ramnit | 4d50c7bf89ffb7db0c01fe43a715a9bddddae1f55e0d13c439a640daf4225e76

Analysis

max time kernel
66s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea389a3b847d173293621951056781a3_JaffaCakes118.html
Size

192KB
MD5

ea389a3b847d173293621951056781a3
SHA1

42ef48aad41ed6dfc4b94ff92b1b0d02930d867a
SHA256

4d50c7bf89ffb7db0c01fe43a715a9bddddae1f55e0d13c439a640daf4225e76
SHA512

a7e20b5a258e92f05bec39ea0c4d3f7dade1406911b1fe195a8fddfdf220f5a93cc95a9f659bd839f016d5cfe67de8e52f641c28fd190df754662cf3b5e96b44
SSDEEP

3072:S5gYxtrsrtyfkMY+BES09JXAnyrZalI+Ye47uM9f7UL:SaYxtrsr4sMYod+X3oI+Ye4pf7UL

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/884-434-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/884-441-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/files/0x000e0000000194bd-440.dat	upx
behavioral1/memory/884-439-0x0000000000400000-0x0000000000436000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{795775C1-B917-11EF-9D09-F245C6AC432F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2772	iexplore.exe
2772	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2836	2772	iexplore.exe	30
PID 2772 wrote to memory of 2836	2772	iexplore.exe	30
PID 2772 wrote to memory of 2836	2772	iexplore.exe	30
PID 2772 wrote to memory of 2836	2772	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ea389a3b847d173293621951056781a3_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
84KB

MD5
cc9104bc71a23e14787188f3634a4d05

SHA1
0b537406933abc1738ef32b96069961d024f1b8e

SHA256
aa797033a44b0ab42e6428552b5e85bc735c84082493f63b4b3ad0843859b28c

SHA512
023b9655cef044082ceb44c6644d834e4ba9af088843674cc8e816cb4f4981bf0958b0c82002c1597c8818e57af0f80d4cf3ab771e68af5a33cff752363c7df3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eed6ed265b769379bb3ee508907bc3e7

SHA1
ca98d8331c40a08185ea6356ded4ec7f7fac4e5e

SHA256
04aee9b79df76cf9fca301faed4360f97ac9e3ad08074a128ca99a071eba8ecc

SHA512
f9fea41f224fd3f70de1a25f2da2054b402d61635d9483664aa3f83fea808c90c2939ce56f83dba4d55cbe48be7bd854c0428d97cd4e3bec3f6515daba8ef1a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a13e29e1b0eac897f8d28ffb9e3a663

SHA1
567abbe9a6aa2a350cc75d6ad93219b292ccd350

SHA256
69771fd3ff580cd08e1a39f054e9691dbd2ace2f953c1d3dc8398d994000eccc

SHA512
cae7f1e271c667a85f8a2203285902d04c436bcd53ad43502b509324636f710a470045c03d6cd0fd82ff3f7a13aafd30992a025c87010c3653cf8d7ed084fbfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93ad35b5763588fe2be83452fbfa65c5

SHA1
2854dfa099bbda4ae2355bd3618a2d013f9d525c

SHA256
de195e2b24c6a50599a4ef27646af882f91fdef6dc6bf50f509bc730648272b5

SHA512
c091e81a88a4edab20e36b2cc7623bd10ec7e7c92e9d49543f34b978f847a2cdd3739c53638741b2f971a003cd3108ec694570512926b6bc3b365e2aa96443db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f40ae14c7837af24539585ffe1f50368

SHA1
aaa650c7ae7d1fe081954f527d67afac46786aa6

SHA256
b306fe479f95280744ba202514ef3f261d962f7c8ba8a54180b8709aad0a66ee

SHA512
d5c878462a2b2d42d0a7677f3668438c8caf008125ce1bbb64f60ad1eb9ca49252262427c1b8930606a3500e603167ebb9ddb2f9719736cb9c8306b24b553fa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
198c7dad2d1e3887a7725afea493fae9

SHA1
9a6447e1b16cf088be6f2e259a6651af8f94724e

SHA256
b5a86537496ab6be7a9eaa6ad102c1cfaff08c784fb3bb621eee0d293a1d7f0e

SHA512
a7bc1458f2c32c0754ac28f9b45b9b6ae5da9321c7c7155c4172b5951f37f6547faffd06cbd19bb69e0ec19d6006db997b35117b0bb138c1285d5f9976681c88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5a2776c4aeffebe65ab156b4fe141e0

SHA1
e760e1aaf2294c78c6ba3e56b846395ba28aec5b

SHA256
7569a3feceefbfcdcd9744bd8a4516c64d2c6692cbb2db9e6a45fc13b48f3fde

SHA512
0c6d258fa379bf0ae30640ad9cf4f717b8728c38aaf6d3548691ed522852bead31654df175787c264c9eb612209805fe7495f58ea13724affbd5477e7b749b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60951070ff154f3cbb43fc7fa18a725f

SHA1
50f2e7c33d17c953e37c9c3336b2a246be437792

SHA256
ea024359d0f42f247e62576a05d4504e74a8ee66a27eb0131478a3a72f07973c

SHA512
6513f69791d7c69180b9606788e068561bcd4123202c54e2e9a718fd0075dc94b08632944cd3d857073dcd5187c9ced62c865c89954906d35416cddb1f870516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f8f8868bcce950dd103d6dcd4f8a3bb

SHA1
09b461bacb87909be9e0b1fb9aea3a5a59b941da

SHA256
6387222a0dc8d77211aea7c78f557f1b349e28952595a1525ba9b16f6e5e4e23

SHA512
1b9d9ccdb15e29c2f6412dc1c5cf787f6ee3fff30d4f26c741f35c6528fa34ecddc197f1ee94a3a8f8f084bb4688dab1aa5055f763edc75e278a3b9c660cf085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
989b3a8bd5a15e4c817463738206bf0d

