ramnit | 3c52bdf812310190cec125a018673269e83708be08d49abd3897b536aef3dae6

Analysis

max time kernel
132s
max time network
144s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a6bebbb4f4c7766b1da6ca32433df40_JaffaCakes118.html
Size

463KB
MD5

1a6bebbb4f4c7766b1da6ca32433df40
SHA1

ea676e005d47caad5d0f49efbf99f450da578201
SHA256

3c52bdf812310190cec125a018673269e83708be08d49abd3897b536aef3dae6
SHA512

39136d8c2c29687915059b37c1b2e54c3c67586f6255e0176fd2d6adb4ed05ca2091677c4ea8b6504d0ab9330168f6d1ac57477d1a2c021e571d27ed82b77bea
SSDEEP

6144:S+GsMYod+X3oI+YO/sMYod+X3oI+Y1sMYod+X3oI+YLsMYod+X3oI+YC:dk5d+X3sD5d+X375d+X315d+X3I

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
2692	svchost.exe
2716	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	IEXPLORE.EXE
2692	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015f1f-2.dat	upx
behavioral1/memory/2692-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2692-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2716-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2716-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2716-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2716-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px672C.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CCEB411-3558-11EF-9E46-6ACBDECABE1A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425745645"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	DesktopLayer.exe
2716	DesktopLayer.exe
2716	DesktopLayer.exe
2716	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1704	iexplore.exe
1704	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1704	iexplore.exe
1704	iexplore.exe
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
1704	iexplore.exe
1704	iexplore.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3016	1704	iexplore.exe	28
PID 1704 wrote to memory of 3016	1704	iexplore.exe	28
PID 1704 wrote to memory of 3016	1704	iexplore.exe	28
PID 1704 wrote to memory of 3016	1704	iexplore.exe	28
PID 3016 wrote to memory of 2692	3016	IEXPLORE.EXE	29
PID 3016 wrote to memory of 2692	3016	IEXPLORE.EXE	29
PID 3016 wrote to memory of 2692	3016	IEXPLORE.EXE	29
PID 3016 wrote to memory of 2692	3016	IEXPLORE.EXE	29
PID 2692 wrote to memory of 2716	2692	svchost.exe	30
PID 2692 wrote to memory of 2716	2692	svchost.exe	30
PID 2692 wrote to memory of 2716	2692	svchost.exe	30
PID 2692 wrote to memory of 2716	2692	svchost.exe	30
PID 2716 wrote to memory of 2740	2716	DesktopLayer.exe	31
PID 2716 wrote to memory of 2740	2716	DesktopLayer.exe	31
PID 2716 wrote to memory of 2740	2716	DesktopLayer.exe	31
PID 2716 wrote to memory of 2740	2716	DesktopLayer.exe	31
PID 1704 wrote to memory of 2476	1704	iexplore.exe	32
PID 1704 wrote to memory of 2476	1704	iexplore.exe	32
PID 1704 wrote to memory of 2476	1704	iexplore.exe	32
PID 1704 wrote to memory of 2476	1704	iexplore.exe	32

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\1a6bebbb4f4c7766b1da6ca32433df40_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275465 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5ae3ffe17b9598b7d7c7804b754ed96

SHA1
8df62e0fadf34603fe2aeac9355ce9f4d5fb3edd

SHA256
34453d384cb6b7d157e71e8021250fb010625268d1ac323b534194b860f7d96d

SHA512
5b96bec8efcc6d9afc35ac149b07a354774c20489ddfd5646397e264ff510c47ddbf08b2ac6e9c5770332238409b04f2a3d20c3cd931cd47c3a49a99bb678635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f0ae28cfcf4b93c2478fbb8944a50c0

SHA1
26ffe81172c0028ccd4ca756ac47171d1d193de3

SHA256
094f72aab8168e727440d8c222c4042a7e9d94d7bf42f24ffcf736f851b385e6

SHA512
d612e211a1916f7f6a501718432fc6345af9ead5bbd48adb7d2a8b03211dac0744938e7b9543f7d3bef6711ad0451f1e97e67700a2febd69abcbf55b3693818e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88c0ae9099b6a9ec3d1336a2b372bb6

