ramnit | f5825f486a1580aa26c6058ff4d887c99a908f14e36cab8c5157e25420e3fdc3

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826f328f2b79fde249c38c8bf787b600_JaffaCakes118.html
Size

155KB
MD5

826f328f2b79fde249c38c8bf787b600
SHA1

3cef7bd8ab14600c5ec562f00552e22bfbe85f7b
SHA256

f5825f486a1580aa26c6058ff4d887c99a908f14e36cab8c5157e25420e3fdc3
SHA512

84065f33219a5d947b9689cf7f770081566bf2780495d5877538a95e37fa535606301e0f03e819193c0e7fd140956a5b4525ffd277d697fe4262fedb620ff039
SSDEEP

1536:iARTt88IiEBwX1VYanyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXAZ:iqkwlVDnyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2208	svchost.exe
2184	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	IEXPLORE.EXE
2208	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-435-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x002900000001a4b5-434.dat	upx
behavioral1/memory/2208-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2184-444-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2184-446-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB693.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436525329"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75886931-9762-11EF-AC67-6252F262FB8A} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2184	DesktopLayer.exe
2184	DesktopLayer.exe
2184	DesktopLayer.exe
2184	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2032	iexplore.exe
2032	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2032	iexplore.exe
2032	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2032	iexplore.exe
2032	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2584	2032	iexplore.exe	30
PID 2032 wrote to memory of 2584	2032	iexplore.exe	30
PID 2032 wrote to memory of 2584	2032	iexplore.exe	30
PID 2032 wrote to memory of 2584	2032	iexplore.exe	30
PID 2584 wrote to memory of 2208	2584	IEXPLORE.EXE	35
PID 2584 wrote to memory of 2208	2584	IEXPLORE.EXE	35
PID 2584 wrote to memory of 2208	2584	IEXPLORE.EXE	35
PID 2584 wrote to memory of 2208	2584	IEXPLORE.EXE	35
PID 2208 wrote to memory of 2184	2208	svchost.exe	36
PID 2208 wrote to memory of 2184	2208	svchost.exe	36
PID 2208 wrote to memory of 2184	2208	svchost.exe	36
PID 2208 wrote to memory of 2184	2208	svchost.exe	36
PID 2184 wrote to memory of 2316	2184	DesktopLayer.exe	37
PID 2184 wrote to memory of 2316	2184	DesktopLayer.exe	37
PID 2184 wrote to memory of 2316	2184	DesktopLayer.exe	37
PID 2184 wrote to memory of 2316	2184	DesktopLayer.exe	37
PID 2032 wrote to memory of 1588	2032	iexplore.exe	38
PID 2032 wrote to memory of 1588	2032	iexplore.exe	38
PID 2032 wrote to memory of 1588	2032	iexplore.exe	38
PID 2032 wrote to memory of 1588	2032	iexplore.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\826f328f2b79fde249c38c8bf787b600_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:3093518 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8f09b500750ea76e6815912379394ef

SHA1
b81320af1257cd51ae68c3e7887482e72bf74f1f

SHA256
1b0d45f406523147b35d77670cb4364a02944024db11264c0463f2dbec67388c

SHA512
67289f39fdf78bf0c2125381b826d16a8ee772d77d9250013605964dbdd1009c54f28b2787a812af14efd2b1332271f528c9bedcb77753e36b6315e0a63388d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f428ad0f793df09d6712be7a114c91be

SHA1
e8aff69f8f286801b4036765e67f76047448488a

SHA256
5bcb99759a0904e7ed8acd0c3deb539d085accd0d1ac787aa46bda9b2c9b1178

SHA512
6ed1bdba5eb3c52fb30c4c6b71924faae6b516a985699ac37903b3a530b8c2bb3894dd113679ac6b939f4001ec7d07f12b017fcb918c9d514865f9abd169e3a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7f2dab5fe085a2fb643aeca5f5fb79a