SHA1
42b63b42342c4e378b9c716ce2fa2be5c5c9010e

SHA256
fe72fd3ef43b0d834c7dbb95835f2d30191942f1604742a41fbe589561047bd1

SHA512
978a8055a4fbdb55d91ad3638c26a6c02aeabaa0027156c57353707710fdd9dea5d8544e4a68c366445f167c47242134aea81e01e6315c38ce45961736a65b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e27058aa7e0aa39e84ff67ac17fabd0

SHA1
99af03e5171a79c730c1d8ee01e0bae4f79485e8

SHA256
dd43bb2b6efdf81c7c5354ebd375603c972050d7e4f19928b4bb170b725c41a0

SHA512
d219c47c278d67ebb127dce8f62bf7940def97f32772f21a7992deba5d88b0b62c5578d45e52ab0706b5deeea38519dabec25f685c6d2addf58839ff4d8d50a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
541eacb4fe389f245fbc382795faa6ff

SHA1
a0cbfa4211ae06aed851801f79853ea7e0176658

SHA256
e3e1be8bda3eb42ee01802c14e822577c80eb6bf2ac962fe380cb3ec429ee189

SHA512
481b9afd17a4997603b5b9da12d67d6c1f1fcda30523d665f06ba4b920ce15fed907edc9fa130efc10d6c3238424bffc13ff78a2ddfbbe3e2a37ae3bd790ff36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64d6838da8e970f95062fdbf5c417f28

SHA1
a4cf81bc786bb5f6c943253ca64340c5957c9fd8

SHA256
0a25c0e6a7d081db8c4d3215842cd4a4678f7385b3ecf92bc40a38d581568399

SHA512
5dd4975d315409082cd6b607168fe878ed83f4521d5aa710b98a70ff465f5ed89b4685180163482736e5dbfab5db836b25c9732bfd2fb5d1678a3a209b569b3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e49ba2f6e025a25fba4aa3f8e49c428

SHA1
8f24c2100de1b02ea43d43c3a7f966de23ae5800

SHA256
e13dce89f1913b53bea8a0cfe0cde3ec8e789d2b485fc7a8458b31390513ca71

SHA512
2e7303912508f3b2be6023da64558a6703f805a096faec4eea3102fc212a272e92f2589616064c56e1f16d9e651a9e822a3b678f3d98563c1d4a4c67412cad88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcce27c75def94e21ba51abe291240a4

SHA1
346b7eb80312c347df42f09751d6027c50f68f57

SHA256
b79ef833ded5c7dfecc3a03d39a070e54963b7a077f6d13e5d59090e4092ebe4

SHA512
d7a8cdd2dfb50a3a9d5e591944e098a231defaa0217ad390066d8019ca6c97dc7aa11e1b51fb2876b9ee95b23dd98a3d7944ab9565a940bc1e5400aeb67a4f02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28231fddf715f8c415bc2bff131e4c6f

SHA1
c8c723f38ea2c2bcf8e926fe845e011a658ae039

SHA256
3523eac63ba71eb6798c638500be13897df74c6d8b922142657b8af0bbd6dd06

SHA512
a8dfcba197a32912cb570d703dc85d29ae3f9d7212df8a388197b9783a50d63387c792002980d367d36ccf77fa73f89a068be0e7fa89e983563c6845ed796988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d6de40371ca35757599a08352630460

SHA1
a333eb77e56daca9fe6a150e295ecd2a222ffbec

SHA256
7f15de49619f65f5cca9a456acf64c8518a4850d2d2398c84293b00b2277b8c5

SHA512
94f8c934f0257c3e22b1967321356d05906c2d76bd4c221ea60809f70fda05d876c6fabaf202bffc26e3b6ff06a05ea05708bdeeaa2fa735a04316e41d6447f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d0fbe46fb6a6ab4ade7aa92d6907ae7

SHA1
01161b3dcfd5a3826ade769105712f6f245267b6

SHA256
f3901351dfb1e9a1e031cae27a94e13d8c2e200b2a148179b449ba276ae8b0e5

SHA512
af81e5b5a785a3f32532f82438cf9dbe2b0daa4657d084dee6f57d185563a75666da05b821d36f900b1c289abc6e914887fb9538b3b356f104a5260261d3a5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3060b860c4623e6dc7c67a57bcc501f0

SHA1
181a8c044e8dd04e3471620e85ae64aed64f4171

SHA256
6de9da0cc6177a68c303f53f16b2b7cb1539345856d138d4631b0e145a4fe000

SHA512
ff6d040dc038bbce591fa15511f6e54157da2f63f4bd293bac5851a731fab2224d917ea23e547093b25d868f872d057023f1a8d567b56f3837a4e6197f73054d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98058e5f1188fcbc4d12e0bd7c31a944

SHA1
11e0e750462ba6ee75b97ad899402f317c2ec98f

SHA256
f1b53ba21080a01ec12b47a83b0262125dc34c93a44b58936145602bb671bd79

SHA512
ee451f13c4261389001c4859f966101ae27218b32a8bb4d7c0b13be2807d10fdb13e67086b61cb6170bf8deb13e2282f92c78cd67729585f85f0d2c05f9dcbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF172.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF221.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/884-435-0x00000000775DF000-0x00000000775E0000-memory.dmp

Filesize
4KB

Download
memory/884-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/884-436-0x00000000775E0000-0x00000000775E1000-memory.dmp

Filesize
4KB

Download
memory/884-437-0x0000000000440000-0x000000000044F000-memory.dmp

Filesize
60KB

Download
memory/884-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download