ramnit | b31f9e879f925d8673689b81d13d704b394e11b0a42c07b240a028e515d15b66

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Size

168KB
MD5

1a8aa62af9b15a08d02d77923c2fce81
SHA1

6e88b873b56a23a7c8e53fef9e4ef00695caf72b
SHA256

b31f9e879f925d8673689b81d13d704b394e11b0a42c07b240a028e515d15b66
SHA512

c19f22e2b5b10e5c19031dcf97a042b7df088fa9fd3fdc67edd91106448867a409516b5232c1c94229784cfc831b72a4efcdc289d64db6d2dffa2e16a800673b
SSDEEP

3072:8kVD1BSqao9c3HwsanTdgyOxsP+f+D5/oOh+9oKTMEFFJIeC6Pbl3UVaz0lm:JSqjc3HsTaxoqWl+jIEPC6DRXz0Q

Score

10^/10

ramnit sality backdoor banker evasion spyware stealer trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid process

3532 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid	process
3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3532-8-0x00000000031D0000-0x000000000425E000-memory.dmp	upx
behavioral2/memory/3532-3-0x00000000031D0000-0x000000000425E000-memory.dmp	upx
behavioral2/memory/3532-17-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-16-0x00000000031D0000-0x000000000425E000-memory.dmp	upx
behavioral2/memory/3532-12-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-11-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-1-0x00000000031D0000-0x000000000425E000-memory.dmp	upx
behavioral2/memory/3532-7-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-6-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-5-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-4-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3532-27-0x00000000031D0000-0x000000000425E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4952 3532 WerFault.exe 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid process

3532 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
3532 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid	pid_target	process	target process
4952	3532	WerFault.exe	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid	process
3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
Token: SeDebugPrivilege	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid process

3532 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

pid	process
3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	pid	process	target process
PID 3532 wrote to memory of 768	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe	fontdrvhost.exe
PID 3532 wrote to memory of 772	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe	fontdrvhost.exe
PID 3532 wrote to memory of 336	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe	dwm.exe
PID 3532 wrote to memory of 2536	3532	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe	sihost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a8aa62af9b15a08d02d77923c2fce81_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 476
2⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3532 -ip 3532
1⤵
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~TM4594.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/3532-16-0x00000000031D0000-0x000000000425E000-memory.dmp

Filesize
16.6MB

Download
memory/3532-19-0x0000000077A6C000-0x0000000077A6D000-memory.dmp

Filesize
4KB

Download
memory/3532-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-20-0x0000000077A92000-0x0000000077A94000-memory.dmp

Filesize
8KB

Download
memory/3532-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-18-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3532-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-8-0x00000000031D0000-0x000000000425E000-memory.dmp

Filesize
16.6MB

Download
memory/3532-21-0x0000000077A92000-0x0000000077A93000-memory.dmp

Filesize
4KB

Download
memory/3532-3-0x00000000031D0000-0x000000000425E000-memory.dmp

Filesize
16.6MB

Download
memory/3532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-1-0x00000000031D0000-0x000000000425E000-memory.dmp

Filesize
16.6MB

Download
memory/3532-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-6-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-4-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3532-27-0x00000000031D0000-0x000000000425E000-memory.dmp

Filesize
16.6MB

Download