ramnit | 3de1963e7b3059b8bdc478488eb223b68809750f136ec59979d4667a69fdc204

Analysis

max time kernel
105s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b86a36df8d86ef63d40fd590498740e0.dll
Size

428KB
MD5

b86a36df8d86ef63d40fd590498740e0
SHA1

d195ee140eea6305d611cd113b09fd9f90bcee0f
SHA256

3de1963e7b3059b8bdc478488eb223b68809750f136ec59979d4667a69fdc204
SHA512

2f739ef10829b120a1559fcfa3a62299111c5f892dbf319c1c5445d2df846730600fea9140d08fe61a7eb91fbded969c0f9eac8165b53b67c76411ff275ea2f1
SSDEEP

12288:epsye6NII3ZecCxJ4SVTk5Je1fHnYBhNOO5mml7p1SuZVf6d6EOGRjO70LvgSnTi:mFBLD4LvNnwJLVg

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
720	rundll32Srv.exe
4104	rundll32Srv.exe
5704	WaterMark.exe
5008	WaterMark.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 4104	720	rundll32Srv.exe	88
PID 5704 set thread context of 5008	5704	WaterMark.exe	91

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4104-9-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/4104-14-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/4104-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/4104-13-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/5008-31-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/5008-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/5008-43-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px55C1.tmp	rundll32Srv.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4084	1608	WerFault.exe	84
5284	3344	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "451414966"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E11CC721-1951-11F0-AA58-7EA8B19A0055} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe
5008	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
216	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
720	rundll32Srv.exe
5704	WaterMark.exe
216	iexplore.exe
216	iexplore.exe
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1608	3456	rundll32.exe	84
PID 3456 wrote to memory of 1608	3456	rundll32.exe	84
PID 3456 wrote to memory of 1608	3456	rundll32.exe	84
PID 1608 wrote to memory of 720	1608	rundll32.exe	85
PID 1608 wrote to memory of 720	1608	rundll32.exe	85
PID 1608 wrote to memory of 720	1608	rundll32.exe	85
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 720 wrote to memory of 4104	720	rundll32Srv.exe	88
PID 4104 wrote to memory of 5704	4104	rundll32Srv.exe	89
PID 4104 wrote to memory of 5704	4104	rundll32Srv.exe	89
PID 4104 wrote to memory of 5704	4104	rundll32Srv.exe	89
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5704 wrote to memory of 5008	5704	WaterMark.exe	91
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 3344	5008	WaterMark.exe	92
PID 5008 wrote to memory of 216	5008	WaterMark.exe	102
PID 5008 wrote to memory of 216	5008	WaterMark.exe	102
PID 216 wrote to memory of 4676	216	iexplore.exe	103
PID 216 wrote to memory of 4676	216	iexplore.exe	103
PID 216 wrote to memory of 4676	216	iexplore.exe	103

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86a36df8d86ef63d40fd590498740e0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b86a36df8d86ef63d40fd590498740e0.dll,#1
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\SysWOW64\rundll32Srv.exe
      "C:\Windows\SysWOW64\rundll32Srv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5704
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 204
        8⤵
        Program crash
        
        PID:5284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:216 CREDAT:17410 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 640
    3⤵
    - Program crash
    PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3344 -ip 3344
1⤵
PID:5156

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
d9e0b437587fc16df735e81bd8664814

SHA1
378e1ddfe081e992f77f85a51fcc607f7f0c60e4

SHA256
71fd77be59db04b79ee56549a4016b972c2b37ffdae785d1eb57279bcff4319b

SHA512
8f64e3065ecbcafb29c68f1804a63cb7e477d8901771a2a283baf041eba3bc4b3ebc2ea8aa5073b22d82388889bfe7912870802c69996c1d13083ea3c8da2c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
bc068c6715a113d726d156ad0880f16d

SHA1
70ef081c8965d6df619bc9653fbc4253188a153d

SHA256
5ca47b98322de0c44f2e4873b342c6b582cc9e911a4fb5f0573f6c1d25a4c3d5

SHA512
e1b4143c700ef9e8bfe07bdce64355f38852bd0084d4362b1d099a2952c7d32ac64438b7926fe62b3320007bada367a6a6269437199fce3dcb8a1bafe7fa120f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
69KB

MD5
3284b0d95ae1f80355da5e04e79a6be1

SHA1
642bbb026f238a4eed9931772869b637621d98c8

SHA256
f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60

SHA512
13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547

Download Submit
memory/720-4-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/720-6-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/720-19-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1608-0-0x0000000064190000-0x00000000641FF000-memory.dmp

Filesize
444KB

Download
memory/1608-37-0x0000000064190000-0x00000000641FF000-memory.dmp

Filesize
444KB

Download
memory/3344-39-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3344-38-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/4104-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4104-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4104-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4104-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5008-32-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/5008-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5008-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5008-40-0x0000000077312000-0x0000000077313000-memory.dmp

Filesize
4KB

Download
memory/5008-43-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5704-36-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5704-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download