ramnit | 5ee02f22e26369efa70b1e020ac6fd2557800c4870095f7776e36a6eb78f041b

Analysis

max time kernel
129s
max time network
130s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b57c95399c7eb522d668c9b47e883f_JaffaCakes118.html
Size

158KB
MD5

f3b57c95399c7eb522d668c9b47e883f
SHA1

3a7c17257b0dc13d52bdcc7c54c9d8307f02819a
SHA256

5ee02f22e26369efa70b1e020ac6fd2557800c4870095f7776e36a6eb78f041b
SHA512

7ca1ec07614ca24afbdc9283c9e4d900da97beacd4452ee8a95f50d49078d1fca3fb15912dcd0a99cf5c80bbe9dc9894101ad77695f3d5cf8057295d73825bf2
SSDEEP

1536:ipRTdEwI+BsCbTyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrk:iPzBsCbTyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2248	svchost.exe
1936	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	IEXPLORE.EXE
2248	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003600000001961e-430.dat	upx
behavioral1/memory/2248-434-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2248-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2248-436-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/1936-447-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA3CE.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440422640"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97BA2A81-BAD4-11EF-A9B2-6AA32409C124} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1936	DesktopLayer.exe
1936	DesktopLayer.exe
1936	DesktopLayer.exe
1936	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2316	iexplore.exe
2316	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2316	iexplore.exe
2316	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2316	iexplore.exe
2316	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2840	2316	iexplore.exe	30
PID 2316 wrote to memory of 2840	2316	iexplore.exe	30
PID 2316 wrote to memory of 2840	2316	iexplore.exe	30
PID 2316 wrote to memory of 2840	2316	iexplore.exe	30
PID 2840 wrote to memory of 2248	2840	IEXPLORE.EXE	34
PID 2840 wrote to memory of 2248	2840	IEXPLORE.EXE	34
PID 2840 wrote to memory of 2248	2840	IEXPLORE.EXE	34
PID 2840 wrote to memory of 2248	2840	IEXPLORE.EXE	34
PID 2248 wrote to memory of 1936	2248	svchost.exe	35
PID 2248 wrote to memory of 1936	2248	svchost.exe	35
PID 2248 wrote to memory of 1936	2248	svchost.exe	35
PID 2248 wrote to memory of 1936	2248	svchost.exe	35
PID 1936 wrote to memory of 988	1936	DesktopLayer.exe	36
PID 1936 wrote to memory of 988	1936	DesktopLayer.exe	36
PID 1936 wrote to memory of 988	1936	DesktopLayer.exe	36
PID 1936 wrote to memory of 988	1936	DesktopLayer.exe	36
PID 2316 wrote to memory of 1988	2316	iexplore.exe	37
PID 2316 wrote to memory of 1988	2316	iexplore.exe	37
PID 2316 wrote to memory of 1988	2316	iexplore.exe	37
PID 2316 wrote to memory of 1988	2316	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f3b57c95399c7eb522d668c9b47e883f_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:472082 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d7564563690aaffc564bc015ed8d1ec

SHA1
a6f1527d5ee78fcaf720b26bac835f2340781248

SHA256
f5b8dd778b371291b37528d9e68fcb1df3d6fe9e763aa70872bf443ec2c8117b

SHA512
bd0d5d1e3247defd87e811cb774149d8261d166d421637030c9190323a625fcd6cdf3464ce6b8173143bbdfc80e917f0834149ef35b11020f95fd7b09458742a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da4903200fa52aaff1c3e905f9d5446e

SHA1
7670d35b03092a381a2bbe02c477753b7e3d33d1

SHA256
6eb64959c6ccdfc6ae2b622c17e8339b2631452c37cd16c938d49293c8b38c32

SHA512
0bcaea46a3c24efe70d4e784641f21e5a45067ef5f2df78642a10f3a65c69ee7a319cb2cc33a20c50eef46047cc4a5d2e0c53173f3688e1c6c625cc00a3df431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99e9aaa46131cebb6867946598f04408

SHA1
a7d12e76ff85cfad75b086330e8140a30fe6b2f5

SHA256
046d81e31a307d006f9b87c84c7a74d8a07c0b7c31f640bd866a5706a7b62b3b

SHA512
53a0a1398d494f352b8de603438889cba2f262b8d3a8b6162a91d5881f352e755455368e841c6b270444c022a528b3e4af808a23d9d5eef63902ad026dca1fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b49293c755f0435c3366ea9a8c6d8990

SHA1
2e078be62ae4896be51844723b5d2451bf20b58e

SHA256
ae9fe07120ce97ee49757a8a062487b72c60158ff17abdbd0b6802aece39972f

SHA512
c426947a08f85c821b3b71537867ccf980b017ad966aa6cc960e66f8948047c153c25bf73e2b3656bc1797ce3942a8463f8e1d801217ed8904d7d631dd8e3c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ead4b022fef70f5ba5a4089ecf30d1

SHA1
9d54d77519171ccd59dd91023609cecd9a4e9268

SHA256
bc396d3dcce46c1ac0729736e02f0023d1d949b0aa951a2748a9a3a09cf4a484

SHA512
d5df8956151796af948e88666c57437ae3fa43fdc96e6d78ba944dabcefd6968fd883dd557c1ad079735555fc9e8fef6dc1313cb264f76cce34d062e2ed1a081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99a65672840b90edbc5bc568f619b0a7

SHA1
3732859339adef25f0398f8d18458710b7e48483

SHA256
ba06c8aeafd3c90aed198392fac753c06639d0468563f9a381a555841129aa8e

SHA512
dcb5ffd683e74d61087195421327d233df35e572ac7af3d793d4fa34dfa2a82539163dd70f31c6cedd7845f7c047aff4b48d0b41ae2c5cee8af3d33194d059d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3efd66b8ee48dd6112b07ee6b3b27f8

SHA1
c18655d07d6cf450a78e1a247c7ce38351a547aa

SHA256
564daafa651bf5561a668109f951fc0bb9cecbea29f68decae66414d61268c08

SHA512
4017b692605cfc0af511a7115d1efba4406a07151411b0db936bcdc8c02c507483bcae9971ed163fd7d00a45d19f6dc719a12f88f211a6af88d2a695f8ab255c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3658cbb079862362ca9a51dfcb449677

SHA1
953cdbd2fd0dc903ffcc2fb972510eb408794cf1

SHA256
7fd84c97b80c9bb150d47080e7657469b5dc0353b6ee4a969d80c50173c5c33e

SHA512
903dc2c65eaf65e53e9046a23b1f4d23232fb1be60f27be8759e69d854f3a6099b46ae9b528b64d8f6fdc2183c8865865972d9645ca63ba9ebde1045385374c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
436f7a2e1203dfbde84991f00c2eaa05

SHA1
9b28b5beb041190578f3ccbfa08962351d5d7c20

SHA256
77181d7f7a1531db4d0d8c372072bcd520ecc2bfb651398129497a714b7bd0d0

SHA512
14510e9325b5c2d261b72c4dbb52322b1ded893fa403a6212bd3ea9a3a727626278cf70321b7d9b4af1d84d9705ed4b0c41ad78743eb8e820ac710d5ef42dc40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e12bc9d51bba5f567c9b310981fcebb9

SHA1
50703b7b97e05e3da7c305c4af4052cafa10e194

SHA256
3d6a3b71e2d783aa0c639d3f1730fcf8bc89a8cef4a3d1eb98961d54e767bd31

SHA512
3edeb1918c3e940d663f2f4f49c8e541e599479cdef4f95dda62bcc4ae1e322004385e1bdb8e33aa9f44e01eaf3faaaa868ad7b9bdd2ee59061cb0c77869bf66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f62daf34379926be2d2333f1c72ff7

SHA1
89e4f1acb82f8e9ee703a0652464cb83e42be169

SHA256
8d5c00582a3064e5587b6cadc281be33b7b810363479c16972d93241b225e38d

SHA512
abb8153e4f699c622bd4f1ee6a416ae1e4dcc7ac59708c7df5b7c28e48e72b386abf2a30f836e356ad353a99a716c0e1291b391f2d6f004800a91012ae29eeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC4F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC586.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1936-445-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1936-447-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2248-436-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2248-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2248-434-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download