Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 22:04
Static task
static1
Behavioral task
behavioral1
Sample
0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll
-
Size
193KB
-
MD5
0fb1a7240eab9efc434ea194f24d88cc
-
SHA1
bc809cbeaf20d4374dda28de7e1a2c855efcc677
-
SHA256
37d2b2f53c521f82a286a0df2267452cba0f7432998e0876ceaf2cf6998459ea
-
SHA512
3d7d4ad25106133617739b2584da3894d12c1a1763b8c6feea759bb23889e4bcc77febd0c2a921dd6c5f0bc680d35a1a4d4e0bc94e181862c5670ac5dedd30aa
-
SSDEEP
3072:x73MITL/9oSmkbx3ZtffjBTnIwanLMw5H45ACgR3MWr:9dTpountf75Iwkj5HwAv3r
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2212 regsvr32mgr.exe 2680 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2192 regsvr32.exe 2192 regsvr32.exe 2212 regsvr32mgr.exe 2212 regsvr32mgr.exe -
resource yara_rule behavioral1/memory/2212-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2212-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2680-41-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2680-40-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2680-566-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\WMPDMCCore.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jsdt.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\kcms.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\lgpllibs.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\ipcclientcerts.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\fontmanager.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\notificationserver.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL svchost.exe -
Modifies registry class 45 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\MenuText = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll,-101" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "&Windows Media Player" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll,-101" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "&Windows Media Player" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "&Windows Media Player" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2680 WaterMark.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe 2484 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2680 WaterMark.exe Token: SeDebugPrivilege 2484 svchost.exe Token: SeDebugPrivilege 2680 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2212 regsvr32mgr.exe 2680 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 1176 wrote to memory of 2192 1176 regsvr32.exe 28 PID 2192 wrote to memory of 2212 2192 regsvr32.exe 29 PID 2192 wrote to memory of 2212 2192 regsvr32.exe 29 PID 2192 wrote to memory of 2212 2192 regsvr32.exe 29 PID 2192 wrote to memory of 2212 2192 regsvr32.exe 29 PID 2212 wrote to memory of 2680 2212 regsvr32mgr.exe 30 PID 2212 wrote to memory of 2680 2212 regsvr32mgr.exe 30 PID 2212 wrote to memory of 2680 2212 regsvr32mgr.exe 30 PID 2212 wrote to memory of 2680 2212 regsvr32mgr.exe 30 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2656 2680 WaterMark.exe 31 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2680 wrote to memory of 2484 2680 WaterMark.exe 32 PID 2484 wrote to memory of 256 2484 svchost.exe 1 PID 2484 wrote to memory of 256 2484 svchost.exe 1 PID 2484 wrote to memory of 256 2484 svchost.exe 1 PID 2484 wrote to memory of 256 2484 svchost.exe 1 PID 2484 wrote to memory of 256 2484 svchost.exe 1 PID 2484 wrote to memory of 336 2484 svchost.exe 2 PID 2484 wrote to memory of 336 2484 svchost.exe 2 PID 2484 wrote to memory of 336 2484 svchost.exe 2 PID 2484 wrote to memory of 336 2484 svchost.exe 2 PID 2484 wrote to memory of 336 2484 svchost.exe 2 PID 2484 wrote to memory of 384 2484 svchost.exe 3 PID 2484 wrote to memory of 384 2484 svchost.exe 3 PID 2484 wrote to memory of 384 2484 svchost.exe 3 PID 2484 wrote to memory of 384 2484 svchost.exe 3 PID 2484 wrote to memory of 384 2484 svchost.exe 3 PID 2484 wrote to memory of 396 2484 svchost.exe 4 PID 2484 wrote to memory of 396 2484 svchost.exe 4 PID 2484 wrote to memory of 396 2484 svchost.exe 4 PID 2484 wrote to memory of 396 2484 svchost.exe 4 PID 2484 wrote to memory of 396 2484 svchost.exe 4 PID 2484 wrote to memory of 432 2484 svchost.exe 5 PID 2484 wrote to memory of 432 2484 svchost.exe 5 PID 2484 wrote to memory of 432 2484 svchost.exe 5 PID 2484 wrote to memory of 432 2484 svchost.exe 5 PID 2484 wrote to memory of 432 2484 svchost.exe 5 PID 2484 wrote to memory of 476 2484 svchost.exe 6 PID 2484 wrote to memory of 476 2484 svchost.exe 6 PID 2484 wrote to memory of 476 2484 svchost.exe 6 PID 2484 wrote to memory of 476 2484 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2040
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:2996
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:752
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:804
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1292
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:832
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2988
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:268
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:904
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:324
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1224
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2152
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2416
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1336
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll2⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\0fb1a7240eab9efc434ea194f24d88cc_JaffaCakes118.dll3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2656
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize206KB
MD54a88ee35b6866a35fc08f64043fd0485
SHA1d5b580a1c8e0c95ee677c6bff565cfe938c25e12
SHA2562bb2bb23b2690f3e11457119f6ffdbcc20474120841c14db2a94a0e0435bf99d
SHA512aa1a613b3e30cdd3c537654407a900863fcb31574e92b247f9f6103a68a8ecb50af5d73c4a55b1b5d4f40fd415504cfc7991523f58f265abce550cc6d719dc09
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize202KB
MD5eb2159e96f62deb8a0097b4176986901
SHA1f3a3c273119f9f1007026597293cee3c77f3b687
SHA25618a5c6504ab2c8c9be70a679d1e827a39b9aa62457b55391c71ad9045c00dccb
SHA512a9da28ed874505f1b9c181bd0cd60e43fa4ff46c0bb763353fd445d5e0e4d572fe0437b0a9e36b56307a828c03f288c96f28e5339bb1a38bfb4e4f5f4a40ad4b
-
Filesize
96KB
MD58c51fd9d6daa7b6137634de19a49452c
SHA1db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837