SHA1
841d3f6d14f46e24781142114a1b7f60ac47518b

SHA256
70fe69f2fd9e090afdc33fab16e2d3403aef5305341c5c2c30a9d7050bc11ece

SHA512
868183eed54fe7e48111bccc9e6e262781c79e0d2d30dc79a9d9cf34428dcdccd17afe909aff9f56b1103e83ec7a3a1d7452681d02842b727130854c3cab7b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8089e3e4b0890e9758ebc794031b11d5

SHA1
5bd19ad28674c49e823044d3f0181ef22b390d15

SHA256
52abd3164fb0b8db09f7119ea6853d1bb4c2d3461bbdfe46ac0e4b9edb8dbbf9

SHA512
05b2ff9a95584ad84ca544f90edbd8459077a9602ae312755ac86b6207544ac66b861a35f89617d979b29953fe6c201474e6e7398714a41c0cfa334edd3c4332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9b0923009bca6c471692f7cc6ebaa0b

SHA1
cc552c1538917ba66226e5f4a1f8225fa17f03a8

SHA256
16b173e2b92fffb3d795914b88bd4d834b4ae6675442232ea14480536bf36afa

SHA512
f2957b5d2ec2ee9f7a2d7293e633563a4cb8e0c22fbd9e47c32664d3e3d24c8042926915c2946e876bc5f5f4cd208d978251cffc3fd99e4d80b213831ecc4267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6663228cb7872d83d262cf63260040d0

SHA1
088e9a09165428081fae2c8c43fd0d16ba500b47

SHA256
fe3e157ebe37e3a58cf7614266d11a4434c663df085fbff99c541699b440c1fa

SHA512
2b85c929aef931da3d181976dc66cacc470cb9720ced25bca3b658998c630e777dbd99a4a06f4f1ddf05d8ef7c5a1a252a4968cee5e92e74b81509b65d4340f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5a10d5e8dd5b5129647bd43a0abf526

SHA1
bb042c8ac44d6ae2b31d50ac9ba0de8bf1eccfc8

SHA256
6d3792026c0b1a3d30ff1f3fc1c77719eb798034855836e37a2eed4bf5a9cddc

SHA512
00547cea5e2f6dc842ce1f98127a3ddb9abf6f592e230fd7ca3e7e7f0d549b563573090b419fe9c45ca950722f84d956b65aa7a8f0d26be5648fa78683c1045c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfc3e1127aabf9d68b9c6b304c568c5f

SHA1
2af6e26242b6c28afa08fa585b4e05851c14939a

SHA256
bd10f2fd3b63b28706df5f8b7692d2d02a653dcbeb4b2dab596abab37db87987

SHA512
b579d28d2e9eae8c82a6fce96d7dd7e332f1841cde5929eb86855a8946f1a487deb810ab3d5c5408f6f273a739ed6e1eb434e354f1cf1d1772fb17022106bd67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f1e493dc499de1b79f0a0d21cd6e50e

SHA1
0990f1349706ad2412c090f2c071c6e23b879894

SHA256
364f0d510953ec413b25aed42a0c8bb8a9b3a0af2a5f81be374891da5bd901c3

SHA512
ec75a10f90e20c2514fa6d8b0b8aeb04f4af316d71a8e389d6120b551752e212c91ca5a98293ce32013caf90809ccafd4c6854e3bc7ae2a39e1219d53bf8cd93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f592ac5d994a0a35317e68d72ccb4460

SHA1
eaaaa11c206cdce8bd21d86102fe922500e6d37d

SHA256
a6c3dd12f2ce55c67409c8fdab5cf6e4a51c8585735968443e3a8ca46673ef73

SHA512
5dd8d039b1c103e7819765fed584554aad5460bfc1554bd4304c3073132c25f1bd1c9d76db3af012e987952b3ac3b9134b55fb40aac70039a881f0fd416326fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AFE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B9D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2692-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2692-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2692-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download