ramnit | c9af01171d3c5c41221b49642549843a106fa90c56ff75e56b204ff139a1b410 | Triage

Submit
Reports

Overview

overview

Static

static

3

5c94d437a5...18.exe

windows7-x64

5c94d437a5...18.exe

windows10-2004-x64

Sharing

General

Target

5c94d437a54b1ae038201e0ef3af5dd2_JaffaCakes118
Size

264KB
Sample

240719-s5zsjaybml
MD5

5c94d437a54b1ae038201e0ef3af5dd2
SHA1

7a83adb3448550ae7227e165ea8d70752c0a1826
SHA256

c9af01171d3c5c41221b49642549843a106fa90c56ff75e56b204ff139a1b410
SHA512

3b7eccef66a51498e9f433efa76a4d601377e08ea85dc0807e280840a780de0fd3475ce30b7f2de7fa46de67cb20cbada26179f446b23d8e8ebe5bcb02defe34
SSDEEP

3072:JxGoxu+UXHx3+q84qtJ8lkuLrTCvnGuMR/r:CDXxOqw0XrTiGu4r

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5c94d437a54b1ae038201e0ef3af5dd2_JaffaCakes118.exe

Resource

win7-20240708-en

ramnit banker persistence spyware stealer trojan upx worm

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

5c94d437a54b1ae038201e0ef3af5dd2_JaffaCakes118.exe

Resource

win10v2004-20240709-en

ramnit banker persistence spyware stealer trojan upx worm

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  5c94d437a54b1ae038201e0ef3af5dd2_JaffaCakes118
- Size
  
  264KB
- MD5
  
  5c94d437a54b1ae038201e0ef3af5dd2
- SHA1
  
  7a83adb3448550ae7227e165ea8d70752c0a1826
- SHA256
  
  c9af01171d3c5c41221b49642549843a106fa90c56ff75e56b204ff139a1b410
- SHA512
  
  3b7eccef66a51498e9f433efa76a4d601377e08ea85dc0807e280840a780de0fd3475ce30b7f2de7fa46de67cb20cbada26179f446b23d8e8ebe5bcb02defe34
- SSDEEP
  
  3072:JxGoxu+UXHx3+q84qtJ8lkuLrTCvnGuMR/r:CDXxOqw0XrTiGu4r
Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerpersistencespywarestealertrojanupxworm

behavioral2

ramnitbankerpersistencespywarestealertrojanupxworm

© 2018-2025

Terms | Privacy