08-10-2017 – Rig Exploit Kit Leads to Ramnit aka "demetra" Banker via CVE-2015-8651

Goal: Reverse the Rig Exploit Kit infection chain leading to Ramnit “demetra” banking Trojan.
Source: Malicious traffic
Tools: Fiddler, JPEXS, OllyDBG

Traffic Chain: 

Seamless gate ->
-> Rig EK Landing ->  
-> Rig EK CVE-2015-8651 Adobe Flash exploit
-> Ramnit Payload
-> Ramnit Payload (via its getexec command)

I. RigEK’s observed URI parameters are as follows (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)):

  • MTUzNzcy (base64 landing)
  • NDYzMzgw (base64 exploit)
  • man
  • pan
  • work
  • shop
II. Adobe Flash Player Exploit (CVE-2015-8651):
Upon successful exploitation of the integer overflow vulnerability (si32 and li32), the exploit runs a shellcode downloading and executing the Ramnit banker. See more here.
Interesting function name


Ramnit aka “demetra” banking Trojan (dropped in %TEMP%; concatenates :Zone.Identifier as svchost[.]exe to the string and attempts to remove it as an anti-analysis trick, and leverages User Account Control (UAC) bypass method using application compatibility databases based on sdbinst[.]exe):

  • AvTrust
  • Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)
  • XX’S
  • Chrome reinstall
  • Chrome reinstall module (x64-x86) v0.1
  • CookieGrabber
  • Cookie Grabber v0.2 (no mask)
  • FtpGrabber2
  • Ftp Grabber v2.0
  • XX’S
  • Hooker
  • Spy module (Zeus, SE, Rootkit, Ignore SPDY) v4
  • VNC IFSB x64-x86

Ramnit anti-virus exclusion registry script:

  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0 

Targets US-based financial institutions leveraging its webinjects (same as 8-7-2017):
Indicators of compromise (IOCs):
Rig EK Landing:
Rig EK CVE-2015-8651 Exploit Flash integer overflow vulnerability:

Ramnit initial:

Ramnit getexec payload: 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: