Malware Analysis Report

2025-01-19 07:10

Sample ID 240624-vk87kstame
Target 09c0aaf5419b447ae990518148636f65_JaffaCakes118
SHA256 655f483dc97875d5f8896ac47524d4732017085ceb2b374ccb33bae9c47ea9b9
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

655f483dc97875d5f8896ac47524d4732017085ceb2b374ccb33bae9c47ea9b9

Threat Level: Known bad

The file 09c0aaf5419b447ae990518148636f65_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 17:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 17:04

Reported

2024-06-24 17:06

Platform

win7-20240611-en

Max time kernel

150s

Max time network

142s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\lgpllibs.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\DiagnosticsTap.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdaprsr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 2296 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2052 wrote to memory of 2296 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2052 wrote to memory of 2296 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2052 wrote to memory of 2296 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2052 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2052 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2052 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2052 wrote to memory of 2096 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2296 wrote to memory of 2392 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2296 wrote to memory of 2392 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2296 wrote to memory of 2392 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2296 wrote to memory of 2392 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2768 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2392 wrote to memory of 2968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2968 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2968 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2968 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2968 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2968 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2968 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2968 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2968 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2968 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2968 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2968 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2968 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2968 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2968 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2968 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2968 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c0aaf5419b447ae990518148636f65_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c0aaf5419b447ae990518148636f65_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 236

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.178.14:80 google.com tcp
GB 142.250.178.14:80 google.com tcp

Files

memory/2052-3-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2052-2-0x0000000010000000-0x0000000010028000-memory.dmp

memory/2052-0-0x0000000010000000-0x0000000010028000-memory.dmp

\Windows\SysWOW64\rundll32mgr.exe

MD5 58ae04d47a7587cba542671907b6a9af
SHA1 1f1e13105f87605281aac5666e8e448ab388b113
SHA256 aaaccf3120e3a27abb632e12c69b5e21056ec88780f001605d763eed9a2d1709
SHA512 78e2ecd54578cf8413f025f060412df7855ba661c07fafe0891a6827295a80caa8c3eae2be771786bc49ef5492163530319b86eba10cc6627d40b1677a496401

memory/2052-5-0x00000000001E0000-0x000000000020B000-memory.dmp

memory/2296-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-19-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2296-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2296-30-0x0000000000050000-0x000000000007B000-memory.dmp

memory/2392-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2392-40-0x0000000000830000-0x0000000000831000-memory.dmp

memory/2392-41-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2392-43-0x00000000770BF000-0x00000000770C0000-memory.dmp

memory/2768-47-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2768-45-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2768-55-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2768-68-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2768-67-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2768-66-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2768-64-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2768-60-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2392-83-0x00000000770BF000-0x00000000770C0000-memory.dmp

memory/2968-74-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2392-72-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2968-88-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2968-84-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2968-91-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2968-93-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2968-92-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2968-90-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2968-89-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2968-336-0x00000000770C0000-0x00000000770C1000-memory.dmp

memory/2392-620-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2768-1081-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 8b45792dc359e105f70db5f3b39679fc
SHA1 6389e065e547e4c81404854f07acc2789062eaf3
SHA256 453807a378a2ce6c253eadc0867ecf17c7cdf7fdecb31697b32416311b42dd63
SHA512 2c325aca5983ef7a028204a976ad8a77e69aedfed31621bb6334ec9fb98b59fc4d79523d1c824419f83fa4bba9be75aa9266a2b4acc53b431b35c3bc682ddbb5

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 e032fec9f8b3ef0f92cd4ab576f6ad6f
SHA1 3ab84fd18478ddbd23c5e7d88b3a3bd1d6cae422
SHA256 e24c4b0324d36cf9e02e4b3fa84b5f2308e4308dc880e5ef6cee2ec5e3cc0f7e
SHA512 f0caa6631027b9d0982c1a4600bb5c822e2fed41ccd1c61af9190a0fe13bf43bf7e17d515b3e8e1b7fe7abcc6c52fb8f45878be5ff52c97c5d0dbd700b47ebd9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 17:04

