Malware Analysis Report

2025-01-19 07:06

Sample ID 240625-2y2szsyfqc
Target 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118
SHA256 15b77509dd9a565a94678c590ff9c451df621f8f7ca4ec36534f010c49849665
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15b77509dd9a565a94678c590ff9c451df621f8f7ca4ec36534f010c49849665

Threat Level: Known bad

The file 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:00

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:00

Reported

2024-06-25 23:02

Platform

win7-20240419-en

Max time kernel

150s

Max time network

145s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\More Games\MoreGames.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\deploy.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jdwp.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado15.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\lgpllibs.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpnr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcf.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\DiagnosticsTap.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdasql.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\nio.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Journal\NBDoc.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabimp.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\hprof.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
PID 3048 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2708 wrote to memory of 2728 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2708 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2568 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2568 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2568 wrote to memory of 380 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2568 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2568 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2568 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2568 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2568 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp

Files

\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

MD5 8c51fd9d6daa7b6137634de19a49452c
SHA1 db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512 b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 7c6cd54465d84e3f366d564860802209
SHA1 0ff9657d25a4ece30a9931b76ff1717d5be04336
SHA256 6c784bb99d9f9e1b7a395d13e50da6cf1ebe5494eda53d397c9ec335ad23e03b
SHA512 605beb905a726e0303553dbb164c026ad5d1de65f5b17adaada67d15c9d894e8a1234e08039f2f5384f045ab06d7f62b9c1653c8da3b0a2b101fae8a4144fa38

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 52bcd1ac1a6e6b1db552801525b76132
SHA1 0660d9792c617df6bb6642fa23c894216198216e
SHA256 383ae2710e49239a15c4b3712e011288b16e014c5af0e0551f672e20514a5089
SHA512 55e574eaa733999794e6af842689b6ae8417c639e94c1b02a071ff5938c3b9cce9015c64f7eeb92589558b8830871689e10c314d29a7c8d0d1fd9af542cfffb3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:00

Reported

2024-06-25 23:02

Platform

win10v2004-20240508-en

Max time kernel

81s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px4FC6.tmp C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3922B52-3346-11EF-BCA5-6E6D447F5FDC} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425518301" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3948DFE-3346-11EF-BCA5-6E6D447F5FDC} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
PID 756 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
PID 756 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
PID 1184 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1184 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1184 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3812 wrote to memory of 4968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3812 wrote to memory of 4968 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3812 wrote to memory of 1524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3812 wrote to memory of 1524 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1524 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1524 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1524 wrote to memory of 1840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4968 wrote to memory of 1392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4968 wrote to memory of 1392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4968 wrote to memory of 1392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4968 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/756-0-0x0000000000C40000-0x0000000000C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe

MD5 8c51fd9d6daa7b6137634de19a49452c
SHA1 db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512 b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837

memory/756-4-0x0000000000C40000-0x0000000000C6C000-memory.dmp

memory/1184-5-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1184-7-0x0000000000401000-0x0000000000402000-memory.dmp

memory/1184-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1184-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3812-31-0x00000000775A2000-0x00000000775A3000-memory.dmp

memory/3812-30-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3812-29-0x0000000000430000-0x0000000000431000-memory.dmp

memory/3812-25-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4092-34-0x0000000000640000-0x0000000000641000-memory.dmp

memory/4092-33-0x0000000000660000-0x0000000000661000-memory.dmp

memory/1184-24-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/3812-35-0x0000000000070000-0x0000000000071000-memory.dmp

memory/3812-36-0x00000000775A2000-0x00000000775A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3922B52-3346-11EF-BCA5-6E6D447F5FDC}.dat

MD5 f894a8c35e9d0c0457edb2c3b790914a
SHA1 5cbbf02e1ade749336b572a9bc9411008393fed9
SHA256 c9cd1e6ee66b51661710d93b6cef3b496e681c1f1fa8e28139ef6dd9d18301c8
SHA512 a4349da65b233b3e116915e2d694df212d3ebd3a6ce0c75059fbe702b2a990ff4ec6b74bffc88160ba7b2a4d187506641fc7f8bf517f65a63c28d370fdba9e9c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3948DFE-3346-11EF-BCA5-6E6D447F5FDC}.dat

MD5 d74778961790dcad4b1b08bcd92d8c04
SHA1 46d2c52a6f465ed1ae7c95207776462d9ca76006
SHA256 8adcaa8253624a3f24f9d7c585ac3a4297f3399bdce9280c2b8ffeb5ad68046b
SHA512 7e5a3ddb12074c4c14894b0c12e11f3ea8e5c76d4ccfbb8126e1cbb55d6707c9b742f39fcce1b150bb818699599161246d4355d080e245b3eaa155a0d2657dd6

memory/3812-40-0x0000000000400000-0x0000000000421000-memory.dmp