ramnit | 09020a8d64e1bfa4e061c63c3250fc4cd563e96a625e0d2a6cf0f1a658c33547

Analysis

max time kernel
90s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe
Size

111KB
MD5

1e54f5f969cc19fde67ba03e92694105
SHA1

2a3840d9cfa01738846247b51c38e40dd67adf3d
SHA256

09020a8d64e1bfa4e061c63c3250fc4cd563e96a625e0d2a6cf0f1a658c33547
SHA512

233e1b7bb3cc10cc8bc309640b135dec28754c5f5dade0c2219422d3de128be054b38c5c50c68211c6de9030584cbbeef99af6fbe8b1a31c2ce228732134faff
SSDEEP

3072:7kYvLxQxIa+DvY+1j2qOix4J2vNbGfvGnd3gW5ZM4/uci4+D:7Hx0AQ+40NdndPZMTch

Score

10^/10

ramnit banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

rjcjfapncnukfcjf.exe

pid process

3180 rjcjfapncnukfcjf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4400 940 WerFault.exe svchost.exe
3344 3612 WerFault.exe svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe

pid	process
3180	rjcjfapncnukfcjf.exe

pid	pid_target	process	target process
4400	940	WerFault.exe	svchost.exe
3344	3612	WerFault.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426064115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8D22CC6E-383D-11EF-BCA5-D6AA8B0874BD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exerjcjfapncnukfcjf.exe

description	pid	process
Token: SeSecurityPrivilege	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe
Token: SeSecurityPrivilege	3180	rjcjfapncnukfcjf.exe
Token: SeLoadDriverPrivilege	3180	rjcjfapncnukfcjf.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

IEXPLORE.EXE

pid process

2900 IEXPLORE.EXE
2900 IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
4500	IEXPLORE.EXE
4500	IEXPLORE.EXE
4500	IEXPLORE.EXE
4500	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
3236	IEXPLORE.EXE
3236	IEXPLORE.EXE
3236	IEXPLORE.EXE
3236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exeiexplore.exeIEXPLORE.EXEiexplore.exe

description	pid	process	target process
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 940	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 2128	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 2768 wrote to memory of 2128	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 2768 wrote to memory of 2128	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 2128 wrote to memory of 2900	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 2900	2128	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 4500	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2900 wrote to memory of 4500	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2900 wrote to memory of 4500	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3612	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	svchost.exe
PID 2768 wrote to memory of 3152	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 2768 wrote to memory of 3152	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 2768 wrote to memory of 3152	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	iexplore.exe
PID 3152 wrote to memory of 1124	3152	iexplore.exe	IEXPLORE.EXE
PID 3152 wrote to memory of 1124	3152	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 3236	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2900 wrote to memory of 3236	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2900 wrote to memory of 3236	2900	IEXPLORE.EXE	IEXPLORE.EXE
PID 2768 wrote to memory of 3180	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	rjcjfapncnukfcjf.exe
PID 2768 wrote to memory of 3180	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	rjcjfapncnukfcjf.exe
PID 2768 wrote to memory of 3180	2768	1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe	rjcjfapncnukfcjf.exe

C:\Users\Admin\AppData\Local\Temp\1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e54f5f969cc19fde67ba03e92694105_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 204
3⤵
- Program crash
PID:4400

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:17416 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 208
3⤵
- Program crash
PID:3344

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
3⤵
- Modifies Internet Explorer settings
PID:1124

C:\Users\Admin\AppData\Local\Temp\rjcjfapncnukfcjf.exe
"C:\Users\Admin\AppData\Local\Temp\rjcjfapncnukfcjf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 940 -ip 940
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3612 -ip 3612
1⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rjcjfapncnukfcjf.exe
Filesize
111KB

MD5
1e54f5f969cc19fde67ba03e92694105

SHA1
2a3840d9cfa01738846247b51c38e40dd67adf3d

SHA256
09020a8d64e1bfa4e061c63c3250fc4cd563e96a625e0d2a6cf0f1a658c33547

SHA512
233e1b7bb3cc10cc8bc309640b135dec28754c5f5dade0c2219422d3de128be054b38c5c50c68211c6de9030584cbbeef99af6fbe8b1a31c2ce228732134faff

Download Submit
memory/940-10-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/940-9-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2768-1-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-14-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-6-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2768-7-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-2-0x000000000042A000-0x0000000000438000-memory.dmp

Filesize
56KB

Download
memory/2768-3-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-11-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-0-0x000000000042A000-0x0000000000438000-memory.dmp

Filesize
56KB

Download
memory/2768-15-0x0000000077562000-0x0000000077563000-memory.dmp

Filesize
4KB

Download
memory/2768-17-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/2768-18-0x0000000077562000-0x0000000077563000-memory.dmp

Filesize
4KB

Download
memory/2768-4-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/3180-27-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/3180-31-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download
memory/3180-30-0x000000000042A000-0x0000000000438000-memory.dmp

Filesize
56KB

Download
memory/3180-34-0x0000000000400000-0x0000000000437C84-memory.dmp

Filesize
223KB

Download