ramnit | 5650241f11ce2b5ba60daf57c1ebdd7f4fc474bd665de8b584e20ae49eaee99b

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
Size

97KB
MD5

0575f0df1ee321d86b6cd0fc3b5c01ea
SHA1

ce8317c732f3aea23a9147c4a95a7b189c857ff0
SHA256

5650241f11ce2b5ba60daf57c1ebdd7f4fc474bd665de8b584e20ae49eaee99b
SHA512

e8d012e3aaaf79a7800a60f356604c115c72f67b345952f8babb59c2d80356a694e8b05c07b463c4d8ea5119629472540d1f720dc3263b74dee471e471579b4e
SSDEEP

3072:RSovDE/VxvSumPXcmCahoxWjwaaHw7Koj4ruR:pDE/xmPwaL

Score

10^/10

ramnit banker defense_evasion discovery persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\cjugvent\\kpmsgetg.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kpmsgetg.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kpmsgetg.exe	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
380	cukqigvqbnfckqdk.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	svchost.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\KpmSgetg = "C:\\Users\\Admin\\AppData\\Local\\cjugvent\\kpmsgetg.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe
2780	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
Token: SeDebugPrivilege	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
Token: SeSecurityPrivilege	1704	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeDebugPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	380	cukqigvqbnfckqdk.exe
Token: SeLoadDriverPrivilege	380	cukqigvqbnfckqdk.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 1704	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	31
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 2780	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	32
PID 2328 wrote to memory of 380	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	33
PID 2328 wrote to memory of 380	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	33
PID 2328 wrote to memory of 380	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	33
PID 2328 wrote to memory of 380	2328	JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0575f0df1ee321d86b6cd0fc3b5c01ea.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks BIOS information in registry
  - Drops startup file
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\cukqigvqbnfckqdk.exe
  "C:\Users\Admin\AppData\Local\Temp\cukqigvqbnfckqdk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cjugvent\kpmsgetg.exe

Filesize
97KB

MD5
0575f0df1ee321d86b6cd0fc3b5c01ea

SHA1
ce8317c732f3aea23a9147c4a95a7b189c857ff0

SHA256
5650241f11ce2b5ba60daf57c1ebdd7f4fc474bd665de8b584e20ae49eaee99b

SHA512
e8d012e3aaaf79a7800a60f356604c115c72f67b345952f8babb59c2d80356a694e8b05c07b463c4d8ea5119629472540d1f720dc3263b74dee471e471579b4e

Download Submit
memory/380-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-95-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/380-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/380-89-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/380-90-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/1704-22-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-23-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-15-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1704-14-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1704-20-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1704-16-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-7-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-21-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1704-9-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/2328-27-0x0000000077C1F000-0x0000000077C20000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x0000000077C20000-0x0000000077C21000-memory.dmp

Filesize
4KB

Download
memory/2328-36-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-37-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/2328-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-24-0x0000000077C20000-0x0000000077C21000-memory.dmp

Filesize
4KB

Download
memory/2328-86-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/2328-0-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/2328-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2328-13-0x0000000000400000-0x0000000000438F20-memory.dmp

Filesize
227KB

Download
memory/2328-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2328-82-0x0000000002250000-0x0000000002289000-memory.dmp

Filesize
228KB

Download
memory/2328-83-0x0000000002250000-0x0000000002289000-memory.dmp

Filesize
228KB

Download
memory/2328-67-0x0000000077C1F000-0x0000000077C20000-memory.dmp

Filesize
4KB

Download
memory/2328-71-0x0000000002250000-0x0000000002289000-memory.dmp

Filesize
228KB

Download
memory/2780-30-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-98-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-62-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-59-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-48-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-54-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-47-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-38-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-57-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-64-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-97-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-99-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-100-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-101-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-102-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-103-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-104-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download
memory/2780-105-0x0000000020010000-0x000000002002C000-memory.dmp

Filesize
112KB

Download