ramnit | b4cef6757f3b21b6509ad23736a9230b24955994f7e49eb5b948611a0fed6a6b

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b7cb7db405de10b9787136478eee8a_JaffaCakes118.html
Size

159KB
MD5

98b7cb7db405de10b9787136478eee8a
SHA1

afd8e6435ea93e1393cf81ea7672756c0dad621b
SHA256

b4cef6757f3b21b6509ad23736a9230b24955994f7e49eb5b948611a0fed6a6b
SHA512

50b3d053a78088215d02e6a28174f8507fa147369659f2356db7783749c7cd6f419631f7d148ee2702419d1033cda693997a94a58a485cf84d0461ed345215b8
SSDEEP

1536:iORT+ZZ23567UyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJruH:iEVpGUyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2108	svchost.exe
1680	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1280	IEXPLORE.EXE
2108	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002f000000016cf0-430.dat	upx
behavioral1/memory/2108-434-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2108-438-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1680-447-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px8749.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AA9484B1-AAD6-11EF-9D9B-465533733A50} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438664311"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1680	DesktopLayer.exe
1680	DesktopLayer.exe
1680	DesktopLayer.exe
1680	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3056	iexplore.exe
3056	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3056	iexplore.exe
3056	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
3056	iexplore.exe
3056	iexplore.exe
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1280	3056	iexplore.exe	30
PID 3056 wrote to memory of 1280	3056	iexplore.exe	30
PID 3056 wrote to memory of 1280	3056	iexplore.exe	30
PID 3056 wrote to memory of 1280	3056	iexplore.exe	30
PID 1280 wrote to memory of 2108	1280	IEXPLORE.EXE	35
PID 1280 wrote to memory of 2108	1280	IEXPLORE.EXE	35
PID 1280 wrote to memory of 2108	1280	IEXPLORE.EXE	35
PID 1280 wrote to memory of 2108	1280	IEXPLORE.EXE	35
PID 2108 wrote to memory of 1680	2108	svchost.exe	36
PID 2108 wrote to memory of 1680	2108	svchost.exe	36
PID 2108 wrote to memory of 1680	2108	svchost.exe	36
PID 2108 wrote to memory of 1680	2108	svchost.exe	36
PID 1680 wrote to memory of 2400	1680	DesktopLayer.exe	37
PID 1680 wrote to memory of 2400	1680	DesktopLayer.exe	37
PID 1680 wrote to memory of 2400	1680	DesktopLayer.exe	37
PID 1680 wrote to memory of 2400	1680	DesktopLayer.exe	37
PID 3056 wrote to memory of 2552	3056	iexplore.exe	38
PID 3056 wrote to memory of 2552	3056	iexplore.exe	38
PID 3056 wrote to memory of 2552	3056	iexplore.exe	38
PID 3056 wrote to memory of 2552	3056	iexplore.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\98b7cb7db405de10b9787136478eee8a_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:537611 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab879013b3082f35cc560625f268fa7

SHA1
c214383814e6f9b4b37fc33019ee8b52f1246900

SHA256
f13413575e331136aa67f953bb4145a27273e1651f8a59fb4f6bdbdc87dafa3f

SHA512
7a58a062916936911a08d08a048e6bd39283f042598287f53107e32b2b6228b615ad244d393519129162ca2b9855bd591578480ca2b8dce3dadf73cb103ecc80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b63856f8d367cbb6b627977b7d1812

SHA1
9ae7a0301786ac9f61746bc9c8829944d824fe4c

SHA256
ccea7c58398b862523ebcd7df4e192c129ccd846749521ae40ce50e183992c41

SHA512
ca3b653493e7d76b11e90ad022b376c476a65f0ce224995709b025bce806ab861bca403cf502fe63771d3df68ede005d24190f3b93803bcfdafac58441bf73b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0f5187ab4194ff06895c876e03ace47

SHA1
f92809508ab64bf855d734a455756dfa5e295bd2

SHA256
30d3b47b83f3400c6ba4dd91e91c34b0bfdd4ee33de930fe54d366eb128d2351

SHA512
a87a897267b9a857fa4f5ed56090a9b67260b47d389a4995a8b274bf89a40687c17a85ee4ceaba31730cd21d401af0ae9e7637169d198a21bed1b44a2d05ab03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be04e0e8b39a5d4d856465ae138fec47

