
Ramnit.A
General

Ramnit.A is a trojan/worm that infects executable files and steals the user's personal information from the affected machine. In the latest versions, additional capabilities have been identified, such as theft of financial information and Facebook information.

MD5: 607b2219fbcfbfe8e6ac9d7f3fb8d50e
SHA256: f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c
SHA1: a7771cd3b99f7201b331323f03e2d596778b610e
Size: 132.5 KB (135680 bytes)

TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)

F-Prot packer identifier
UPX

Aliases (detection name by vendor):

Avast               Win32:Trojan-gen
AVG                 Generic27.MBL
BitDefender         Trojan.Generic.KD.504269
Comodo              TrojWare.Win32.Remex.bfja
DrWeb               Trojan.Rmnet.8
Emsisoft            DDoS.Win32.Dofoil!IK
ESET-NOD32          Win32/Ramnit.A
F-Prot              W32/Downldr2.IXID
F-Secure            Trojan.Generic.KD.504269
Fortinet            W32/Lebag.A!tr
Kaspersky           Trojan.Win32.Lebag.klg
McAfee-GW-Edition   Generic.il
Microsoft           Trojan:Win32/Ramnit.A
Norman              W32/Krypt.CI
Panda               Trj/Agent.NOK
PCTools             Trojan.Generic
Sophos              Mal/ZboCheMan-F
Symantec            Trojan Horse
TheHacker           Trojan/Lebag.klg
TrendMicro          TSPY_SINOWAL.WC


Runtime behaviour of the file

The file copies itself into the following folders:

C:\Documents and Settings\Administrador\Configuración local\Temp
C:\Documents and Settings\Administrador\Configuración local\Datos de programa
C:\Documents and Settings\Administrador\Menú Inicio\Programas\Inicio

The rootkit is extracted into the folder

C:\Documents and Settings\Administrador\Configuración local\Temp

It injects itself into the svchost.exe process.

Windows registry modifications

The key created for the rootkit:

HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service\ImagePath: "\??\C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\epvbgppd.sys"

The key created specifically for the affected machine, which contains the key used to encrypt the files:

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
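As an added defender-side example (not part of the original analysis), the following PowerShell triage script checks a host for the indicators described in the runtime and registry sections above: the misspelled "Micorsoft Windows Service" key with a .sys ImagePath under Temp, and dropped executables whose hashes match those listed for the sample. The eight-letter driver name pattern is an assumption inferred from the single sample epvbgppd.sys, and locale-independent folder lookups stand in for the Spanish Windows XP paths.

```powershell
# Added example: host triage for the Ramnit.A indicators on this page.
# Needs PowerShell 4+ (Get-FileHash) and administrative rights to read HKLM.
$Known = @{
    '607b2219fbcfbfe8e6ac9d7f3fb8d50e'                                 = 'MD5'
    'a7771cd3b99f7201b331323f03e2d596778b610e'                         = 'SHA1'
    'f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c' = 'SHA256'
}
# Locale-independent equivalents of the XP folders the sample copied itself into.
$DropDirs = @(
    $env:TEMP,
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('Startup')
)
# Service name written by the sample; the misspelling "Micorsoft" is the malware's own.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service'

function Find-RamnitIndicators {
    $findings = @()

    # 1. Rootkit service key and a driver image dropped under Temp.
    if (Test-Path $ServiceKey) {
        $img = (Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $ServiceKey (ImagePath: $img)"
        # Assumption: an 8-letter random name, generalised from epvbgppd.sys.
        if ($img -match '\\Temp\\[a-z]{8}\.sys$') {
            $findings += "ImagePath is a random-named .sys under Temp: $img"
        }
    }

    # 2. Dropped copies: hash top-level .exe files in the drop folders against the page's hashes.
    foreach ($dir in ($DropDirs | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
                $h = (Get-FileHash -Path $_.FullName -Algorithm $alg).Hash.ToLower()
                if ($Known.ContainsKey($h)) { $findings += "Known $alg hash in $($_.FullName)" }
            }
        }
    }

    # 3. The sample persists via the Startup folder, so any executable there is worth review.
    Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Executable in Startup folder: $($_.FullName)" }

    return $findings
}

$result = Find-RamnitIndicators
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No Ramnit.A indicators found.' }
```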

The purpose of the following keys is to prevent these objects from being initialised when the PC is started in safe mode.

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "cmd.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\: "Human Interface Devices"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\: "Volume"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\: "Floppy disk drive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\: "System"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\: "SCSIAdapter"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\: "PCMCIA Adapters"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\: "Mouse"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\: "Keyboard"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\: "Hdc"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\: "Standard floppy disk controller"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\: "CD-ROM Drive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\: "Universal Serial Bus controllers"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender\: "Driver Group"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys\: "FSFilter System Recovery"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class\: "Driver Group"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs\: "Service"

…..

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\: "Human Interface Devices"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\: "Volume"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\: "Floppy disk drive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\: "System"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\: "SCSIAdapter"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\: "PCMCIA Adapters"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\: "NetTrans"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\: "NetService"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\: "NetClient"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\: "Net"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\: "Mouse"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\: "Keyboard"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\: "Hdc"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\: "Standard floppy disk controller"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\: "CD-ROM Drive"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\: "Universal Serial Bus controllers"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmt\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sys\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDI\: "Driver Group"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Tcpip\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender\: "Driver Group"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers\: "Driver Group"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys\: "FSFilter System Recovery"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess\: "Service"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys\: "Driver"

……

Network information

IP addresses to which it attempts to connect:

74.125.229.96
74.125.229.98
74.125.229.103
74.125.229.97
74.125.229.102
74.125.229.167
96.126.106.156

Ramnit issues many DNS queries to the servers responsible for delivering the instructions it is to carry out.