ramnit | 812cb4006242646e120310a2076dc89107f030de4c072fe8c03b6be9113c65e9

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
Size

127KB
MD5

ec5e03453c9c2a5443e1c4ecfb31e9e4
SHA1

e3a0b92a72851432250e749ce735b30fd85750bb
SHA256

812cb4006242646e120310a2076dc89107f030de4c072fe8c03b6be9113c65e9
SHA512

a2b9d78c0c04fab8b5bc9825fc95a834e27560f3e99860b2d43a56de3addec3a2cfb8efbf842657f904b12a929d1c65b6f70dc0492acf184b0e8821383b2fe2b
SSDEEP

1536:9OC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9TfBi:9wV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1128-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1128-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1128-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1128-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1128-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440268876"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94A57821-B96E-11EF-BDF2-7E918DD97D05} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2496	iexplore.exe
2496	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2496	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 1160	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	31
PID 1128 wrote to memory of 1160	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	31
PID 1128 wrote to memory of 1160	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	31
PID 1128 wrote to memory of 1160	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	31
PID 1128 wrote to memory of 2496	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	32
PID 1128 wrote to memory of 2496	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	32
PID 1128 wrote to memory of 2496	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	32
PID 1128 wrote to memory of 2496	1128	ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2028	2496	iexplore.exe	33
PID 2496 wrote to memory of 2028	2496	iexplore.exe	33
PID 2496 wrote to memory of 2028	2496	iexplore.exe	33
PID 2496 wrote to memory of 2028	2496	iexplore.exe	33
PID 2496 wrote to memory of 2240	2496	iexplore.exe	34
PID 2496 wrote to memory of 2240	2496	iexplore.exe	34
PID 2496 wrote to memory of 2240	2496	iexplore.exe	34
PID 2496 wrote to memory of 2240	2496	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec5e03453c9c2a5443e1c4ecfb31e9e4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1160
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:472067 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fbc563f7eb30aeee1dc3b18f53ceba6

SHA1
359f25ac49289988f637cf72eaa8bdca190326dc

SHA256
c10521364dd6197102651946cc01a4ebc45e51e4bffab61f74d6519f09c893ec

SHA512
692c4e5a130a76a15dfcddff0e6c4883036806918dc2a5fc2160eed505243665cdb714ca2c42c32b3a0861fe705985b38fe52eef6f48a0243099bc312d852f11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f65e4bcac118159c31d62a8e98ba886

SHA1
28c937bc9a6834e0e902b3be33ea70ab8b2cef06

SHA256
ef58f353087a9f676d8fc372c6058f83ad45b91af5153c68df07d21aa09762fa

SHA512
2e9c8d3dadf05e8b6f6875b735e902ff0a66ef37b968a12ad5de1aeb190aeb301bb355de3fdced52a116014b9f577f7314d865e481204812241c0693975e745e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a281e984b8ad8fcb98cc427f3bb2f4d

SHA1
da5397f31d9d2d408f7a28dd7d6e0b52bec8c1aa

SHA256
209fcaba51eb1ff4ebd4064243ee4c9b31ae53b53d6898bb059cd755b7785483

SHA512
eab51b69c5cc2d1d54d53bb98dbad1be89e2dc78892f3fa26e139fca1bc40bb99d9da88c01fa8817ddf7ca1289fb45665b2c73c9099fc419270f478a076fd700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3b384b659bee70b3cbe5ca02941046

SHA1
1b18e8dbc61021ea770f5551bde8ac2736b05469

SHA256
b19ff4cd997e4927c0630bef894f945b504d09e359e0e1b8fb0061ff69d8c3c3

SHA512
506cc514c648fbc869df93dc49e2d240c044ceefc9a7a27991800394ee9e5f7629449aef674f058392d166b5539d78e14fa8c6447c27374255708d317f94b00b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44b2d24410204202b1351e071cdf4d88

SHA1
0af153c7ac885e224c37fb2c9e44453e56b35b1a

SHA256
be66fbc5644e29259cf5355fc292f8c2dec0b8b38410fffdac05ab37e1fe1d82

SHA512
5635b644a9b933ba51b9f7eaf66839d2d47dd9c92a706f5d367a1964d9498720c8e65f8103d870dd06b321cb8f67ea2b0e3967e5d12359ba6ea2bdb0aa61c3ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be577b67c24b56e4264f10784248347a

SHA1
3292b8326ef2090dda722bf5aab13a1486b2c463

SHA256
b4ae1ae647b33c4f391faecb6c0d94ade47157b6145be68ef83eeda3411c8869

SHA512
f2d09a6d4690cf774fe6dd584585b2e48eba2222865784a3a6a31b44f8b7f6b3c0a5b0ca355b172c9ea37ffcf2040c6e98725f4e15315dcc5e60ea58730eb231

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93a47591c69dffc265402c8c8ebcffdd

SHA1
6bb6e37a75a3cdd5a7f9c9ace40fe1bada72995d

SHA256
2ecdade813a3d34a1741a3343cc07cb94c55164e15e79f941330012ef46ce99e

SHA512
01942e809128b1764957f4243df7556a57c2c368fb8b6bd3f63dbf38f519b0db923642ca6ad1eaa3a4f3eb874ec0dab6473b7885a22cd83bdd2e58808d1d8caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3909fa15706bef88357f458e48940e1e

SHA1
5c9d314ae6df64f3a53abfc37a45e8a35594a976

SHA256
b6511ffb4d3d24621f127f22338a7e536c048fd757a6d6c97367efcb50ab857c

SHA512
b56617cf1eb744b2ea556c641425196e3b580c9d38678485e077cb2743e881ca916f3c8c644f82e5742d09dcb5a9890a987c4a691db9f4bf52f33bb2fa7c1b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75257ca0158ad49c22f204cbb80ce1fe

SHA1
5c72d5f3a5330eba408a3f25264b636f69dd0b9d

SHA256
204db93fe2945835438d42323102fd2b4b4dcb5506c49d06528b16d068ca21ba

SHA512
ca776bf01306ec95451a951464e9cfb3cced6c24ff0016eade2d281386980f777cc978b720866141a7259f481a53b628f6f694fcc3a539297a1ccd02fb5b3a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE541.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5C2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1128-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1128-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1128-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1128-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1128-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1128-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1128-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download