ramnit | fddd8a1155040392de6207873bb353228237ae61f0026a35dba6efd5fdf3329e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll
Size

787KB
MD5

1a1b268d10ffcdc3200a42370ce7ac99
SHA1

ddcf5b4e5350f6af84f1f35072e887909c538157
SHA256

fddd8a1155040392de6207873bb353228237ae61f0026a35dba6efd5fdf3329e
SHA512

82558bbc7f48de0a8a3c5f1eb7d70acb5a06957bc35cda2632c0b22e5503fc21f7e22eab9c5e9d5b7fbef40adf9341209f5eae41a533f6fdfd5ba61e5ef10498
SSDEEP

12288:Q7Cx0aLl21dgY5Ax5q09jpZ4AAf4jB5th6ZgvkoSVRDFLJ+3Y4:Q7Cx7Ll21+g+j1Bd6ZgvwhG3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

2356 rundll32mgr.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1684 rundll32.exe
1684 rundll32.exe

pid	process
1684	rundll32.exe
1684	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral1/memory/1684-9-0x0000000010000000-0x0000000010381000-memory.dmp	upx
behavioral1/memory/1684-2-0x0000000010000000-0x0000000010381000-memory.dmp	upx
behavioral1/memory/2356-13-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1684-10-0x0000000010000000-0x0000000010381000-memory.dmp	upx
behavioral1/memory/1684-22-0x0000000010000000-0x0000000010381000-memory.dmp	upx
behavioral1/memory/2356-21-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32mgr.exe

pid process

2356 rundll32mgr.exe
2356 rundll32mgr.exe
2356 rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

rundll32mgr.exe

pid	process
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe
2356	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 2356 rundll32mgr.exe
Token: SeDebugPrivilege 2356 rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	2356	rundll32mgr.exe
Token: SeDebugPrivilege	2356	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exe

description	pid	process	target process
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1684	2028	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2356	1684	rundll32.exe	rundll32mgr.exe
PID 1684 wrote to memory of 2356	1684	rundll32.exe	rundll32mgr.exe
PID 1684 wrote to memory of 2356	1684	rundll32.exe	rundll32mgr.exe
PID 1684 wrote to memory of 2356	1684	rundll32.exe	rundll32mgr.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 388	2356	rundll32mgr.exe	wininit.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 396	2356	rundll32mgr.exe	csrss.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 436	2356	rundll32mgr.exe	winlogon.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 480	2356	rundll32mgr.exe	services.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 492	2356	rundll32mgr.exe	lsass.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 504	2356	rundll32mgr.exe	lsm.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 612	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 688	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 688	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 688	2356	rundll32mgr.exe	svchost.exe
PID 2356 wrote to memory of 688	2356	rundll32mgr.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:300

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1096

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:1456

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2212

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll,#1
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rundll32mgr.exe
Filesize
127KB

MD5
0ef920d7712d21dda563cab92b29b216

SHA1
643c7ae3eb3e8b89cdeba3bbb15604e7f210040c

SHA256
7cfaf531184febc33eb4c3de5f9bbeb4d946020ed1ad6b7e3fccefd121dd8e86

SHA512
948d74f9b9997354b256fe2b3545a564d5a3683bf274900e92e32d374e2e708685ac1f85d710cf09514cfd9cec4323509fd9598a8620078f074182b384e33bfe

Download Submit
memory/1684-10-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/1684-9-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/1684-2-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/1684-17-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1684-22-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/1684-23-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1684-12-0x0000000000190000-0x00000000001EB000-memory.dmp

Filesize
364KB

Download
memory/1684-11-0x0000000000190000-0x00000000001EB000-memory.dmp

Filesize
364KB

Download
memory/2356-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2356-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-14-0x0000000077D90000-0x0000000077D91000-memory.dmp

Filesize
4KB

Download
memory/2356-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2356-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2356-15-0x0000000077D8F000-0x0000000077D90000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads