ramnit | 906023b80330b4b4a9753e8e057057d78ddd581bdf68e0fb32370168758d1125

Analysis

max time kernel
130s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba233ec539415611df7e510a7817e30_JaffaCakes118.html
Size

354KB
MD5

fba233ec539415611df7e510a7817e30
SHA1

0c923ccf25e9c95b20e6b82d0c5fd0873211e50a
SHA256

906023b80330b4b4a9753e8e057057d78ddd581bdf68e0fb32370168758d1125
SHA512

a7a2641397b54acd009fb5cf20c39dc3d9be8a0dc30fda99b5bd57f0eba1a4d3262dbe34995a56a5f4453cba845e06b8f9c344d38c34e3ef0f9b875dc8414324
SSDEEP

6144:SGI0WLsMYod+X3oI+YqsMYod+X3oI+YXsMYod+X3oI+YQ:A5d+X3u5d+X315d+X3+

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
2324	svchost.exe
3064	svchost.exe
2480	DesktopLayer.exe

Loads dropped DLL 3 IoCs

pid	Process
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2324	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000016cab-2.dat	upx
behavioral1/memory/2324-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2324-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3064-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2480-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA60F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxA5F0.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440688683"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{054252E1-BD40-11EF-B985-56CF32F83AF3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3064	svchost.exe
3064	svchost.exe
3064	svchost.exe
3064	svchost.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2116	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2116	iexplore.exe
2116	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2116	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3000	2116	iexplore.exe	30
PID 2116 wrote to memory of 3000	2116	iexplore.exe	30
PID 2116 wrote to memory of 3000	2116	iexplore.exe	30
PID 2116 wrote to memory of 3000	2116	iexplore.exe	30
PID 3000 wrote to memory of 2324	3000	IEXPLORE.EXE	31
PID 3000 wrote to memory of 2324	3000	IEXPLORE.EXE	31
PID 3000 wrote to memory of 2324	3000	IEXPLORE.EXE	31
PID 3000 wrote to memory of 2324	3000	IEXPLORE.EXE	31
PID 3000 wrote to memory of 3064	3000	IEXPLORE.EXE	32
PID 3000 wrote to memory of 3064	3000	IEXPLORE.EXE	32
PID 3000 wrote to memory of 3064	3000	IEXPLORE.EXE	32
PID 3000 wrote to memory of 3064	3000	IEXPLORE.EXE	32
PID 3064 wrote to memory of 2968	3064	svchost.exe	33
PID 3064 wrote to memory of 2968	3064	svchost.exe	33
PID 3064 wrote to memory of 2968	3064	svchost.exe	33
PID 3064 wrote to memory of 2968	3064	svchost.exe	33
PID 2324 wrote to memory of 2480	2324	svchost.exe	34
PID 2324 wrote to memory of 2480	2324	svchost.exe	34
PID 2324 wrote to memory of 2480	2324	svchost.exe	34
PID 2324 wrote to memory of 2480	2324	svchost.exe	34
PID 2480 wrote to memory of 2848	2480	DesktopLayer.exe	35
PID 2480 wrote to memory of 2848	2480	DesktopLayer.exe	35
PID 2480 wrote to memory of 2848	2480	DesktopLayer.exe	35
PID 2480 wrote to memory of 2848	2480	DesktopLayer.exe	35
PID 2116 wrote to memory of 2920	2116	iexplore.exe	36
PID 2116 wrote to memory of 2920	2116	iexplore.exe	36
PID 2116 wrote to memory of 2920	2116	iexplore.exe	36
PID 2116 wrote to memory of 2920	2116	iexplore.exe	36
PID 2116 wrote to memory of 2828	2116	iexplore.exe	37
PID 2116 wrote to memory of 2828	2116	iexplore.exe	37
PID 2116 wrote to memory of 2828	2116	iexplore.exe	37
PID 2116 wrote to memory of 2828	2116	iexplore.exe	37

