ramnit | e05798f1baba0ff63175225d77849e36d3de8fefead6ad0b375c93849ba878b8

Analysis

max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f490c7009c7a6ed72ffc48e781d1803d_JaffaCakes118.html
Size

164KB
MD5

f490c7009c7a6ed72ffc48e781d1803d
SHA1

983cb0a348a190e0d9f30ad01f7b819aa7f279db
SHA256

e05798f1baba0ff63175225d77849e36d3de8fefead6ad0b375c93849ba878b8
SHA512

6945a654927b7f83499546ec87682a2eb194caaec657058ad94575754b2b6ae85d5d1ed266f2cb4c927dfe0bab4ebffd7560fe5f990408706f861e682050a719
SSDEEP

3072:iE3EgzFUeGXyfkMY+BES09JXAnyrZalI+YQ:iuEgzeeGisMYod+X3oI+YQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2476	svchost.exe
2984	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	IEXPLORE.EXE
2476	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002d000000004ed7-430.dat	upx
behavioral1/memory/2476-437-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2476-435-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2984-446-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px34B7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440437618"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78827231-BAF7-11EF-ACDF-5EE01BAFE073} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2636	iexplore.exe
2636	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2772	2636	iexplore.exe	30
PID 2636 wrote to memory of 2772	2636	iexplore.exe	30
PID 2636 wrote to memory of 2772	2636	iexplore.exe	30
PID 2636 wrote to memory of 2772	2636	iexplore.exe	30
PID 2772 wrote to memory of 2476	2772	IEXPLORE.EXE	35
PID 2772 wrote to memory of 2476	2772	IEXPLORE.EXE	35
PID 2772 wrote to memory of 2476	2772	IEXPLORE.EXE	35
PID 2772 wrote to memory of 2476	2772	IEXPLORE.EXE	35
PID 2476 wrote to memory of 2984	2476	svchost.exe	36
PID 2476 wrote to memory of 2984	2476	svchost.exe	36
PID 2476 wrote to memory of 2984	2476	svchost.exe	36
PID 2476 wrote to memory of 2984	2476	svchost.exe	36
PID 2984 wrote to memory of 2516	2984	DesktopLayer.exe	37
PID 2984 wrote to memory of 2516	2984	DesktopLayer.exe	37
PID 2984 wrote to memory of 2516	2984	DesktopLayer.exe	37
PID 2984 wrote to memory of 2516	2984	DesktopLayer.exe	37
PID 2636 wrote to memory of 1936	2636	iexplore.exe	38
PID 2636 wrote to memory of 1936	2636	iexplore.exe	38
PID 2636 wrote to memory of 1936	2636	iexplore.exe	38
PID 2636 wrote to memory of 1936	2636	iexplore.exe	38

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f490c7009c7a6ed72ffc48e781d1803d_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:209942 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9df29e7b0f58aa386dda762789f2e4ac

SHA1
7725b25848960cf25ebbc1876492997a3e8639df

SHA256
e34d686577c8ea1a28216e7048756cf7e1d835c6ca87a16ffe23b4fda1101907

SHA512
b82ec61f316295dbccd70e3280af34bd18a232590b598ac7066fbe595f508fedfd05602c8e98e1b120dedce7f8819efd530043055cce6733c74f83cb73e9cadb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83730c5e21a6307d30affa04009a981d

SHA1
3a28ce5357fc394c6504882df56a803c176e27f6

SHA256
1dc8f9775226891c2bc931f75e0ddc5fb84e59fd7f485b3c48c9fb4de7c4be61

SHA512
176b019cca6e03830d2d3d39702dd4ffd3295e804a45fce1325ce80990f3a22198bbee4c49ecde6d47946eced889bf00b54f3b3c882b3487c20c1affee157d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fdb9782590bc38fe42ea0118d871771

SHA1
d5fd7337024c5923c692722ab6aa92bd0013ba62

SHA256
18194d67c3bbf8bd0fc90b852dc1c32cc8a0e6c198a5689e553a3bbbe5538df8

SHA512
e66b9e8f127ee7ec91a27d57b6e20290cf7b68f171eda849ce7f617ef8fa3eb67c1e60dd567f23d4090983835cd59f4775b4a51d10de7697c7188f05b3f0f361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f301e82632aad5b2e219a6f18d9b119

