ramnit | d3c680458805dad3729014536a3b040516c0e8da62ecfe52336b35dc28b05f73

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24227f01f252a44502896b2da579567_JaffaCakes118.exe
Size

204KB
MD5

a24227f01f252a44502896b2da579567
SHA1

e1fed8cb7719203155ee769a0d64f3ee37ffbf47
SHA256

d3c680458805dad3729014536a3b040516c0e8da62ecfe52336b35dc28b05f73
SHA512

4bd7a43ef83fc1787368ab1710618fd283e5712a273d0c61dc68feaee68e179aac9c0dec1ef24d4ee60672581f9a9afce1341bbff27b880b55db8c4069e5c1a3
SSDEEP

6144:1Ot4bkSbcC48mwHcFWnQOQ5WvSJ90ycNMrc457bv9:1OTM+YQr2+ncNMvJ

Score

10^/10

ramnit banker discovery spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2364	a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe
2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe
2364	a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe
2364	a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2364	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24227f01f252a44502896b2da579567_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2364	2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2364	2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2364	2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2364	2372	a24227f01f252a44502896b2da579567_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a24227f01f252a44502896b2da579567_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a24227f01f252a44502896b2da579567_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 164
    3⤵
    - Program crash
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a24227f01f252a44502896b2da579567_JaffaCakes118mgr.exe

Filesize
164KB

MD5
a65c1e3711d4d938d5e5c33f24e15a49

SHA1
55e3b14bcdcdbfdb30ab4c94be9e5329c250cb12

SHA256
4ab1f8ec8a46b72f89dc77b6f7c9a547bb9cbe0d3a8723ff375f821a7bb73bab

SHA512
a4fde8f7766c5dbabe4352b577cd4e515368f0f747a9337c526e3c0115daea0675d85a34285902ce6d23f4367e22c51c8f57652a98a36a7c691f57f114021fa3

Download Submit
\Users\Admin\AppData\Local\Temp\~TM197A.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TM19C9.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2364-11-0x0000000000400000-0x000000000048D144-memory.dmp

Filesize
564KB

Download
memory/2364-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2364-15-0x0000000000400000-0x000000000048D144-memory.dmp

Filesize
564KB

Download
memory/2364-22-0x0000000000400000-0x000000000048D144-memory.dmp

Filesize
564KB

Download
memory/2364-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2372-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-9-0x0000000001BD0000-0x0000000001C5E000-memory.dmp

Filesize
568KB

Download
memory/2372-8-0x0000000001BD0000-0x0000000001C5E000-memory.dmp

Filesize
568KB

Download
memory/2372-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download