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\fba233ec539415611df7e510a7817e30_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2848
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:472069 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:799748 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cece8ebf312d7ed26b4f85dcabbb3ad

SHA1
c1f56fc10ecf0cad3d988ea6102099265954888a

SHA256
89099bcf9c96e9e1929c68d977c0507334627fa0873f2bbc14de6374d0b39a15

SHA512
4226bec2cbe279d5ab00695961db2770aeccc2718665b438ea3685cafc4fcc1997b8c309301e6e016f7b200d31d9bd622d54561ccc5b12d0e587c99265163f37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96a4b27705f9d8b2ff1042bfa9b5bfe9

SHA1
7e912296946468248afc427598ee8c11813a37fc

SHA256
64ceeec893483fb5449979827a2b28afc5317fc0ccd4e56118e43327c05e16e1

SHA512
47e9103d4fbb549d9f1ad10da5fc3a085efbc79d208957933548e59747e3eb297dfb39a388b655ddfcccbba5216eed3c08b09a4fa502eb385b135e05e196ed99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f655781f139e49423ca8594fd13472ba

SHA1
9a96210905a7dc777e26183f9e21a87f466b6d87

SHA256
7670b0d1b46984ed818d2ec2454ac91130f63354bad252fda38c1d28e9b0ce72

SHA512
deb8d76e64dcd7a2da8d1030ac20e606eaa6cabf23b2dcb15eb7cb92a711027ee66c1f82913d701f6a00b4bc7f3a638390296822858592f2b08865e09ed6706d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17470ef8f39dd78f80c306e1dd86393f

SHA1
f474d37d17f07f46e3931a351b62d524c33f387f

SHA256
f2c3e33c8b9e8d371fe96d1bc283d4ee228f8c9acbc387de49c3fe75a64233dc

SHA512
ad9335e0599bcc163d3fc489ace7d6a3869d88cb2d363452a23590124f23fb8fdc42faf131348a07002ba8801601fb7bd72074b104cf8276d659c4cd6305c64e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ef47a356d92c5711fbb54f2951838b6

SHA1
a9640609a762bef3a74ddf2b630b8af2cfedef9a

SHA256
8c35e1cecd12f3a6a401acc80dbde2e7719c708b47dcb05348e0ec3308bcaa48

SHA512
cd0ed69df7dc24b9435418ef11db1444df4bb097c2938615de2855eee4031c2258cafdc87b5cdd5412084b70e24a2bd99e650d44122bd8bbb61b97d3995ad2c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39bb6f2ef96ad7cffdbf9082ac4c7ea2

SHA1
d76a59385aa5dbdb5aec93148649bcd35d965532

SHA256
87ce026612bb831f6ad8afe508cbbdf836ed87a4fcf3db07984d46d840692fa7

SHA512
3b8769adf2fbcec84e37fb67b58e253953866ecc7a874f966e10d23ef81df34d5dab6c5dea3fb38b2e5a4675731ee6a7715809393d6ea987d57f54f2cfa7fde0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c45d639ebbcbc43066429b8fd44dbd9

SHA1
9264fbba53dcb99fc5be8857ac80923bcdd96603

SHA256
a91a647854c606de6008c683db534990017158e42f1c2f53504af5e25d4c977a

SHA512
3d4d814ef54a422e1b09d4fc5af4ab46fc94e288722eb3e71848113cbc5a7755f0f1fc47bfd9c6b4cccf5639854e9a9471f2d58c24f23a94ae16986ec5d9d07f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaf148b94ea0c67ee4d7641ea4d59836

SHA1
f8d02cbc90600a2eaabdfd8c2d5367dc0ff7904a

SHA256
75f44619e302f1159576dfd4416c8991f316e845000615ad904364188f6b9438

SHA512
9136215fa3b552b06580e27562ebf9eeae65bc205c6b557a0866e3daa7c4e0b6715bcec41a1416c458406ce45b6a5da754dd1be634c87687e740343529215546

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA047.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA105.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2324-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2324-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2324-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3064-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download