SHA1
26fc5bed57a3149ace3a76302bec9928a30aaf12

SHA256
006aba5c6821ff01cfc24f1b1895eaa0133a30d3c94fdaa4aa2b130abe068842

SHA512
88502964e40b4fbfc34690a17d109cc939c6f6450087dd71298d21d19e67129cf5b8206adcf0729a7d7baf92dcf0334b81380f2fce957f85acc2f77b986aedab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b0f977e2ba7e3d2204dcbdf70e2a2b

SHA1
99624b0d53e3db530d2c9818bd6bae498d9d5d70

SHA256
8002d2fbe3fa538924a80d576e6099e3931dc4e1665ae72b16af1da01943003d

SHA512
b05c4ba99de98723605a95db468ce6e18e17b9a054aa0a151e65174c2dcbbbdd10aee934f610a538eff090118f27e3962537e5ba7ceaac90493c6ee7f3b375a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a542e8339d7a6e51ae4ab75f8fbf3bd

SHA1
d7c63837c658bfd9454206d428f85dfd0c1dfeca

SHA256
c8faed81137f1181ba47b2995466b7eca36aa26b79a47b6285ef5ae4dce40983

SHA512
2d317c6c65aaba81383c006ea426daa10aab544995f02e9fbaaa6c37d2fdbb86888397250cbcb7579f1d280009590968eb537fc82c5780520916ad3344a6917c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee9e726fc03c5f9d240956a1b4cb6425

SHA1
00749d90cd7f93337c4990d8dff45b4bd6fb115d

SHA256
da741957524ef539bbf6829ebd02282838af54731275257e1885c7996cc47cb1

SHA512
16a085503f92bfdb6ef6b6a5d0ffde1e82ece966da72e579ba154710dee9ec2eaf06541429cedb885e82aaab9398fd8b32fbc15696b5ccfa545b1a0c3b3d2583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca04dde30d20a30be19841350ec52412

SHA1
29213b8b9c3bc6d43ed6c9b4e48f05291cc2db31

SHA256
54d4eb6e4dc57a99b14dd92d73bf1adb0ff9b771acaa654efedb5303714eb69a

SHA512
593cbc912a4c405a1310a969c41a9877ba74bc89a6d5e9f8ae35488a511feb02d3a9f8b059f23448b637e559287d11bb1d6d1cc63cb4f3fc45903a3bd38e3fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049c1b78e8a3237e59db9ed35b119d7d

SHA1
5e92eacf3f1684de377a799be62f61f57984d4bb

SHA256
f946f95c02a9c1f82e87aeeb9baa57b7059da2123c532e96b5fc29f79575c797

SHA512
819906c7bf6a0137f18bb601e9481fbf760d22c90ced941e1f4ce8dd8ee3c5bfc7101555348fa9af1be7eee0c1c144187b4ab3b835cd607e81dcd98f43f75b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3e034a9261057170a86973c1e13b367

SHA1
380f3fc66f823eab2a1eb52d4fe4747e98e3e5f5

SHA256
ed0e75f51629525f024b242e874dad0b4722afdb3bf6a58b6151f8c1272fe3f9

SHA512
eab14898c421f936077278a0a836fd5b1e1485c45f724efc63071bba6e33ebf2c898c63be11a8dca9b72b38b8881680f6da33d48a6131b73279533d729ab24b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
208b3dcf5cb91caa46714fd666621a3c

SHA1
72e8c9cbc570570433dde0ce70052ecd288a8516

SHA256
87e23ea25bde1fb267e88e2cc465e432dd5a2328bc6a146dbb626ebb2670e04c

SHA512
fc30205881231288569e75cca2e7d1a09bb9805d4ff107788bbab205cc3f187ba1571db5f839307b39f8e06274cf5ffe287de4cab76234df03ec1ea5993f7f6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b11fe25bc29957159bc90cd205c795b

SHA1
4d25ebda53f7323f2592237fc6f31e0fef8440df

SHA256
80730bd6cc898d11029850e25445042472b1aad8bd96bc2be3b701639d1eba08

SHA512
3159e354f848f8999c27336e444b9ec3329ecadc25284553f0f2236e43227de8a605cec7c38b695a9554c626510bbd20d8503e231c6df5294318b8a774cf5e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC7A5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC844.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2184-444-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2184-447-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2184-446-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2208-436-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2208-435-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2208-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download