SHA1
e1592489810b33dda29826e0ab1204e793eb49c4

SHA256
9b95181cef415b8ab9c423b757736917fb0dcd2efcdd98bec43cae54185bb271

SHA512
59f110b61ebb569680dc5f607fe3cddbc75e95452dcd9510abed34ba4dd79f41cf17e09298b111b457a470848fdb7c5eccd411fe21ef2eb89ab9714bfbf49ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fba5e742a1cca240b0404d6667ce6753

SHA1
65ddd9d124bcc7b169b5e195be71578512af2cbd

SHA256
51d5160d55d06ef4bf23d87cfe6e8d6f22b2a0eceb90a15b87b642d21c28e734

SHA512
7a8dc7e7ad369b51e2a90ceb6bf215a1c3a5fc9420edcefe6d03321fdbf2082ab3cb97ecdb7e2f031155162cce1caf0415198d399372d09b5aeed68035c968f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43486be874cad6cf0b41b12603115f53

SHA1
d6b6c90ea637c7e0e3ab67e5593c16a94e5fff3c

SHA256
7e35f4c7ba46fcfabf0070f4b5f1613c4e85ccd2ba25ba059b28b03da8b1abb9

SHA512
fec14f47252e9e5837bfca03e4bca5fe3da017bab551ddbedf31441440492c3a66389a33e454cedacb1854ae28ccefdd6c9117a9c02c6f9763e9c5392c9aec14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e43b8258a68e2bf4c60b889e20da31bb

SHA1
ce5a651c0e1d93fd5f470bc2b3f319733616124b

SHA256
c880919e5334585146d5f465e6ead4727d0a51132f93a6665746ab24201a4c8c

SHA512
d9c791848cf24282f9c4291cceb9abca0250b8be057215a9b8386f5316d6adcc9077d0ef29452bcd3544a58fb028e793457d8c5d44c93cf6f92784b9f3d21e72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef5b1198f64363a49a76b1e26e62197d

SHA1
6ed136199deab50fee6bc2f3f01850917d49d75f

SHA256
d2dcf11aa67da64b4e86176aedca9d8a3c2026e9d8835422e160040d7f6a6b6c

SHA512
ee52cc53e37dac641a9de2068f10db124cf84e40e9ac5997f7822f673adcf42e820d995cb5113b4b64f5e849b412647dc78da232c6cb1d171d210d64e5dbb639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fb4435ffd5fca1435e0fce3a954084c

SHA1
74e2ae8eb75b6292709e34d012d35c7478c4eb41

SHA256
c93a90adcdfe410dd3afa65b65e4de90567a30122890c959164619a009966b07

SHA512
4e94681adf74f38dce4bd50083038b6a75fb06b6e2533fdd704287d6839606924252479e229ebc971c2799feb6d426da2e4f3dfb6f0e8f0cb34aaa2761a4c103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acbdd2e5a58faf02af208d56c9aad1a1

SHA1
ea2a242862369f9bc8519837d75b91d04c3777eb

SHA256
d89a63000545a26ad7db5da684c5022a54544b4023017f465e5bc5d36eb93ea4

SHA512
63e3d50e77617bd0303ba21c65c554d52a208d972c48673bbf2278cdb07c56981212f0e23a7acae9046a7e5c69a07bc7a7be7e6051b92f3bc5cf11615c279470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97cef3da0454a79e26d2bef3fd94b562

SHA1
359dbf0c95ecb30efae907e64fb5078ce879dcda

SHA256
2667920f1fdcd9637f72aaa6c55a3f813541897fd5b21ded04d0c5398cd32f21

SHA512
39b554541c5c68e0d61a739d0fbd2b26ed479526a95d89ae2139c778b5162968476d8c9af73d29cb4d1b195cd9cf2693800292f2349b4eedd5cfa9f5ee25f067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D6A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DF9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1680-445-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1680-447-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-435-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2108-438-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-434-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download