Malware Analysis Report

2025-01-19 07:09

Sample ID 240624-ybm5jazarf
Target 0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118
SHA256 d28522f5a1bdd4cc70d29ce457e9bfcbb75d6d5fd2537ff15877ee2a502dd907
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d28522f5a1bdd4cc70d29ce457e9bfcbb75d6d5fd2537ff15877ee2a502dd907

Threat Level: Known bad

The file 0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Ramnit

Modifies WinLogon for persistence

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 19:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 19:36

Reported

2024-06-24 19:39

Platform

win7-20240221-en

Max time kernel

150s

Max time network

143s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jawt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jfxwebkit.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\sunmscapi.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OSETUPUI.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2native.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpSvc.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextService.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\pdmproxy100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\NewPublish.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpEvMsg.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\PhotoViewer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1244 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1244 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1244 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2080 wrote to memory of 2420 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2420 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2420 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2420 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2420 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2420 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2420 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2420 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2420 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2420 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2420 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2420 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2420 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2420 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2420 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2420 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2420 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2420 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2420 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2420 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2420 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2420 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2420 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2420 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2420 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2420 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2420 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2420 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2420 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2420 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2420 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2420 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.178.14:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:80 google.com tcp

Files

memory/1244-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1244-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-1-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-5-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-8-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1244-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1244-4-0x0000000000400000-0x0000000000421000-memory.dmp

\Program Files (x86)\Microsoft\WaterMark.exe

MD5 0a745aeddb83ec4d137dfcc0f3d1ccad
SHA1 bc9f3298a33b71a6a26dc56408eca55d313800ab
SHA256 d28522f5a1bdd4cc70d29ce457e9bfcbb75d6d5fd2537ff15877ee2a502dd907
SHA512 85be6d620235ac9447ab8a65055cbf4d29ef0b6dbffc5d38bfd35071c26622fd0c48729daf4323d7c58e34b0204ba131792b40c9ec38bb4a597f5693e5ba2eaf

memory/2080-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2080-29-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2080-30-0x00000000777FF000-0x0000000077800000-memory.dmp

memory/2080-27-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2628-34-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2628-32-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2080-31-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2628-56-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2628-55-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2628-54-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2628-53-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2628-52-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2628-47-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2628-42-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2080-60-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2420-62-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2080-71-0x00000000777FF000-0x0000000077800000-memory.dmp

memory/2420-72-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2420-76-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2420-81-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2420-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2420-79-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2420-78-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2420-77-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2420-305-0x0000000077800000-0x0000000077801000-memory.dmp

memory/2080-536-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2628-977-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 d7751dd1e45573a79013c508e4640432
SHA1 ac4000758d25878c876d4ad2c7767d2acff85ce8
SHA256 77f6696064386b2908af9c5e650836c0a6359273fc7743043bf05a30c79b524d
SHA512 cc1354c4a55e52a84481c10ca5970ad323da9394c954786ebe179256f97a6325477e2cc6eafffca5e8cf6035cf3ac7c88763502854771d80d4d8a19a7a3a79cc

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 528b4eca8097b5a1790a81d990cdb130
SHA1 dfb311fe5863677f8768c527bc43a66d7ee47459
SHA256 c7218ebb9593969994aa8de76a1dbbbd5b25feedb812f27ab7cf9e91bf8e0f70
SHA512 3af85618d3a0583a17d27f79824a968eab88de1b083877e0d7f27b738cf12b26bcddb1433086fb9698024762f544f79fcce1bcc2c36910700af65ea94f555be2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 19:36

Reported

2024-06-24 19:39

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px1865.tmp C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4215007530" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2629166B-3261-11EF-B9F7-DA3E94F6CD86} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426022816" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "46291223" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "46291223" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4215007530" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4215007530" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114862" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{262DDC91-3261-11EF-B9F7-DA3E94F6CD86} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4215163593" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114862" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114861" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4768 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4768 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 4128 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4128 wrote to memory of 4520 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4128 wrote to memory of 5044 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4128 wrote to memory of 5044 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 5044 wrote to memory of 4052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5044 wrote to memory of 4052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 5044 wrote to memory of 4052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4520 wrote to memory of 4088 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4520 wrote to memory of 4088 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4520 wrote to memory of 4088 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a745aeddb83ec4d137dfcc0f3d1ccad_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1704 -ip 1704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5044 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4520 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 113.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/4768-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4768-1-0x0000000000401000-0x0000000000402000-memory.dmp

memory/4768-4-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/4768-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4768-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-9-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 0a745aeddb83ec4d137dfcc0f3d1ccad
SHA1 bc9f3298a33b71a6a26dc56408eca55d313800ab
SHA256 d28522f5a1bdd4cc70d29ce457e9bfcbb75d6d5fd2537ff15877ee2a502dd907
SHA512 85be6d620235ac9447ab8a65055cbf4d29ef0b6dbffc5d38bfd35071c26622fd0c48729daf4323d7c58e34b0204ba131792b40c9ec38bb4a597f5693e5ba2eaf

memory/4128-25-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4128-28-0x0000000077A12000-0x0000000077A13000-memory.dmp

memory/4128-27-0x0000000000060000-0x0000000000061000-memory.dmp

memory/1704-31-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1704-30-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/4128-32-0x0000000077A12000-0x0000000077A13000-memory.dmp

memory/4128-33-0x0000000000070000-0x0000000000071000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2629166B-3261-11EF-B9F7-DA3E94F6CD86}.dat

MD5 50964d1f774964f68a03785959a2a39a
SHA1 eff49c2f67030754bee5b526e6434cb8c9d1f8ea
SHA256 8c136bbbd737ee49ecbd95e7557aa7c7225e0ac3653ced9417a52df1d76d18bb
SHA512 8dbe39dca13d20226686b471e347505690b023fecb0978d3707ee680131c86abf9bb1ececdcbb5f8d23149ee2831263df3183fe7736320a4f31ff2c0830d2ffa

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{262DDC91-3261-11EF-B9F7-DA3E94F6CD86}.dat

MD5 5dcf37bc84b73d2cbb2ce7ae55d90bb5
SHA1 4468143924f4e71703141ab465d34b8677f6f3ae
SHA256 b027352c64323ae1073b4289b5912d13e3ca22f41aa9eb8109408e9015263739
SHA512 503ee770c23085482b1ecbbaad23249371f901e84c98557343a3cc74f40d3c8d559bd1c777b4cc4709d667cb459d239d2bf81cea66181f945f3c655bbdb0072a

memory/4128-36-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4128-37-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 06f5f3f6abfa0faa19dac83b5346ccb5
SHA1 28c8b2b412b44c21726132ce9f51aa9e2207f328
SHA256 1f08ea567a623c9f9015efd9b209b823cd5bce6d474256440ffceb4f5ccffd8e
SHA512 dd94f4ddc9e6cd90f1f4ae6c9175d16a6687329b2d1b928d24510229001a5539966b5ac1685d527606084a2cadc1ea856d14209c2e61b7434a699a293ebba448

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3dc8d8144108cbaaafb7fcff3a0963d9
SHA1 6f8f6d3c003d5dd1cb5c3d3eeccc1b6ca117ec1c
SHA256 0f49c651029f755724eebce680241d0905af192ff78c5538b0e4fc4a038a1400
SHA512 8e778cf8bd88e57af465be98558dac8c38ff280dce5e75c71a3dd9cdfc670f97b1371d7767c29fddb90ac0a8cbac8fba631b61c0972062087a2d9f00f1ffbe2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 61be1acc5c74dfb29f59985fa32bcb0b
SHA1 42e7898d46104e5b9354b40ad87a6083dbdf18ad
SHA256 0b894c1bbc3bd472943e5c277caab8429e88a78b8932d828fa8fe28e5fe5f3ac
SHA512 1c02d7fd30e3607646adf3423dcb059b4222dbe3fa61d73e38d8ce08dc3a177d82e0ad9cd3590845e3c77b7c81be622c938c1a52c5171077e4debb657319cd14

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA207.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee