Ramnit.D is a multicomponent malware that targets Microsoft Windows operating systems. It was first seen in January 2010. It steals sensitive information such as banking credentials and infects executables, HTML and Microsoft Office files. It opens a backdoor and communicates with the C&C server for updates. It propagates via removable drives. File Related Changes It drops the following file(s) on the system: - "c:\Users\Admin\AppData\Local\Temp\yhvbteknujtldjir.exe"
- "c:\Users\Admin\AppData\Local\yvgteycq\hyxgoclh.exe"
- "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyxgoclh.exe"
Process Related Changes It creates the following mutex(es): - "{54521A76-89E7-D5D6-94CC-53CFCEA1470A}"
- "{54521A77-89E7-D5D6-94CC-53CFCEA1470A}"
- "{54522463-89E7-D5D6-94CC-53CFCEA1470A}"
- "{54520D92-89E7-D5D6-94CC-53CFCEA1470A}"
- "{545219A0-89E7-D5D6-94CC-53CFDB7D470A}"
It creates the following process(es): - C:\Users\Admin\AppData\Local\Temp\yhvbteknujtldjir.exe
- C:\Windows\system32\svchost.exe
Network Activity It attempts to connect to the following remote servers: - google.com:80 (74.125.xxxxxx)
- ihoxyanyker.com:443 (69.164.xxxxxx)
- anxpepxpukbfmh.com:443 (69.164.xxxxxx)
- fssuatmti.com:443 (190.93.xxxxxx)
- vxpxgorqkihafv.com:443 (69.164.xxxxxx)
- ouwwtmcnuiudw.com:443 (94.126.xxxxxx)
- mstwcsnvylmullkqh.com:443 (69.43.1xxxxxx)
- oaifpapl.com:443 (166.78xxxxxx)
We observed the following DNS query/queries: - oaifpapl.com
- ihoxyanyker.com
- qdfgqwiovjlfegdcepm.com
- ouwwtmcnuiudw.com
- gqmrhecnntccmawclmq.com
- vlupfbsuppipkrvbsdy.com
- fssuatmti.com
- anxpepxpukbfmh.com
- mstwcsnvylmullkqh.com
- vxpxgorqkihafv.com
- carrerfullezz.com
Registry Related Changes It makes the following registry modifications to ensure infection after system reboot: - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hyxgoclh = C:\Users\Admin\AppData\Local\yvgteycq\hyxgoclh.exe
|