ramnit | b78a3f3c34e573d38c6d3ff71fd4c6b98c2b1bc98a870e1d819cb5a864981f0c

Analysis

max time kernel
132s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22e853ed125b80f93ad63cf26723199_JaffaCakes118.html
Size

158KB
MD5

e22e853ed125b80f93ad63cf26723199
SHA1

a7dac64690ab46d23427503dd9d9f20ce0ff3467
SHA256

b78a3f3c34e573d38c6d3ff71fd4c6b98c2b1bc98a870e1d819cb5a864981f0c
SHA512

057f7a67bb28521f4dca2c94e1f46dd255c29d98d1551421aa3481a50e0086a1ac264bd54401f31f30026bd096fa5ee99849b06d9c4f3d55dafbf75c547eab22
SSDEEP

1536:i7RTpLp5sZmjcDavtknsyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09wee:iVGWv6nsyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2220	svchost.exe
596	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	IEXPLORE.EXE
2220	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00340000000191f3-430.dat	upx
behavioral1/memory/2220-434-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2220-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/596-448-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/596-446-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/596-444-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/596-450-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxBB44.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440156390"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF0395A1-B868-11EF-94CC-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
596	DesktopLayer.exe
596	DesktopLayer.exe
596	DesktopLayer.exe
596	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1848	iexplore.exe
1848	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1848	iexplore.exe
1848	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1848	iexplore.exe
1848	iexplore.exe
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1732	1848	iexplore.exe	30
PID 1848 wrote to memory of 1732	1848	iexplore.exe	30
PID 1848 wrote to memory of 1732	1848	iexplore.exe	30
PID 1848 wrote to memory of 1732	1848	iexplore.exe	30
PID 1732 wrote to memory of 2220	1732	IEXPLORE.EXE	35
PID 1732 wrote to memory of 2220	1732	IEXPLORE.EXE	35
PID 1732 wrote to memory of 2220	1732	IEXPLORE.EXE	35
PID 1732 wrote to memory of 2220	1732	IEXPLORE.EXE	35
PID 2220 wrote to memory of 596	2220	svchost.exe	36
PID 2220 wrote to memory of 596	2220	svchost.exe	36
PID 2220 wrote to memory of 596	2220	svchost.exe	36
PID 2220 wrote to memory of 596	2220	svchost.exe	36
PID 596 wrote to memory of 572	596	DesktopLayer.exe	37
PID 596 wrote to memory of 572	596	DesktopLayer.exe	37
PID 596 wrote to memory of 572	596	DesktopLayer.exe	37
PID 596 wrote to memory of 572	596	DesktopLayer.exe	37
PID 1848 wrote to memory of 1264	1848	iexplore.exe	38
PID 1848 wrote to memory of 1264	1848	iexplore.exe	38
PID 1848 wrote to memory of 1264	1848	iexplore.exe	38
PID 1848 wrote to memory of 1264	1848	iexplore.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\e22e853ed125b80f93ad63cf26723199_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275476 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57148f6a466ab6c7e8b7b40e02d2ce60

SHA1
f83425aa632f9b6b47f2df83db10eeefcf783eb5

SHA256
67d053ad992b3a3579ca63a75e4f08884997a5d6bc5e01f484613338aa37ba6e

SHA512
6efc96ef82982789931aca1c3347ee8c38778396d6aec6657d07225ea1a989edbb378757defc04225ae585f13baf04c5b6a3663cfa2470c84a366a131723c8ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0abff1566aca530964c7e2e8999b1b2d

SHA1
35264420480a12a3cd5530509bf57dbb383c0d80

SHA256
feb0a1babf212ed0d302daad90993623e6574e690ff4efd94e150d1132d3fdce

SHA512
f0b184976cec58078887d9bc157adfbef8611de83e5b8f4ef9457cd3d10a4c29667bf91d4e05e4b807553aea1fb8fc6d3395bfdc12f659cc73943f5e0589b011

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa49cf8248a134584b6054b507d1ef0c

SHA1
4ccf03da96da98ab31c086979358b571aa2b69da

SHA256
e4a5c976d31999a6ab98421fa142388492d28f657e1166e9061a480c9eb812f3

SHA512
d9019fd417fea2f16fc7212b219e23da31a9974a65d45d72db540e4a441c50d30a2b723fd6d9b62cda88800584f2f1b04a0a83f08b83e9c1b1c715b278453f4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7845c59fd3e45359051d3fb5f9f0205

SHA1
6fecf6a926a7ac4be56ce2ece51ef56604f6105b

SHA256
59bcba599cda1d6048b5dfd7ffac0032781cefa8f8c22f6d270171bc3c51f87a

SHA512
c05f1f8e85d237f95e6c19c0a5674959e0076323567918a6548153d3e9032ded42531a9a75d76efb81c24b469ac480af2d1d72527318e6c075ba8f6462cb015f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6316510fd0693d6baf5c823e9e3948a

SHA1
d2be8c6081a7aa31b6a3d587b3bb070b23230661

SHA256
1d3f259003778e33e13646ffaf52ead7a7a22204d150325450df056763de77f4

SHA512
de53912fe1d2fe4b89cbeac88e4852a3e4a57f5ec8763df4d74eb2ba50252f8708d7a8e790c4be95b696e43ca2e32043756d2065207a1a86bd53078fa8eba3b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
930cef9e99fe2a79d97cc0b56103384e

SHA1
9c833ff20b5cc7feedf2ff3f2427458e18eb8ad2

SHA256
1f4f71176a141480f67230a91503d312167d18619e61cd48be72ba9a68a4d5a2

SHA512
21b60b584d17b9460429b21d5319281ef84acbe12f711c19fdd24f215b1fc5e9b564667f27ab93941b821b3ac133ebf7af03e504a38f2ae5ed4132a48cc16a4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa7b8041b7655c3b455bee0bfd432f62

SHA1
f66fe92a89ceb0b6295dd7df5db17d7849be127d

SHA256
09fd2b5a9fdcdfcf633dede7b5b4b779fe1222e83b14d844e051781da93aa5bd

SHA512
60afc56ff55e2c7f0d7c1e925f229c80a2b174d399ac57ad504323a021d98c04a77e46b7ba7574375d316a41438effcc09a55bffc8acb72e96762e2c85fa0cc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
487e3ab6d357b2370d64490a8d84ea8f

SHA1
a31bcdf0d5e0df03601e4db48d47ff41355a1569

SHA256
47edeede766bf0373ee176bba1f62487ad1fdf2a5b83ac891b0b6a14910c851f

SHA512
52081bd103ba1fe515462dea18e5b30c83b73f7eb52144a04ad444c9e659b37f7ecd87631c20332051e01baadcc68bb97a6b779c3c5a86b2ad5e327964f736d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e0d1ac48236109ecae3a771e63a7b10

SHA1
52ce6b20eca0d5fb41fe97b5b4319fb4ae84d072

SHA256
da442714e21ee2ad30a21c37f85805a5b7e057a4f7b48e3877a77403fe85b219

SHA512
bee48658f34377db485301a7410617f8d1db500c343c50f86e06e4e6063de173920a3e2cec07d62ea1db16425fc4c3229f3929e38d8dcd1da383aa22c2e73f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD03F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/596-444-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/596-450-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/596-446-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/596-447-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/596-448-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2220-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2220-435-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2220-434-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download