ramnit | 1eb6fa51a9017304effc614382481601b25fc633cb198bc7b2cc7e5a5bc5e428

General

Target

JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll
Size

434KB
MD5

6bf6b9971d471f26ead0ddb1338cec00
SHA1

cd639977df6a545e7f8441bf22bd7a77650cdb18
SHA256

1eb6fa51a9017304effc614382481601b25fc633cb198bc7b2cc7e5a5bc5e428
SHA512

d83c5ea16065a085ca2c94dc3c0ca0ac31a81b9b1c6a38da691fd92b82f3ff58e2645960c58d84867673f6d4d159ec7237aaea16a5a85076e038382301f2d25f
SSDEEP

12288:Rn2QK/lGRgOUqmq9kR6lhKXPqljtOBZh1/k7LDm6q8:Rn2QK/cRgOnmq9g6uqKLhlUo8

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
4788	rundll32mgr.exe
2840	hrl7A41.tmp
4392	ogiqci.exe

Loads dropped DLL 2 IoCs

pid	Process
4788	rundll32mgr.exe
4392	ogiqci.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gei33.dll	ogiqci.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\ogiqci.exe	hrl7A41.tmp
File opened for modification	C:\Windows\SysWOW64\ogiqci.exe	hrl7A41.tmp

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4788-11-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-10-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-18-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-21-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-17-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-15-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4788-9-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
908	4788	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrl7A41.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogiqci.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4788	rundll32mgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3916	4612	rundll32.exe	83
PID 4612 wrote to memory of 3916	4612	rundll32.exe	83
PID 4612 wrote to memory of 3916	4612	rundll32.exe	83
PID 3916 wrote to memory of 4788	3916	rundll32.exe	84
PID 3916 wrote to memory of 4788	3916	rundll32.exe	84
PID 3916 wrote to memory of 4788	3916	rundll32.exe	84
PID 3916 wrote to memory of 2840	3916	rundll32.exe	85
PID 3916 wrote to memory of 2840	3916	rundll32.exe	85
PID 3916 wrote to memory of 2840	3916	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bf6b9971d471f26ead0ddb1338cec00.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID:4788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 356
      4⤵
      Program crash
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\hrl7A41.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl7A41.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2840

C:\Windows\SysWOW64\ogiqci.exe
C:\Windows\SysWOW64\ogiqci.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4788 -ip 4788
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl7A41.tmp

Filesize
338KB

MD5
9e5a94f2b4b378b2f50805cdd1efe405

SHA1
e56fce2eedf674218165bdf53da7943f47875835

SHA256
0a7ec6b90c8c4842f8348297b3cb61ec0ed4545e6f33a07089c9470ead25570b

SHA512
21d8095183bfbc582a829af2c1f35c07ce2ebb120bece797f6e067f7c69c86beeaf7911f447d33540290504a8ad0318041743ee17ba2df3099b2729841a22827

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TM7A7F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\gei33.dll

Filesize
9KB

MD5
655d12e373b5891981111e48da1f0a88

SHA1
db346a8879c226b2a6fb13300a8cccb089326b04

SHA256
3eecef36be5dcb9c81ebbbd2eb0bdcd456d81592673fae46f043d5423b8d7748

SHA512
0a27696905df67638e43ae479e376f89657475675711c9d1b292da629520cc36dfafca12232308b232a7ccc3e9e47b39baf1b9d0b597c8d1c6946aa827aaeeea

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
84KB

MD5
a6ee7aab6b8f8268bf9eb763949d5c8b

SHA1
4600e17eb8fa4a11170aaa2c54d98126e58290e0

SHA256
9030a2ec813b5a70b898aacd81378c941bc5f62e78cc1a958f93106ede81228c

SHA512
00569ed578d3f0b535b0c17dc131131e4aaf73b8b5235c70fcf8de649e8a942f48a013e8c687c6abab05a8f7516dabed41309da6ce7c9eb26992183e4794afb8

Download Submit
memory/2840-31-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2840-28-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2840-14-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2840-36-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/2840-20-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/2840-43-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/2840-42-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2840-35-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2840-34-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2840-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2840-33-0x00000000032E0000-0x00000000032E2000-memory.dmp

Filesize
8KB

Download
memory/2840-32-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2840-27-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2840-30-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2840-29-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3916-1-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/3916-44-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/4392-40-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4392-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4788-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-24-0x0000000077E32000-0x0000000077E34000-memory.dmp

Filesize
8KB

Download
memory/4788-16-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4788-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4788-25-0x0000000077E32000-0x0000000077E33000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing