ramnit | 1e3818ca8b66cfae092f94e6a55c840759d28ac76d08bc5eb2b7e5f3b8c3ad73 | Triage

Submit
Reports

Overview

overview

Static

static

3

17e5f525e5...18.exe

windows7-x64

17e5f525e5...18.exe

windows10-2004-x64

Sharing

General

Target

17e5f525e5c5853a71f3238ee0a12e41_JaffaCakes118
Size

113KB
Sample

240627-28mf2szekk
MD5

17e5f525e5c5853a71f3238ee0a12e41
SHA1

f4bae783f1a5abae35c5ef8e6ad87bd1ed099004
SHA256

1e3818ca8b66cfae092f94e6a55c840759d28ac76d08bc5eb2b7e5f3b8c3ad73
SHA512

1fd3d915c9a1d6b6e57b941006b2d78a2fca2890fff401d15c7c35f634c59abf2b129ece39354872a0e2bbc80dc325be1781d8a616931aa48986a83f6a5b7096
SSDEEP

3072:kE7YdXFjJHu5puorSE5/fTNjliDs+TseWBy2D5:p7ITcFrSE5/LVlms+weWBBD

Score

10^/10

ramnit banker defense_evasion evasion persistence spyware stealer trojan worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

17e5f525e5c5853a71f3238ee0a12e41_JaffaCakes118.exe

Resource

win7-20240419-en

ramnit banker defense_evasion evasion persistence spyware stealer trojan worm

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

17e5f525e5c5853a71f3238ee0a12e41_JaffaCakes118.exe

Resource

win10v2004-20240226-en

ramnit banker spyware stealer trojan worm

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  17e5f525e5c5853a71f3238ee0a12e41_JaffaCakes118
- Size
  
  113KB
- MD5
  
  17e5f525e5c5853a71f3238ee0a12e41
- SHA1
  
  f4bae783f1a5abae35c5ef8e6ad87bd1ed099004
- SHA256
  
  1e3818ca8b66cfae092f94e6a55c840759d28ac76d08bc5eb2b7e5f3b8c3ad73
- SHA512
  
  1fd3d915c9a1d6b6e57b941006b2d78a2fca2890fff401d15c7c35f634c59abf2b129ece39354872a0e2bbc80dc325be1781d8a616931aa48986a83f6a5b7096
- SSDEEP
  
  3072:kE7YdXFjJHu5puorSE5/fTNjliDs+TseWBy2D5:p7ITcFrSE5/LVlms+weWBBD
Score

10^/10

ramnit banker defense_evasion evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Safe Mode Boot

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

ramnitbankerdefense_evasionevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerspywarestealertrojanworm

© 2018-2024

Terms | Privacy