ramnit | d57d4ffe738d908dfb69694bb0dcde9a78519ed86494c8f002835673ce1d2906

General

Target

JaffaCakes118_b24c7398af0e444a4081e455d80a6651.dll
Size

234KB
MD5

b24c7398af0e444a4081e455d80a6651
SHA1

10506c5e669ac33e57ff5806b7d98648479dad07
SHA256

d57d4ffe738d908dfb69694bb0dcde9a78519ed86494c8f002835673ce1d2906
SHA512

e0bcf67828421804f0072fa6c635eb1458f77e2010ba1e6684da6cc4b92c89b1753051e6c59603d50036aef5f300d6e6f49ed9f571a37b387435f22e9b5c6c8f
SSDEEP

6144:QqK86JU5xhG+npxA1oGzDK/0OlEa6ETMhS5yfZahy4yYAVt/GS:FK86JmG+YzDKMAEa6SMw/hypYA//GS

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
5272	rundll32mgr.exe
4128	rundll32mgr.exe

Loads dropped DLL 1 IoCs

pid	Process
4128	rundll32mgr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5272 set thread context of 4128	5272	rundll32mgr.exe	89

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4128-9-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/4128-13-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/4128-12-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/4128-14-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	4128	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5272	rundll32mgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5220 wrote to memory of 2208	5220	rundll32.exe	84
PID 5220 wrote to memory of 2208	5220	rundll32.exe	84
PID 5220 wrote to memory of 2208	5220	rundll32.exe	84
PID 2208 wrote to memory of 5272	2208	rundll32.exe	85
PID 2208 wrote to memory of 5272	2208	rundll32.exe	85
PID 2208 wrote to memory of 5272	2208	rundll32.exe	85
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89
PID 5272 wrote to memory of 4128	5272	rundll32mgr.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24c7398af0e444a4081e455d80a6651.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b24c7398af0e444a4081e455d80a6651.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5272
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      "C:\Windows\SysWOW64\rundll32mgr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 296
        5⤵
        Program crash
        
        PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4128 -ip 4128
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM8201.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
169KB

MD5
9ab7e251afa8bfa4c390573239ba892b

SHA1
b0a4219bdfb689a7be1c2500a80a2e8a3eb128fa

SHA256
17b354d9e702155a8e58e15ba7cf978a7b9391e609800b33462d2e79bb5b67f4

SHA512
7e714234d08472d7c29cf12971f00371296044978020608f7ee0b988d0c7fedffe502c3f92abb3d09dedec42a821b756d004693dad02cde7f8566f964679cd22

Download Submit
memory/2208-0-0x0000000074F50000-0x0000000074F8E000-memory.dmp

Filesize
248KB

Download
memory/4128-9-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4128-13-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4128-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4128-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5272-6-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5272-5-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/5272-19-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/5272-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing