ramnit | 8ad320293c9d12aacbc33004f8996ac8fb6d42bf4eeaa608c7d5b53994a8a7bf

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1e4c1c18acc9b79a142c29a22e6ca4_JaffaCakes118.dll
Size

136KB
MD5

fe1e4c1c18acc9b79a142c29a22e6ca4
SHA1

ad19c29ffeb39aa4df47bcd32a620a450d2150ce
SHA256

8ad320293c9d12aacbc33004f8996ac8fb6d42bf4eeaa608c7d5b53994a8a7bf
SHA512

710ae889eecdb24f2826a0b613cf2546c99abea26fb50fca0f9a865f1c39c897c2e0c1dd94792c6ff6217392bc267bfbf1646914676e27cd2daeaf2ff17eb2fd
SSDEEP

3072:6uIIPhvpE6cXjA8iVUAWGaqqqBSpXuWMfujoMITjWS:6/EFpkXsDePGaqqqBmMfujPC

Score

10^/10

ramnit banker defense_evasion discovery evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\qovotnbl\\yunbeqkc.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yunbeqkc.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yunbeqkc.exe	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	rundll32mgr.exe
1284	qalvgsmilupjiptg.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1272	rundll32.exe
1272	rundll32.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe
2668	rundll32mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YunBeqkc = "C:\\Users\\Admin\\AppData\\Local\\qovotnbl\\yunbeqkc.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qalvgsmilupjiptg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2668	rundll32mgr.exe
Token: SeDebugPrivilege	2668	rundll32mgr.exe
Token: SeSecurityPrivilege	2916	svchost.exe
Token: SeSecurityPrivilege	2844	svchost.exe
Token: SeDebugPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeSecurityPrivilege	1284	qalvgsmilupjiptg.exe
Token: SeLoadDriverPrivilege	1284	qalvgsmilupjiptg.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe
Token: SeBackupPrivilege	2844	svchost.exe
Token: SeRestorePrivilege	2844	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 2060 wrote to memory of 1272	2060	rundll32.exe	30
PID 1272 wrote to memory of 2668	1272	rundll32.exe	31
PID 1272 wrote to memory of 2668	1272	rundll32.exe	31
PID 1272 wrote to memory of 2668	1272	rundll32.exe	31
PID 1272 wrote to memory of 2668	1272	rundll32.exe	31
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2916	2668	rundll32mgr.exe	32
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 2844	2668	rundll32mgr.exe	33
PID 2668 wrote to memory of 1284	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 1284	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 1284	2668	rundll32mgr.exe	34
PID 2668 wrote to memory of 1284	2668	rundll32mgr.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe1e4c1c18acc9b79a142c29a22e6ca4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe1e4c1c18acc9b79a142c29a22e6ca4_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Impair Defenses: Safe Mode Boot
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\qalvgsmilupjiptg.exe
      "C:\Users\Admin\AppData\Local\Temp\qalvgsmilupjiptg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe

Filesize
111KB

MD5
10d2e087710c80d11a2e482cd3a13731

SHA1
5623e43b4ac7c528449e67bc11cedabe369df54c

SHA256
607b206b4baecc7a0be6c0518b8733fb5c4364b7098a262a03befbbfd0d30335

SHA512
68b991baad83dc781e8a5ba69d0edfad7e90122618b5c1f178a01a0481a8f43e200cbd7f5702449ec758361ac8f1a1596e7400bd9561a86cbeff31a876a2f65a

Download Submit
memory/1272-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1272-1-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/1272-0-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/1272-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-94-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/1284-99-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/2668-101-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-92-0x0000000002900000-0x0000000002938000-memory.dmp

Filesize
224KB

Download
memory/2668-15-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/2668-18-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/2668-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-12-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/2668-91-0x0000000002900000-0x0000000002938000-memory.dmp

Filesize
224KB

Download
memory/2668-17-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2668-90-0x0000000077B9F000-0x0000000077BA0000-memory.dmp

Filesize
4KB

Download
memory/2668-82-0x00000000028F0000-0x0000000002928000-memory.dmp

Filesize
224KB

Download
memory/2668-37-0x0000000077B9F000-0x0000000077BA0000-memory.dmp

Filesize
4KB

Download
memory/2668-83-0x00000000028F0000-0x0000000002928000-memory.dmp

Filesize
224KB

Download
memory/2668-74-0x0000000000400000-0x0000000000437E08-memory.dmp

Filesize
223KB

Download
memory/2668-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-54-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-110-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-55-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-61-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-63-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-62-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-111-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-45-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-39-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-103-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-109-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-108-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-107-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-106-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-105-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-104-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2844-102-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/2916-35-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2916-20-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2916-22-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2916-27-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2916-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2916-28-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2916-32-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2916-33-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/2916-34-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download