Reported

2024-06-24 17:06

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c0aaf5419b447ae990518148636f65_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px13E1.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CD924416-324B-11EF-B9F7-CA9969386483} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114840" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CD8B209D-324B-11EF-B9F7-CA9969386483} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2721853256" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114840" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114840" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114840" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2721853256" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2721853256" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114840" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114840" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426013641" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2757009294" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2721853256" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2757009294" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 224 wrote to memory of 4436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4436 wrote to memory of 2964 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4436 wrote to memory of 2964 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4436 wrote to memory of 2964 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 2964 wrote to memory of 1836 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2964 wrote to memory of 1836 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2964 wrote to memory of 1836 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 2232 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1836 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1836 wrote to memory of 1324 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1836 wrote to memory of 1324 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3948 wrote to memory of 1028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1324 wrote to memory of 4240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3948 wrote to memory of 1028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1324 wrote to memory of 4240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3948 wrote to memory of 1028 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1324 wrote to memory of 4240 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c0aaf5419b447ae990518148636f65_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c0aaf5419b447ae990518148636f65_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4436 -ip 4436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 636

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3948 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/4436-0-0x0000000010000000-0x0000000010028000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 58ae04d47a7587cba542671907b6a9af
SHA1 1f1e13105f87605281aac5666e8e448ab388b113
SHA256 aaaccf3120e3a27abb632e12c69b5e21056ec88780f001605d763eed9a2d1709
SHA512 78e2ecd54578cf8413f025f060412df7855ba661c07fafe0891a6827295a80caa8c3eae2be771786bc49ef5492163530319b86eba10cc6627d40b1677a496401

memory/2964-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2964-6-0x0000000000401000-0x0000000000405000-memory.dmp

memory/2964-7-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2964-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-15-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1836-21-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1836-26-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1836-29-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2964-31-0x0000000000401000-0x0000000000405000-memory.dmp

memory/1836-32-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1836-33-0x0000000077C32000-0x0000000077C33000-memory.dmp

memory/2232-36-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2232-35-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/1836-37-0x0000000077C32000-0x0000000077C33000-memory.dmp

memory/1836-38-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1836-39-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CD8B209D-324B-11EF-B9F7-CA9969386483}.dat

MD5 4b959657e369b75926d5f0139faf8cdd
SHA1 a2d92d08fd7351ba094173db5c72768848ce1d2c
SHA256 771ea33c0816819e601b3e6d6968529e2e8e369a32fe2006ea6c151f33c85f0d
SHA512 64cda0e34806c6746824ef02866b121985c4773a42955be57a06bda5e10e3dbb9b843b870823bdc629424d72516418d1812d577d50c14f1e916645dd84d8ea7f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CD924416-324B-11EF-B9F7-CA9969386483}.dat

MD5 a4c8cd753e9f13f8a53379864d0d136b
SHA1 bc81c752e4eb37f8e145d4486c108e58b8bbcaeb
SHA256 a4d882c0809534d86e87be7b43a504539f87b0eacb5f313597aa615116e87fca
SHA512 28a59b87b30bec474cc6d6753aaf58fcfa7d1497db192c1b17f38999a175317a07e35946dfdf617c49d13379763d680118ce198eff451b0e1c63edc78dc58ec6

memory/4436-42-0x0000000010000000-0x0000000010028000-memory.dmp

memory/1836-43-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1836-44-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 20b0959d0f82acd40449a5822c1346df
SHA1 e814813985da89e6535c1540e0ca9651432aa3ff
SHA256 bafc0049d0efab3c5c4d3591b635178f8f95237ffa5e07f4dba4929a36e179d3
SHA512 3c7984f5f538e98d64be84643d8517f31fca547e716b8902a20bae90acc2b4fdb93bef90876e318da89cf42b95e40ffe9d6eefd328c5068b589722a478d3c359

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 06f5f3f6abfa0faa19dac83b5346ccb5
SHA1 28c8b2b412b44c21726132ce9f51aa9e2207f328
SHA256 1f08ea567a623c9f9015efd9b209b823cd5bce6d474256440ffceb4f5ccffd8e
SHA512 dd94f4ddc9e6cd90f1f4ae6c9175d16a6687329b2d1b928d24510229001a5539966b5ac1685d527606084a2cadc1ea856d14209c2e61b7434a699a293ebba448

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9BDE.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee