Ramnit Malware

Roi Lavie, published in Malware Analysis, Dec 14, 2018

I started investigating this malware from an HTML file.

This file was downloaded from VirusShare.com.

Delivery stage

As we can see below, we browse to a page whose content contains VBScript, so we can understand that the targets are only Internet Explorer victims. In the screenshot below we can see that the VBScript generates a file "svchost.exe" and runs it.

For the next step I wanted to run the VBScript as a single file, so I copied the VBScript code into a separate file and ran it (without line 46), because I wanted the VBS script to generate the exe without running it.

With Process Monitor I can see that wscript.exe creates a file named svchost.exe in the temp folder.

We can understand that svchost.exe is the malware payload. Let's start exploring it.

Starting with static analysis in pestudio, we can see that the file has a lot of malicious indicators:

The compile timestamp is 2065
In the screenshot we can see that this exe is packed with UPX.
Decompress the file
After decompressing, I renamed the file to virus.exe

From now on I want to understand more deeply what the purpose of the malware is and what it does.

Let's continue with dynamic analysis. Now we can run the Sysinternals tool Process Monitor, export the capture to a CSV file, then import the CSV into the ProcDOT tool, and we get this.

Process Monitor visualization with ProcDOT

We can see in the above screenshot that "virus.exe" creates two "iexplore.exe" processes and performs process injection. The malware makes requests to malicious IPs and adds an exe file to gain persistence in the operating system.

In the image below we can see that iexplore.exe is listening on the FTP port.

iexplore.exe listening on port 21
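The three Process Monitor findings above (a script host dropping svchost.exe into Temp, virus.exe spawning iexplore.exe, and iexplore.exe accepting connections on port 21) can be pulled out of a Procmon CSV export automatically. The following is an added example, not code from the original post; the CSV rows are constructed to mimic Procmon's export layout, and the list of processes allowed to spawn Internet Explorer is an assumption for this lab.

```python
import csv
import io
import re

# Constructed sample rows in Process Monitor's CSV export layout (not a real capture).
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,wscript.exe,1234,CreateFile,C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe,SUCCESS,Desired Access: Generic Write
10:02:10.5,virus.exe,2222,Process Create,C:\\Program Files\\Internet Explorer\\iexplore.exe,SUCCESS,PID: 3333
10:02:11.0,virus.exe,2222,Process Create,C:\\Program Files\\Internet Explorer\\iexplore.exe,SUCCESS,PID: 3344
10:02:15.7,iexplore.exe,3333,TCP Connect,lab-pc:49152 -> 203.0.113.5:443,SUCCESS,Length: 0
10:02:20.2,iexplore.exe,3333,TCP Accept,lab-pc:21 -> 198.51.100.7:51000,SUCCESS,Length: 0
10:03:00.0,explorer.exe,900,CreateFile,C:\\Users\\lab\\Documents\\notes.txt,SUCCESS,Desired Access: Generic Write
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.IGNORECASE)
# Assumption: only these parents are expected to launch Internet Explorer in the lab.
BROWSER_PARENTS = {"explorer.exe", "iexplore.exe"}
FTP_PORT = 21


def triage(csv_text):
    """Return (rule, process, pid, path) for each Procmon row that matches a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        op = row["Operation"]
        path = row["Path"]
        # Rule 1: a script host writing an executable into a Temp directory.
        if (op == "CreateFile" and proc in SCRIPT_HOSTS
                and TEMP_EXE.search(path) and "Generic Write" in row["Detail"]):
            hits.append(("script_host_drops_exe", proc, row["PID"], path))
        # Rule 2: iexplore.exe started by something other than the usual parents.
        elif (op == "Process Create" and path.lower().endswith("\\iexplore.exe")
                and proc not in BROWSER_PARENTS):
            hits.append(("unexpected_iexplore_parent", proc, row["PID"], path))
        # Rule 3: the browser accepting an inbound TCP connection on the FTP port.
        elif op == "TCP Accept" and proc == "iexplore.exe":
            local_endpoint = path.split("->")[0].strip()
            if int(local_endpoint.rsplit(":", 1)[1]) == FTP_PORT:
                hits.append(("browser_accepts_ftp", proc, row["PID"], path))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(hit)
```

A real export will have many more rows; the rules only look at Operation, Process Name, Path and Detail, so they work unchanged on a full capture.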

After that I ran an nmap scan against my own machine and found that the FTP service is that of the Ramnit malware.

We can understand that the FTP daemon on port 21 is known to belong to the Ramnit malware.
Ramnit Malware Creates FTP Network From Victim’s Computers

In conclusion, I think we can see what the malware did and learn from it for the next malware!

Hope to see you in the next analysis!!