SHA1
118902a5ecdf8c13b098e14584b02880d2d77ec8

SHA256
cc7dbbc860b39024c8065a73fe2860bc60f89d3737ec292ddb68068788fe9ca3

SHA512
2d93433ae88562a7204fa0734c5af11f56184e4c1031e083e696899a1689c7dcb0eb177cdd71f4570ba3e0b9b87f4de7731e07f655830265953653ce23d5abb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2888c08526a9c2185100b900b3b1c85d

SHA1
026d76a19bfbbbf6b9527bf436b68cc711055b08

SHA256
77ef5ce4abfbc7f3a7ceb69d0e83b520923195ff178f79aa4b9405f742f7d9bc

SHA512
d873aada3eb5ccce6ce32fd3c51daf10c96cd60e04a54899dfa46307af5eea22839f965635934392c393d9225da0696e278d1e592e390044555fe0f8d3df8983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efedd34c0499dae950c3c7ec08485e95

SHA1
e7fb98477f8663340da229a83a82fb97638534e9

SHA256
8227732f8b4f941fe8b05e1893e0cd3820a11f73a5638b27cfe24e1ddef80b5b

SHA512
aa4eb8bc05850608e6b39ad6358493e2072971bfb7499bbb6663bda9100e4520eb0e58d26f1ca5dd4566bbf90a0d6e272be823cfb6348db84826f7e858d9f6d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b9a2a840b91083d424f21f023e15b14

SHA1
e7154b496c3962248f40fc15aa067bd0d7512de2

SHA256
d79111b9553a20078069d91a816daa4517217043b9eee8d434d595c557f6c52f

SHA512
bc95136e1850d23185ebca951a96720495a396d4f268af42732a3b1cb2b44f262b9f2a2b75bf3d6560ce707e750a7ccc2f3fece8d565e336cd84e437fe3973d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9c19c8ed40bab6bafece71cd8f01cb4

SHA1
cf054167685b9625c054b565516b9d30edded71d

SHA256
9df72608bc8648e2cf7cbbb19978e95358409d9a7bb660d64bacda279f0541c2

SHA512
66611b2bcf2f6a0e0cce6614c97a1925cf83c7f612393200a3f36b0973941f12f4552cf61c16707c4dd91cbe6f4a2ddc5be9030516e3ff359e7697dd418d4b75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ad10ffaeb55f67a5797e37dd6f7fc93

SHA1
d257f6235ea3b3d27464bbad9514184098911a37

SHA256
0896f818a219fbab5a3da80a425f0f8f6ab5cb5d77c7e5ecd6ce4f3af0ee957b

SHA512
e2f381b99b134c3b67528802d6fc0e0dd4471a550a93a9f35952ad308fbd351c5c830381e43b3c72d2e2ce452e7ef2673a9b7d0354f1986194ae1f1d65ece6ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4fe7825c38fd8f05679ad259eb77d5b

SHA1
c87252c8348bdad63cd73bc35f02a96baf50956f

SHA256
9a6a4e85495fa3b06169a0af48834e222ca3c551c299647e5b91261e342196a8

SHA512
96897afa07dc656a4f9a8f91a6600fc0710926877609554aaa6c8d32ac2b33f67c87cc6a5d0dbb1c30df0415fd011a723b7c37fad879d1758d70ca9e6d5071ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3d68fb0142bca56f375ecdbea8d7036

SHA1
47cb85d8934b3446f442fec69255ae80de957688

SHA256
dab5959e2a018e19ebbcda26530ae2eb89e42e21ba27f03cb3e0341fc2a963ad

SHA512
0304b00ad2d4f8dcfcaa269ebca537bca3595d3776077657485f5dea3dbe77c69b331788476af90c4b00e7343ad7df3f52c48f6c4fabfd73e4f7fae84d8f16a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5360.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar53D0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2476-437-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2476-435-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-444-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2984-446-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download