ramnit | ccbd6b3f267fd2d2b07e90e3ab66d4fd6343c82073e08e9576e977f915dba8f5

General

Target

92a680ce5333a3345222a0473c826364_JaffaCakes118.dll
Size

335KB
MD5

92a680ce5333a3345222a0473c826364
SHA1

999b1d8738ec80e024c5019e84920d8a2fb47a1d
SHA256

ccbd6b3f267fd2d2b07e90e3ab66d4fd6343c82073e08e9576e977f915dba8f5
SHA512

d45818b49c5cba38eda40c461b8cf0078e768503a24947dcd231b2120844f1e4902caf23e793a3e8116eb40192fe12b11a26731e54e1737ba522a1da13beddef
SSDEEP

3072:dBgPPL4wmm/OXj1OGd8z6K98ymI+qaIQBLbXarOx/g1ul916e0Y56FPO7uCopSXd:DgPPMW2hv8zN8LI+qadBLTZKQGNquC5N

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Executes dropped EXE 1 IoCs

Processes:

regsvr32mgr.exe

pid process

5032 regsvr32mgr.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32mgr.exe

pid process

5032 regsvr32mgr.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe

pid	process
5032	regsvr32mgr.exe

pid	process
5032	regsvr32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5032-7-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2276 5032 WerFault.exe regsvr32mgr.exe

pid	pid_target	process	target process
2276	5032	WerFault.exe	regsvr32mgr.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exeregsvr32mgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92a680ce5333a3345222a0473c826364_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\TypeLib\ = "{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense.1\ = "RMGetLicense Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\TypeLib\ = "{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense.1\CLSID\ = "{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\ = "RMGetLicense Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\ProgID\ = "DRM.GetLicense.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\TypeLib\ = "{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\92a680ce5333a3345222a0473c826364_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ = "IRMGetLicense"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{760C4B82-E211-11D2-BF3E-00805FBE84A6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\ = "Windows Media Services DRM Storage object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense\ = "RMGetLicense Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DRM.GetLicense\CurVer\ = "DRM.GetLicense.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{760C4B83-E211-11D2-BF3E-00805FBE84A6}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8AA720BF-7468-4DA1-97DA-66D2E41B3DDA}\1.0\ = "msnetobj 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA69F99-F8FF-415E-8B90-35D6DFAF160E}\ = "IRMGetLicense"	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2988 wrote to memory of 408	2988	regsvr32.exe	regsvr32.exe
PID 2988 wrote to memory of 408	2988	regsvr32.exe	regsvr32.exe
PID 2988 wrote to memory of 408	2988	regsvr32.exe	regsvr32.exe
PID 408 wrote to memory of 5032	408	regsvr32.exe	regsvr32mgr.exe
PID 408 wrote to memory of 5032	408	regsvr32.exe	regsvr32mgr.exe
PID 408 wrote to memory of 5032	408	regsvr32.exe	regsvr32mgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\92a680ce5333a3345222a0473c826364_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\92a680ce5333a3345222a0473c826364_JaffaCakes118.dll
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 528
      4⤵
      Program crash
      PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5032 -ip 5032
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TMD040.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
157KB

MD5
349ae3b8b734f11c55226e86815e45a4

SHA1
422c76c1954ca083a7234c6cd5287ac018613ba4

SHA256
790eda030503f9ffc189aec8f69ba439b5997e7c76661c7c3bd82d90a82d57cc

SHA512
a24d3b9045b11c0213c89035af787d7958c464b0d9f1f5c37874ca2ebf74a9539239d5351e76411ec3e355df899c36bcfe765aa22fccfb41cd830e1404b616cd

Download Submit
memory/408-0-0x0000000074C90000-0x0000000074CE7000-memory.dmp

Filesize
348KB

Download
memory/5032-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5032-6-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5032-7-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads