ramnit | c526cb59f58c54a03823cd99af2579319560fa4244e2818c5f2ea5ec330aeead

Reason

Machine shutdown

General

Target

f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe
Size

180KB
MD5

f6f8ebb4df7bc3d77b3d53677c4d48cb
SHA1

f3e342c6be5ac445a1e46c27711061f77a787e02
SHA256

c526cb59f58c54a03823cd99af2579319560fa4244e2818c5f2ea5ec330aeead
SHA512

7902b542fa99eb0ac18bdb55b6243616b283f126248b4610b08d44ae44925b5e40bd857ec06fdab311caa3df402bc76d49eb66fd71340ab0dd922450b070c87d
SSDEEP

3072:BDbWOntusSGID19zQoMeyYX5KHn7g6VfJn5f6KdhWaA8:B2OIsSbxSnm2tRJnP

Score

10^/10

ramnit banker discovery spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3912	4444	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C52E9BF1-7B8C-11EF-BB4F-6ADB259EA846} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe
Token: SeDebugPrivilege	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe
Token: SeShutdownPrivilege	3584	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3200	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3584	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe
3200	IEXPLORE.EXE
3200	IEXPLORE.EXE
4160	IEXPLORE.EXE
4160	IEXPLORE.EXE
4160	IEXPLORE.EXE
4160	IEXPLORE.EXE
1736	LogonUI.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4708	3584	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe	81
PID 3584 wrote to memory of 4708	3584	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe	81
PID 3584 wrote to memory of 4708	3584	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe	81
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4444	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	82
PID 4708 wrote to memory of 4892	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	92
PID 4708 wrote to memory of 4892	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	92
PID 4708 wrote to memory of 4892	4708	f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe	92
PID 4892 wrote to memory of 3200	4892	iexplore.exe	93
PID 4892 wrote to memory of 3200	4892	iexplore.exe	93
PID 3200 wrote to memory of 4160	3200	IEXPLORE.EXE	94
PID 3200 wrote to memory of 4160	3200	IEXPLORE.EXE	94
PID 3200 wrote to memory of 4160	3200	IEXPLORE.EXE	94

C:\Users\Admin\AppData\Local\Temp\f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 204
      4⤵
      Program crash
      PID:3912
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4444 -ip 4444
1⤵
PID:1944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fd055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3584 -ip 3584
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f6f8ebb4df7bc3d77b3d53677c4d48cb_JaffaCakes118mgr.exe

Filesize
111KB

MD5
7b3937ba0cd79cb981ed7b9d0c6b339c

SHA1
a3af75465e95755aaa71aa7fbc65054cde91d9a6

SHA256
cb920c3bc8a7c6afb29be87021f296845e9312f40df424d1bf2047d056b202d2

SHA512
81282176368c27da4941afeab8728f5797ac0491cfb42796733a5ebc235c46e3f35ca636de71be265c4faac8f73bd3c3d76eec9801242c6aa41b7c732377104a

Download Submit
memory/3584-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3584-20-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4444-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4444-13-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4708-4-0x0000000000400000-0x0000000000437D08-memory.dmp

Filesize
223KB

Download
memory/4708-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-7-0x0000000000400000-0x0000000000437D08-memory.dmp

Filesize
223KB

Download
memory/4708-9-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4708-10-0x0000000000400000-0x0000000000437D08-memory.dmp

Filesize
223KB

Download
memory/4708-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4708-15-0x0000000000400000-0x0000000000437D08-memory.dmp

Filesize
223KB

Download

Analysis

Sharing

Errors