ramnit | fbfd677c0d09fe28c0933cdce9f503d02ba474b9198fc3977971f9e0fb2f00e3

General

Target

JaffaCakes118_6607bec622b3ec7c13395e5846c10399.dll
Size

380KB
MD5

6607bec622b3ec7c13395e5846c10399
SHA1

26623e9f4c09f3c41c0f32032fb3e8b393cdb18b
SHA256

fbfd677c0d09fe28c0933cdce9f503d02ba474b9198fc3977971f9e0fb2f00e3
SHA512

1822cbd3cc5a5851d8ecfe994f4e4e85a4f25d7ab94e3391882ea861fd723984393d70a05260aebf4b7de460f887e43bc15a2029219c01363ab594327cc44404
SSDEEP

6144:84y8gOl29x2QpFc87KWMeWpCddo7uaOiRRUJ1g+HlfLzgAU9oF3:hy8g5pnhk2o7un5J1VHxfgDyF3

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
2264	rundll32mgr.exe
1680	rundll32mgrmgr.exe
3752	rundll32mgrmgrmgr.exe

Loads dropped DLL 3 IoCs

pid	Process
2264	rundll32mgr.exe
1680	rundll32mgrmgr.exe
3752	rundll32mgrmgrmgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe	rundll32mgrmgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1680-24-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2264-14-0x0000000000400000-0x0000000000475000-memory.dmp	upx
behavioral2/memory/3752-27-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Program crash 3 IoCs

pid	pid_target	Process	procid_target
368	2264	WerFault.exe	83
3404	3752	WerFault.exe	85
2752	1680	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgrmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 5008	3928	rundll32.exe	82
PID 3928 wrote to memory of 5008	3928	rundll32.exe	82
PID 3928 wrote to memory of 5008	3928	rundll32.exe	82
PID 5008 wrote to memory of 2264	5008	rundll32.exe	83
PID 5008 wrote to memory of 2264	5008	rundll32.exe	83
PID 5008 wrote to memory of 2264	5008	rundll32.exe	83
PID 2264 wrote to memory of 1680	2264	rundll32mgr.exe	84
PID 2264 wrote to memory of 1680	2264	rundll32mgr.exe	84
PID 2264 wrote to memory of 1680	2264	rundll32mgr.exe	84
PID 1680 wrote to memory of 3752	1680	rundll32mgrmgr.exe	85
PID 1680 wrote to memory of 3752	1680	rundll32mgrmgr.exe	85
PID 1680 wrote to memory of 3752	1680	rundll32mgrmgr.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6607bec622b3ec7c13395e5846c10399.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6607bec622b3ec7c13395e5846c10399.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 10176
        6⤵
        Program crash
        
        PID:3404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 10184
        5⤵
        Program crash
        
        PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 10184
      4⤵
      Program crash
      PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3752 -ip 3752
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2264 -ip 2264
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1680 -ip 1680
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TMA2A8.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
289KB

MD5
d07edbbae9a308d8651654640f6cd7f9

SHA1
c4374cf595579be79e330f631c3c1916eeec03dc

SHA256
f4d649051332e6ae71b07bc430008b80940d6b5941a804a45d3a0e55aba43057

SHA512
08b77c8b567a018a17b00c141a8551aa0e6879df70c7c76c29214846824e75ca9120d042545a1ba64e031958e5f51ddf60589eb265c5b0607826dfde1458af70

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
191KB

MD5
fa0191c6ae7da8f0b4d86e96dc650fa8

SHA1
3e8d50738555bb0c6bae8f63ea76dc1534ae07c7

SHA256
43fa6d485c7834067e5d9cc223b902b2ed629494dd7d19528ee093a180608fae

SHA512
6a9469c3fe620e93afdb2d040e011f249bddd603584d56836565de9b6c4ad0f3bc28471c5c33793a066d97b1272351b4e13fc84fa666b9d4d29ffe8101e7ae64

Download Submit
C:\Windows\SysWOW64\rundll32mgrmgrmgr.exe

Filesize
94KB

MD5
8b5f2036288762602f2916929b1ab9d8

SHA1
351a0157960c3b009a9814a6e8b7f788ba798988

SHA256
55751df54d8d54e5bb8edab83bd57fd599b2e9aa313233d6aa084cde167e6951

SHA512
41a45bd5ff492cf2a01ad156f763854b1d5371d1a41cee4cad977c4ff25a561c1b3fbb067463e2b7278ac6878af139ff7fd695bed1f5883516a70031e9758bc1

Download Submit
memory/1680-24-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1680-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1680-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2264-5-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2264-14-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2264-11-0x0000000002080000-0x00000000020F5000-memory.dmp

Filesize
468KB

Download
memory/3752-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3752-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-0-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing