Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 25-06-2024 22:14
Static task: static1
Behavioral task: behavioral1
Sample: 0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll
Resource: win7-20240508-en
General
Target: 0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll
Size: 193KB
MD5: 0fb826a66826e677e1d4e4afa87faaf3
SHA1: 344a0fddd8a8a4ea503bc1a21e58eebaa88674ff
SHA256: 4e9ea3d42fe632b08b77b4a05c7c7f4de451d8a3eda6525f458a9dd35bebc22f
SHA512: 3f9b0f7bd49e8bd3c423cce39443e71535d6349a0cf97b276cf0cdb50fe3688f71d8700f15a44c93bbf6b48408a221e5725dc6b505ee8038fcad4bb9df4fc7b9
SSDEEP: 3072:j73MITL/9oSmkbx3ZtffjBTnIwanLMGL99ZgyXf9MWebpjMGlDCdrM:/dTpountf75Iwkz7vBsGdM
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Note: Userinit is the comma-separated list of programs winlogon.exe launches at every interactive logon. The sample replaces the stock value (an absolute path to userinit.exe followed by a trailing comma) with a bare "userinit.exe" plus the dropped WaterMark.exe, so the dropped binary restarts with each logon. The writer is the SysWOW64 svchost.exe (PID 1240) spawned by WaterMark.exe; because that process is 32-bit, the write landed in the Wow6432Node view of the key rather than the native one that the 64-bit winlogon.exe reads, so when checking an x64 host inspect both views.
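Added example (not part of the sandbox report): a small audit of the Userinit value described above. REPORT_USERINIT is the value the report records (with the sandbox's doubled backslashes undone), DEFAULT_USERINIT is the stock Windows 7 value, and REPORT_DROPPED_FILES are the three drop locations the report shows. read_live_userinit() is the only part that needs Windows and reads both registry views; the parsing and audit logic runs anywhere.

```python
"""Audit the Winlogon Userinit value the report's persistence IoC modifies.

Added example, not part of the sandbox report. REPORT_USERINIT is the value the
report records (sandbox backslash-escaping undone); DEFAULT_USERINIT is what a
stock Windows 7 install carries. read_live_userinit() is the only Windows-only
part; everything else runs offline on any platform.
"""
from __future__ import annotations

import ntpath
import sys

REPORT_USERINIT = r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# The only image winlogon should be launching from this value.
EXPECTED_BASENAMES = {"userinit.exe"}

# Drop locations taken from the report's "Drops file" and persistence IoCs.
REPORT_DROPPED_FILES = {
    r"c:\windows\syswow64\regsvr32mgr.exe",
    r"c:\windows\syswow64\dmlconf.dat",
    r"c:\program files (x86)\microsoft\watermark.exe",
}


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated list winlogon runs at logon (a trailing comma is normal)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value: str) -> list[tuple[str, str]]:
    """Return (entry, reason) for every entry a stock configuration would not contain."""
    findings = []
    for entry in parse_userinit(value):
        base = ntpath.basename(entry).lower()
        if base not in EXPECTED_BASENAMES:
            findings.append((entry, "unexpected executable"))
        elif not ntpath.isabs(entry):
            # A bare 'userinit.exe' is resolved through the search path, so a
            # planted copy would win; the report's value has exactly this form.
            findings.append((entry, "relative path"))
    return findings


def dropped_files_present(paths_on_host) -> set[str]:
    """Case-insensitive intersection of a host file listing with the report's drop locations."""
    return {p for p in (x.lower() for x in paths_on_host) if p in REPORT_DROPPED_FILES}


def read_live_userinit() -> dict[str, str | None]:
    """Read Userinit from both registry views of a 64-bit host.

    The report's write landed under Wow6432Node because the writer was a 32-bit
    svchost.exe, while the native winlogon.exe reads the 64-bit view, so both
    views are returned. A view that cannot be opened maps to None.
    """
    if sys.platform != "win32":
        return {"64-bit view": None, "32-bit view": None}
    import winreg  # Windows-only standard-library module

    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = {"64-bit view": winreg.KEY_WOW64_64KEY, "32-bit view": winreg.KEY_WOW64_32KEY}
    result = {}
    for label, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path, 0, winreg.KEY_READ | flag) as k:
                result[label] = winreg.QueryValueEx(k, "Userinit")[0]
        except OSError:
            result[label] = None
    return result


if __name__ == "__main__":
    for entry, reason in audit_userinit(REPORT_USERINIT):
        print(f"{reason}: {entry}")
    for view, value in read_live_userinit().items():
        print(view, value, audit_userinit(value) if value else "(not read)")
```

Run on the report's value the audit flags both entries: the bare "userinit.exe" (relative path) and the appended WaterMark.exe (unexpected executable); the stock value produces no findings.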
Executes dropped EXE (2 IoCs)
pid | Process
1796 | regsvr32mgr.exe
2620 | WaterMark.exe

Loads dropped DLL (4 IoCs)
pid | Process
1524 | regsvr32.exe
1524 | regsvr32.exe
1796 | regsvr32mgr.exe
1796 | regsvr32mgr.exe

YARA rule match: upx (10 IoCs)
resource | yara_rule
behavioral1/memory/1796-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-11-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1796-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-41-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-565-0x0000000000400000-0x0000000000421000-memory.dmp | upx
(The matches are memory dumps of PID 1796 regsvr32mgr.exe and PID 2620 WaterMark.exe, both mapped at 0x400000-0x421000, consistent with WaterMark.exe being a copy of the same UPX-packed dropped executable.)

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\regsvr32mgr.exe | regsvr32.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\System\DirectDB.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\WordpadFilter.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Media Player\setup_wm.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html | svchost.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Windows.Presentation.resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Defender\MsMpCom.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Journal\Journal.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\management.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfreeze_plugin.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEODBCI.DLL | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEWSTR.DLL | svchost.exe
Note: every entry is an existing .exe, .dll, .htm or .html file under Program Files being opened for write by the SysWOW64 svchost.exe (PID 1240), not a new file being dropped. The list stops at exactly 64 entries, which appears to be the report's per-signature display cap, so the real set of touched files is almost certainly larger. Write access to installed executables and HTML documents across unrelated vendors is the footprint of a file infector; treat every executable and HTML file on an affected host as suspect rather than only the three files the sample creates.
Modifies registry class (45 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\MenuText = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll,-101" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "&Windows Media Player" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "&Windows Media Player" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "&Windows Media Player" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll,-101" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" | regsvr32.exe
Note: taken on their own these 45 writes are an ordinary COM registration (CLSID, ProgID "WMP.DeskBand", IWMPDeskBandDispatch interface, "WMPDeskBand 1.0 Type Library", Implemented Categories {00021492-...} for a desk band) performed by the 32-bit regsvr32.exe (PID 1524), with InprocServer32 pointing at the submitted DLL in %TEMP%. Nothing here is malicious by itself; together with the file-infector behaviour above it suggests the sample is an infected copy of a legitimate Windows Media Player desk band DLL whose original DllRegisterServer still runs. The registration does, however, leave a CLSID on the host that resolves to the infected DLL, so remove these keys along with the dropped files.
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | Process
2620 | WaterMark.exe (repeated events)
2368 | svchost.exe (repeated events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2620 | WaterMark.exe
Token: SeDebugPrivilege | 2368 | svchost.exe
Token: SeDebugPrivilege | 2620 | WaterMark.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
1796 | regsvr32mgr.exe
2620 | WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, event count in the last column)
pid | Process | wrote to memory of | procid_target | events
1824 | regsvr32.exe | 1524 | 28 | 7
1524 | regsvr32.exe | 1796 | 29 | 4
1796 | regsvr32mgr.exe | 2620 | 30 | 4
2620 | WaterMark.exe | 1240 | 31 | 10
2620 | WaterMark.exe | 2368 | 32 | 10
2368 | svchost.exe | 256 | 1 | 5
2368 | svchost.exe | 332 | 2 | 5
2368 | svchost.exe | 380 | 3 | 5
2368 | svchost.exe | 388 | 4 | 5
2368 | svchost.exe | 428 | 5 | 5
2368 | svchost.exe | 472 | 6 | 4 (the list ends here at the 64-entry cap)
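Added example (not part of the sandbox report): a script that rebuilds the injection chain from the WriteProcessMemory rows above and flags the svchost.exe instances that were not started by services.exe. The rows and the process tree are constructed from this report (one row per writer/target pair, since the report repeats each pair several times), so it runs offline; point parse_wpm_rows() at the rows of another report to reuse it.

```python
"""Rebuild the cross-process write chain from a sandbox report's
"Suspicious use of WriteProcessMemory" rows and spot rogue svchost.exe hosts.

Added example, not part of the sandbox report. WPM_ROWS and PROCESS_TREE are
constructed from this report (rows deduplicated; tree limited to the PIDs the
rows reference plus two genuine service hosts for contrast).
"""
from __future__ import annotations

import re
from collections import deque

# Row layout in the report: PID <src> wrote to memory of <dst> <src> <image> <target_id>
WPM_ROWS = """\
PID 1824 wrote to memory of 1524 1824 regsvr32.exe 28
PID 1524 wrote to memory of 1796 1524 regsvr32.exe 29
PID 1796 wrote to memory of 2620 1796 regsvr32mgr.exe 30
PID 2620 wrote to memory of 1240 2620 WaterMark.exe 31
PID 2620 wrote to memory of 2368 2620 WaterMark.exe 32
PID 2368 wrote to memory of 256 2368 svchost.exe 1
PID 2368 wrote to memory of 332 2368 svchost.exe 2
PID 2368 wrote to memory of 380 2368 svchost.exe 3
PID 2368 wrote to memory of 388 2368 svchost.exe 4
PID 2368 wrote to memory of 428 2368 svchost.exe 5
PID 2368 wrote to memory of 472 2368 svchost.exe 6
"""

# pid -> (image name, parent pid), taken from the report's Processes section.
PROCESS_TREE = {
    256: ("smss.exe", None), 332: ("csrss.exe", None), 380: ("wininit.exe", None),
    388: ("csrss.exe", None), 428: ("winlogon.exe", None), 1180: ("Explorer.EXE", None),
    472: ("services.exe", 380), 596: ("svchost.exe", 472), 676: ("svchost.exe", 472),
    1824: ("regsvr32.exe", 1180), 1524: ("regsvr32.exe", 1824),
    1796: ("regsvr32mgr.exe", 1524), 2620: ("WaterMark.exe", 1796),
    1240: ("svchost.exe", 2620), 2368: ("svchost.exe", 2620),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm_rows(text: str) -> list[tuple[int, int, str]]:
    """Return (source pid, target pid, source image) for every row that parses."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return edges


def injection_path(edges, start: int, end: int) -> list[int] | None:
    """Shortest chain of cross-process writes from start to end (BFS), or None."""
    adj: dict[int, list[int]] = {}
    for src, dst, _ in edges:
        adj.setdefault(src, []).append(dst)
    prev: dict[int, int | None] = {start: None}
    queue = deque([start])
    while queue:
        pid = queue.popleft()
        if pid == end:
            path = []
            while pid is not None:
                path.append(pid)
                pid = prev[pid]
            return path[::-1]
        for nxt in adj.get(pid, []):
            if nxt not in prev:
                prev[nxt] = pid
                queue.append(nxt)
    return None


def write_targets(edges, writer: int, tree=PROCESS_TREE) -> set[str]:
    """Image names of every process the given pid wrote into."""
    return {tree[dst][0] for src, dst, _ in edges if src == writer and dst in tree}


def rogue_svchost(tree=PROCESS_TREE) -> set[int]:
    """svchost.exe instances whose parent is not services.exe.

    A genuine service host is always a child of services.exe; the two in this
    report are children of WaterMark.exe and were written into before they ran.
    """
    return {
        pid for pid, (name, parent) in tree.items()
        if name.lower() == "svchost.exe"
        and (parent is None or tree.get(parent, ("",))[0].lower() != "services.exe")
    }


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print("chain:", " -> ".join(f"{p} {PROCESS_TREE[p][0]}" for p in injection_path(edges, 1824, 2368)))
    print("rogue svchost:", sorted(rogue_svchost()))
    print("2368 wrote into:", sorted(write_targets(edges, 2368)))
```

On this report the chain resolves to regsvr32.exe (1824) -> regsvr32.exe (1524) -> regsvr32mgr.exe (1796) -> WaterMark.exe (2620) -> svchost.exe (2368), the two rogue hosts are PIDs 1240 and 2368, and 2368 writes into smss, csrss, wininit, winlogon and services, which is why the EnumeratesProcesses signature fires on it. The parent check is the cheap detection: on a live host, any svchost.exe whose parent is not services.exe (or, on newer Windows, that lacks a -k service group on its command line) deserves the same scrutiny.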
Processes (parent/child tree, indented by depth; image, [PID], command line as recorded)

C:\Windows\System32\smss.exe  [PID 256]  \SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe  [PID 332]  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe  [PID 380]  wininit.exe
  C:\Windows\system32\services.exe  [PID 472]  C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe  [PID 596]  C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\DllHost.exe  [PID 1032]  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      C:\Windows\system32\wbem\wmiprvse.exe  [PID 1248]  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    C:\Windows\system32\svchost.exe  [PID 676]  C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe  [PID 740]  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe  [PID 808]  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\Dwm.exe  [PID 1148]  "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe  [PID 844]  C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\wbem\WMIADAP.EXE  [PID 2472]  wmiadap.exe /F /T /R
    C:\Windows\system32\svchost.exe  [PID 968]  C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe  [PID 236]  C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe  [PID 1012]  C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe  [PID 1040]  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe  [PID 1100]  "taskhost.exe"
    C:\Windows\system32\svchost.exe  [PID 2088]  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe  [PID 1276]  C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\lsass.exe  [PID 488]  C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsm.exe  [PID 496]  C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe  [PID 388]  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe  [PID 428]  winlogon.exe
C:\Windows\Explorer.EXE  [PID 1180]  C:\Windows\Explorer.EXE
  C:\Windows\system32\regsvr32.exe  [PID 1824]  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe  [PID 1524]  /s C:\Users\Admin\AppData\Local\Temp\0fb826a66826e677e1d4e4afa87faaf3_JaffaCakes118.dll
      - Loads dropped DLL
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32mgr.exe  [PID 1796]  C:\Windows\SysWOW64\regsvr32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe  [PID 2620]  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe  [PID 1240]  C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
          C:\Windows\SysWOW64\svchost.exe  [PID 2368]  C:\Windows\system32\svchost.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

Reading the tree: the 64-bit regsvr32.exe (PID 1824) handing a 32-bit DLL to its SysWOW64 counterpart (PID 1524) is normal; the chain turns malicious when that process drops and runs regsvr32mgr.exe from SysWOW64, which in turn starts the dropped WaterMark.exe. Both dropped executables unmap their own main image and write into their child (UnmapMainImage plus WriteProcessMemory into a freshly created process is the process-hollowing pattern), and the two svchost.exe instances under WaterMark.exe are not service hosts at all: they run from SysWOW64 without a -k service group, have WaterMark.exe rather than services.exe as parent, and PID 2368 then writes into smss, csrss, wininit, winlogon and services.exe after taking SeDebugPrivilege. PID 1240 is the one that sets the Winlogon persistence and rewrites files under Program Files.
Network
MITRE ATT&CK Enterprise v15
Downloads (files captured from the guest after the run; hashes are of the captured copies)

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 206KB
  MD5: e9affe56b387472fd2757fe3729f8b0a
  SHA1: 5ebd290a2f880368a4cf2d40a598c8e1fbf23caa
  SHA256: 4c964dec1934f09c00d667e4094cd61dd841b6feca3cc7e0caddf2b46da1d7be
  SHA512: 374961634430a17c70aa8dfbcb8a2fdb758636be4ff1c07d5eaea27da5f5f8d274d4848adac1c5fcb356322cd5291bd8f571df755dc4eb8d9ba5a85e81ae93d8

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 202KB
  MD5: 322cac8421adb316be900b48efd03981
  SHA1: ac71e8f9a0c2b1d4ef22bf35b5f1c6b71b9b1408
  SHA256: 3b8d770e433579e70d5ae8642db02b552e9431fc2b286a78a712a478065b8bc8
  SHA512: ff8c0d3ec09eb66ee3b7d574c3ca67c0a176ad6db787c3039ffb4be82ef656ea6c0c068b9967007339142dbd615a6ed7b1b2e71ce8999a0edcc3f9a0d7888a00

(path not shown in the report)
  Filesize: 96KB
  MD5: 8c51fd9d6daa7b6137634de19a49452c
  SHA1: db2a11cca434bacad2bf42adeecae38e99cf64f8
  SHA256: 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
  SHA512: b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837