ramnit | 9b1a8d531e2e236b985adac7282d693ac8c5f8136bfa6071ff32821c9c3dc342

Analysis

max time kernel
16s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 06:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe
Size

256KB
MD5

e1e038644262e3d6878ebee04f0a6889
SHA1

fd5e52845ea34fd37b04d609d5417209f3272fa1
SHA256

9b1a8d531e2e236b985adac7282d693ac8c5f8136bfa6071ff32821c9c3dc342
SHA512

c932e9fa7eb480332253b66d0d9a31c64a9ef00b73e0f837a50a394d41c45dfe20ce635fafa9792673a43a135ef9769747a38caca170f304eac03d0352663889
SSDEEP

3072:nDt64f+TPTRK3a1o5ZlbmvvzT0s2rRsamQN6ahC1bBz7zU/WZAn53mkZ8f7QJ4r:nUJTymjT0s/76C1bxsUAnLZe73r

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1596	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe
2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe
1596	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe
1596	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-12-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1596-18-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1596	2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1596	2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1596	2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1596	2524	e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1e038644262e3d6878ebee04f0a6889_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e1e038644262e3d6878ebee04f0a6889_JaffaCakes118mgr.exe

Filesize
163KB

MD5
32e2446e5ea8b44ee87ed1dec23ea040

SHA1
1341be8ec8be902630fc92657b10016c5d83c14b

SHA256
1f261c1a1c5e7c051cbc0332db237c8e7335661251af2d950b05edd6d515f170

SHA512
95b36862faec87482a2dd6aa16a2bbcfe73dcd30796d4d98db7ae6b46ec73c4f6de9880c7e8042697ffc5fddb296bd4610e69b0fb8275566c5cd3e85d9e693f6

Download Submit
\Users\Admin\AppData\Local\Temp\~TMCD6D.tmp

Filesize
1.2MB

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\~TMCD7D.tmp

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/1596-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1596-11-0x0000000000300000-0x0000000000368000-memory.dmp

Filesize
416KB

Download
memory/1596-18-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2524-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download