James_inthe_box

Ramnit

Sep 2nd, 2017
Sample and other info:
https://www.hybrid-analysis.com/sample/8be30a1c015b36cea789f830466362f64fc6589238e24343816decef6ba3394a?environmentId=100
https://packettotal.com/cgi-bin/view-analysis.cgi?id=1ac871b3cf3197d0fd26dc7acf0a3668
https://threatintel.proofpoint.com/sid/2018558

After execution it dumps itself into:
C:\Users\<username>\AppData\Local\<rnddir>\<rnd>.exe
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<rnd>.exe

After reboot:
Injects into svchost.exe
Fires off to several DGA domains (ET sid 2018558)
Modifies several registry settings, pretty much nukes MS Security Center
Sets a TRUE flag (am I installed?)
Sets userinit as another method of persistence (by my count I see 3... this thing REALLY wants to run)
Watchdogs svchost and will restart it if terminated
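Added example, not part of the paste: a small Python triage helper for two of the persistence spots listed above, the Winlogon Userinit value and the two drop paths. The sample values, regex patterns and finding labels are my own constructions; the only fact assumed from outside the note is that a clean Userinit value points at system32\userinit.exe (a trailing comma is normal there).

```python
import re
from typing import Dict, List, Optional

# Stock Winlogon Userinit value on a clean install, lower-cased for comparison.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed patterns for the two drop locations the note lists.
STARTUP_EXE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
LOCAL_DROP_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\\[^\\]+\.exe$", re.I)


def userinit_extra_entries(value: str) -> List[str]:
    """Return every executable in the Userinit value other than the stock
    userinit.exe; an install that hijacks this value appends its own path."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        norm = entry.lower().replace("%systemroot%", r"c:\windows")
        if norm == STOCK_USERINIT:
            continue
        extras.append(entry)
    return extras


def classify_path(path: str) -> Optional[str]:
    """Label a path that matches one of the drop locations, else None.
    A bare .exe in the Startup folder is a strong signal (normal entries are .lnk);
    an .exe one directory under AppData\\Local is weak alone and needs review."""
    if STARTUP_EXE.search(path):
        return "exe-in-startup-folder"
    if LOCAL_DROP_EXE.search(path):
        return "exe-in-appdata-local-subdir"
    return None


def triage(userinit_value: str, file_paths: List[str]) -> Dict[str, List[str]]:
    """Group findings from both checks as {finding-label: [paths]}."""
    findings: Dict[str, List[str]] = {}
    for extra in userinit_extra_entries(userinit_value):
        findings.setdefault("userinit-extra-entry", []).append(extra)
    for p in file_paths:
        label = classify_path(p)
        if label:
            findings.setdefault(label, []).append(p)
    return findings
```

Feed it the exported Userinit value and a file listing of the user profile; an empty result means neither check fired, not that the host is clean, since svchost injection and the other registry changes are not covered here.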