ramnit | b216b9317543d81809c70ee5ac025c993b818cd4ba447d334465e999770b7ce6 | Triage

Sharing

General

Target

6fdca9ec26d487977619704fb3003b36_JaffaCakes118
Size

105KB
Sample

241023-tyq3gs1hqk
MD5

6fdca9ec26d487977619704fb3003b36
SHA1

cac1ab7c2f553345aea6aaae447a396d36a46635
SHA256

b216b9317543d81809c70ee5ac025c993b818cd4ba447d334465e999770b7ce6
SHA512

bc30d887f50aaf175cf5552b9dd37040ae56ebd499de62b353c669127dd23f4c9d0d1b3015c2045e6ff21f52034e4df2627bcf8b1d8778bfa6e746136ff37958
SSDEEP

3072:WJ6dMMfkqGIlxvu/JzMejSO1sJ6CaKMFFk8jwaaHw7Koj4r+H:JdMITlD2SOe05HF

Score

10^/10

ramnit banker defense_evasion discovery evasion persistence spyware stealer trojan worm

Malware Config

Targets

- Target
  
  6fdca9ec26d487977619704fb3003b36_JaffaCakes118
- Size
  
  105KB
- MD5
  
  6fdca9ec26d487977619704fb3003b36
- SHA1
  
  cac1ab7c2f553345aea6aaae447a396d36a46635
- SHA256
  
  b216b9317543d81809c70ee5ac025c993b818cd4ba447d334465e999770b7ce6
- SHA512
  
  bc30d887f50aaf175cf5552b9dd37040ae56ebd499de62b353c669127dd23f4c9d0d1b3015c2045e6ff21f52034e4df2627bcf8b1d8778bfa6e746136ff37958
- SSDEEP
  
  3072:WJ6dMMfkqGIlxvu/JzMejSO1sJ6CaKMFFk8jwaaHw7Koj4r+H:JdMITlD2SOe05HF
Score

10^/10

ramnit banker defense_evasion discovery evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Safe Mode Boot

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerdefense_evasiondiscoveryevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerdiscoveryspywarestealertrojanworm