ramnit | a30632f77ef9942d20ca201115af2275e86e2cdc593f877b62c5b202ef44d4e7 | Triage

Sharing

General

Target

JaffaCakes118_61fe0a37b0de1bc3ce52aec777073cb9
Size

103KB
Sample

250102-chbt7azkgk
MD5

61fe0a37b0de1bc3ce52aec777073cb9
SHA1

d06c021be37a026bf9b9270806353fe9a1cfb254
SHA256

a30632f77ef9942d20ca201115af2275e86e2cdc593f877b62c5b202ef44d4e7
SHA512

9c4368d0df25ac5b96d1900f7a67419805f0df7a14d0a53c4c7f73cdf367462a9fd42bcf0943bf5f712aa6475eded42e5f26578d5e03ba415073d8fbc7d4bf5e
SSDEEP

3072:RIVVK4jGRAMhi8lWODGuIkFRXMFn1hLjQW/:RIVVKefMhV0ODGuIKFMF1hLjQ

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan worm

Malware Config

Targets

- Target
  
  JaffaCakes118_61fe0a37b0de1bc3ce52aec777073cb9
- Size
  
  103KB
- MD5
  
  61fe0a37b0de1bc3ce52aec777073cb9
- SHA1
  
  d06c021be37a026bf9b9270806353fe9a1cfb254
- SHA256
  
  a30632f77ef9942d20ca201115af2275e86e2cdc593f877b62c5b202ef44d4e7
- SHA512
  
  9c4368d0df25ac5b96d1900f7a67419805f0df7a14d0a53c4c7f73cdf367462a9fd42bcf0943bf5f712aa6475eded42e5f26578d5e03ba415073d8fbc7d4bf5e
- SSDEEP
  
  3072:RIVVK4jGRAMhi8lWODGuIkFRXMFn1hLjQW/:RIVVKefMhV0ODGuIKFMF1hLjQ
Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerdiscoveryevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerdiscoveryevasionspywarestealertrojanworm