1936	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
1936	iexplore.exe
1936	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 1936 wrote to memory of 2092	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2092	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2092	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2092	1936	iexplore.exe	IEXPLORE.EXE
PID 2092 wrote to memory of 1104	2092	IEXPLORE.EXE	svchost.exe
PID 2092 wrote to memory of 1104	2092	IEXPLORE.EXE	svchost.exe
PID 2092 wrote to memory of 1104	2092	IEXPLORE.EXE	svchost.exe
PID 2092 wrote to memory of 1104	2092	IEXPLORE.EXE	svchost.exe
PID 1104 wrote to memory of 1880	1104	svchost.exe	DesktopLayer.exe
PID 1104 wrote to memory of 1880	1104	svchost.exe	DesktopLayer.exe
PID 1104 wrote to memory of 1880	1104	svchost.exe	DesktopLayer.exe
PID 1104 wrote to memory of 1880	1104	svchost.exe	DesktopLayer.exe
PID 1880 wrote to memory of 2920	1880	DesktopLayer.exe	iexplore.exe
PID 1880 wrote to memory of 2920	1880	DesktopLayer.exe	iexplore.exe
PID 1880 wrote to memory of 2920	1880	DesktopLayer.exe	iexplore.exe
PID 1880 wrote to memory of 2920	1880	DesktopLayer.exe	iexplore.exe
PID 1936 wrote to memory of 2412	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2412	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2412	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2412	1936	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\a8d95125fdd5a35ce0e5b3be7aa9da75_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2920

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:537606 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c81ca99338f223cd3e711bca5d4537e

SHA1
f4b7e8949c30fca2db805a49252fedeab47d97d8

SHA256
df3d14e2ffb07c2d86415819848c0cae1f74336bcd26c7d92a9582ebaf960baf

SHA512
34315aa6508ce84f6b63309bcf4c3ec7a1d3d988e10f6989e511086442134ece7d8d98ef80078a07c99ea44ddebbaab26c81fa689f4911099c19d4a066e3efbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f5f152c4ab880e8adc47e6dc6027c025

SHA1
97142a2c66bd6ffc574ac303068743fde0c9f6e5

SHA256
11ff1798f508f2e2d34c3ec10d055b7eaa2856c357f6afdc594bf1290f430e43

SHA512
17c4433589821003f1447d865703c23267e406327334b705f192248da8f09ed516bbc5e1b3f93a1c7362e225c44433cdc1627802b7426b9027c2acd84779984e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f9caf90afbcb76757ebe324c7d93e5f3

SHA1
1b15bb378ccf9f19a95a6fb5498fbca035d27628

SHA256
c9dcb6754c1e972f4d81924bf9f694c0fd06dfbd57f62dea7129e5411010d655

SHA512
33c9da06dcd502d49702718d43b3f6fc9a5eb14642d89212b9b130f5bb769fcd8cddfc2df8c7df2303ac7579ecd624f96fbd2d7cdf9c0e1d6cf20ba863c0359b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c3ebbc6b3826f692b0a8a4b4d3dbb51e

SHA1
ec28b5e72dcbd27ba1502e68fd9bd28da27ca0c4

SHA256
11e52e72229c8b7719d8687fb83e9d2b3c69e79eead4916f5971a03b4075ac59

SHA512
3847e8fcff79108836d9b98b2943f0a821fc86dac30ce8e3d74d35710e11548a0b4093c0370942fd42c0606d9e16744237eeddf8fb173d46c04be266cf559058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
30a0ba41ee742901e12ad9175ee3d2a7

SHA1
2fe0804c72de7cc897b1ee45412a3ccef7a39812

SHA256
61ed41b6344521cd3ae303e0829a97507057a16c85062ac88c965cbf8b06820a

SHA512
c11fa29eca60483eea19904b6791524b34f53b561680c38e375a0dac87c925a7ceadf554ca1dc84ee8f8ae366976ed463a7b266ff906315f4f1b35e308591268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
030b498eed5a07d5f31e9027eeae331f

SHA1
38b48973a7433301fe30895909a6df7185ec66f6

SHA256
c917b2b9c23c11dfad9bd2ff39cebd041ac37ccfdda11ce04ce1f6e3fe7427f0

SHA512
2b7ba981df541d404acc9acf5fdf3b50346105d4c03f266608c5eca91937008fc1b4a81f4cd72eecf8bd0b65e35066d58a8daafeaf7765b6fb7d3d76b56ef79f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
af3560792019f4def917f0175a4b480f

SHA1
b11d0ce9870eaf9a268dc7eaba1a870ac6e2fbab

SHA256
9ca8df44c49d6bc4709e37122197c0e9a21022e252a540132db5006ae8554e01

SHA512
33dd1c846c2abc1e885c8f63bbd320cf594abc9914e0eb7b5dcaf636baa573463f39ae3bed0dafb99cf2554e0b054c2d36496fc56876b3b6ee6de2129d6cd90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5a7d5965d094a8aaa9af95fb454c6edc

SHA1
ecd39969a5236c1f0fcee019a96ced0024dd6667

SHA256
9d1f3530d058095519810d425c1edda13a2c47f7eb21ee05d2cb3d46f0e8404c

SHA512
c0a835b97e72ef52199af3a70da4b4a70cc0da19fbdb3306439a598c49ebac563550d433b3e19ba4e80f35586c3cef8a0fc93370716c7fc1ad7bcacfbad53663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f290f7bf60a0beb78a064516639b6f1

SHA1
f1acb8ddd299cec4a1a6d7d887e0d2571f819748

SHA256
171fad75d371971f612cfdf0296689242dd9ee2f634d58d89fa0cf4293b45c53

SHA512
255d913a58e7e46f9d1ca102f11c42c079196f03232cbb23a1944ebbf20cf00adc00370235f2d25507c731a252bc63a47159b2e4f96cf00a0071510d1c941a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c77c1b3ee9f5b72187e84ee10abdf9a4

SHA1
44a0c34e4e296cafa53cb6d2561f951068f1612b

SHA256
02622d9caf1588dadf5aaf25394a1e66d6de329bb234973fa2c171a99d378c86

SHA512
6673206b4bba916aa36c152b16b10eb7dae1071df81de492b5aba07cebe57b3e3740dabec9342bcded98f49aabfd5c5b628df2c8bc94c3f792965c3221ba958d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d22fa64918a09476298b134e41bf92b4

SHA1
99f0be5b170170e3293ed3b21d55e1e5f6ef1ec9

SHA256
15a3e26e5e0bbe3e6ce2e7845c876e4aee22e404de6569e42918531a12c1218e

SHA512
ee430fd69207603154eee0322e16b1faca73be31af2c2b1316ca9674382bee59c985cf93902281dd487425c1ed35e694d1f51ec4a10c1c691630fce83531fd5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E9A.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F39.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1104-434-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1104-437-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1104-438-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-447-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1880-445-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download