ramnit | fa52dc3e1e2645eaec969002e8e7201739a7199fd470a10ebdec3db45c290f53

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe
Size

181KB
MD5

403f7a4243beff2210937ce1c9cacde0
SHA1

72282827ccd52b19241cdeb8bacd22cbf9372c23
SHA256

fa52dc3e1e2645eaec969002e8e7201739a7199fd470a10ebdec3db45c290f53
SHA512

f570af3f55e00c81d55c7b0f0cb0536d435addcfd04ed2e70e52c93fdf601351bbc73aa173d6c3ed74d4f6f00e9de943aceb4a894b6d46fa97f8f9c49c404e68
SSDEEP

3072:M+o3ToKq3PBaXyduQef+amHCJlIhbXrB/4jQaDQuG6Wxbt:QjzqpaXydCPDIl7BwZDwR

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
3008	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe
2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-4-0x0000000000290000-0x00000000002BE000-memory.dmp	upx
behavioral1/files/0x000c000000012263-2.dat	upx
behavioral1/memory/2264-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3008-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3008-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3008-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px866F.tmp	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA4F1DA1-C7D4-11EF-A02E-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441852062"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3008	DesktopLayer.exe
3008	DesktopLayer.exe
3008	DesktopLayer.exe
3008	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3032	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3032	iexplore.exe
3032	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2264	2516	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe	30
PID 2516 wrote to memory of 2264	2516	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe	30
PID 2516 wrote to memory of 2264	2516	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe	30
PID 2516 wrote to memory of 2264	2516	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe	30
PID 2264 wrote to memory of 3008	2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe	31
PID 2264 wrote to memory of 3008	2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe	31
PID 2264 wrote to memory of 3008	2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe	31
PID 2264 wrote to memory of 3008	2264	JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe	31
PID 3008 wrote to memory of 3032	3008	DesktopLayer.exe	32
PID 3008 wrote to memory of 3032	3008	DesktopLayer.exe	32
PID 3008 wrote to memory of 3032	3008	DesktopLayer.exe	32
PID 3008 wrote to memory of 3032	3008	DesktopLayer.exe	32
PID 3032 wrote to memory of 2780	3032	iexplore.exe	33
PID 3032 wrote to memory of 2780	3032	iexplore.exe	33
PID 3032 wrote to memory of 2780	3032	iexplore.exe	33
PID 3032 wrote to memory of 2780	3032	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_403f7a4243beff2210937ce1c9cacde0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3032 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2c43c54395440c054ddc6ed865cd701

SHA1
656d63726669e880e2bc0c40ea8bbf55aaad4102

SHA256
e2d2158ec83a236bee8e9d6c6865a9f2db8bb9956aa301157eee90ddc42210f4

SHA512
7a7c22d6e4405395186272be3607fa432b6cdb37cb80b6789276cf6fa3b7aa949b76b0de880b92f32157eed764f57187f1c75df2aed00e4f394df3c20bffda51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67d9fdbd8a18779cf7b6c6678cc72fc5

SHA1
87ae5a0fe5c191c84da50a1b598bc47c6a8914c4

SHA256
fd8c571f09b1a84d28366873f2284c5f41fd489129e7ab1a4c8478500bcb2e57

SHA512
ba778a728471f295a4462f27eed65f02a79644823024c55215d3394d3373cc0e2c1322ba9883df41b74a44492b4404d2f04fe0f3d8399b5576e6c60f577d2900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e70c7e8739eda87a784e100e75d940d9

SHA1
17d37cdaaee8d5fea0bbd6ccdc9cf98003609229

SHA256
9fbfef0a3dbe5ce556315bc123fbb6df4d88b00e1b1fae8000c1dea6b765951c

SHA512
fee848c31f6954e3a480d104f35915879b217b0c53f5044754f53e57ad89e9e20b75b9735bf7ec01748c9a16a6c9d9f4a519891be38bc8885f6d4b48231a6af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b8f73f05d2e8da1fb025c657eee780c

SHA1
1bd55b1df8a0d3bc0132b7ba80d0f51fe9cf27ce

SHA256
6d6c565d517b120ccf7d27b6fa752fae6be63b8d5ccf49f04dc99ddf1289c908

SHA512
88abb8f826da965b1b64c24b918a2193c3db63f74313d5c73b74f4b0a4542d188658f748232744b01ec63bb83ebd62ed23be5c71989f34a68d3a61c5b9b80ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86d16c76d587cf4454b0b8a99ee5b349

SHA1
b108293fc1a782a20d770de72a29eee8ae6b2fc3

SHA256
af6dafc664b15aa20560763efa08ed539bf78ab6509a0558be4885fb2ad83e12

SHA512
d177c1c7141c2229a5c46126100a0a76e174d333ef7093de8e6203619eeb659dd56b0737a9f4a705264c89cff9b18c6d089725bd06aab75f2ade1953b106eaa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14d74a05f4c07affac345b9ee5ef1beb

SHA1
ea4d840df9e27e560f42b1f9c9f5d4127c7168d1

SHA256
160d75acc2603abbffde4f7efb43756639c57922b233d5a86d3470b47b5e80c4

SHA512
616322342d33094045b03d2d791c3931a0a1fa2c2026a197cc69dd789b1fb65c22944434d6f93af6e75a3a25e6fba97106455b3cf39767b9894d05e83b3d9b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8af77d7e21a7692504019766adea286e

SHA1
ea63344639f2403c0808651ec0e7f87157483fda

SHA256
336ed727b0cddd79ad24afa91c51da8da7487bf50fe3eacf4122a04a8a80bfc4

SHA512
a246cc2e469b9260dbbf8eab4939922c1d75476c0ed7a8e17403653d16077efb18079e85e1417563b56a44bd02cc9a40d6bb70fa1961f7e186f09d6a9f15d91c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b98677df1095a941253ac14a6b275121

SHA1
e7e0fe211ac9df76e0faeb5298b9c7670c4f0426

SHA256
c601a2950d4675356c9e735abdad0caf9293c22f4f5936e2bfae95fc71ed74c0

SHA512
acab5083b61eb334719911c54d120af9dd5938f2eb6a4765de6cb47b6d28275fd3e832fa026cbe1ef256184ae5c10922bab27dda62d0e2b22d93659777887cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64b9369fb963d5d0465a9ad5dc65e541

SHA1
06fb16bdaa7354a47482321b912926f1b11ae833

SHA256
1709c99c68922fa044e0afd8dcf2e4e0bc4aac4d25a4c8c33fd0ff9fcaee0d84

SHA512
36a859a1ec8e526e9c0af1feaa1b03637f2f610a4aef5558d0935212e819663209653c997fd89698f27d9e71e7ffc0c1b3da36b4d28e77465ac028362d1a6fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e2a9e451cae2f5af66dbca3b1fb328b

SHA1
73f7b01ace404a7465560d5d58c6d6e83bdbf5b1

SHA256
91d478ced30507ca7b50bb0adb623c72de38c1d27c9062b540814ce5d80b40ab

SHA512
d0533cc41b8709274ff3b82686a4ee0367262e082ab2800c45ededef157f26e911f77df09c328e1b6db29d22a264ef54629bb1b907bfd6c6a5180a7148d13fc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79660829a53d97c7a32e966e1396c175

SHA1
410f93db8b881de794a4ac77958020aa0dcd76cd

SHA256
e54b051ae28c35009638ec32471c6d8b48d50e03a788b5393f2761ca6f3be41b

SHA512
7600659d96d1404674faf61b44151383872efb9d1336a3b160ed6d26ba78805903466a08312ca854a15bb019c65c156b673444bf7ac4533246c5c7efe4e5fbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB3B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC24.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_403f7a4243beff2210937ce1c9cacde0Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2264-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2264-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2516-4-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/2516-0-0x00000000010D0000-0x0000000001108000-memory.dmp

Filesize
224KB

Download
memory/2516-343-0x00000000010D0000-0x0000000001108000-memory.dmp

Filesize
224KB

Download
memory/2516-22-0x00000000010D0000-0x0000000001108000-memory.dmp

Filesize
224KB

Download
memory/3008-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download