Malware Analysis Report

2025-01-19 07:07

Sample ID 240625-3mw9sstbmj
Target 0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118
SHA256 30a595af4395567d2b78f969b94e183a1a989f470aa373b8ac96320933e7df6a
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30a595af4395567d2b78f969b94e183a1a989f470aa373b8ac96320933e7df6a

Threat Level: Known bad

The file 0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Ramnit

Modifies WinLogon for persistence

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:38

Reported

2024-06-25 23:40

Platform

win7-20240221-en

Max time kernel

150s

Max time network

143s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Journal\MSPVWCTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcf.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\VISSHE.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jfxwebkit.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\currency.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1260 wrote to memory of 1168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1260 wrote to memory of 1168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1260 wrote to memory of 1168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1260 wrote to memory of 1168 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 1168 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1168 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1168 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1168 wrote to memory of 2604 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 wrote to memory of 556 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 556 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 556 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 556 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 556 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 556 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 556 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 556 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 556 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 556 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 556 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 556 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 400 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 556 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 556 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 556 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 556 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 556 wrote to memory of 436 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 556 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 556 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 556 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 556 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
GB 142.250.179.238:80 google.com tcp
GB 142.250.179.238:80 google.com tcp

Files

\Windows\SysWOW64\rundll32mgr.exe

MD5 9d5d609dc8e2554054733d19eed45c5c
SHA1 ce72453fca9f477940a9def32bd8463549c6e1e4
SHA256 7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1
SHA512 012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

memory/1260-1-0x0000000010000000-0x0000000010026000-memory.dmp

memory/1260-3-0x0000000000110000-0x0000000000139000-memory.dmp

memory/1260-10-0x0000000000110000-0x0000000000139000-memory.dmp

memory/1168-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1168-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-21-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1168-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-29-0x00000000001A0000-0x00000000001C9000-memory.dmp

memory/1168-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1168-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2604-42-0x00000000776BF000-0x00000000776C0000-memory.dmp

memory/2604-41-0x0000000000050000-0x0000000000051000-memory.dmp

memory/2604-40-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2084-46-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2084-44-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2084-55-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2084-54-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2084-56-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2084-66-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2084-61-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2084-69-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2084-68-0x00000000000D0000-0x00000000000D1000-memory.dmp

memory/2604-72-0x0000000000060000-0x0000000000061000-memory.dmp

memory/556-74-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2604-83-0x00000000776BF000-0x00000000776C0000-memory.dmp

memory/556-88-0x0000000020010000-0x000000002001B000-memory.dmp

memory/556-84-0x0000000020010000-0x000000002001B000-memory.dmp

memory/556-89-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/556-90-0x0000000020010000-0x000000002001B000-memory.dmp

memory/556-92-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/556-93-0x0000000020010000-0x000000002001B000-memory.dmp

memory/556-91-0x0000000020010000-0x000000002001B000-memory.dmp

memory/556-94-0x00000000776C0000-0x00000000776C1000-memory.dmp

memory/2604-559-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2604-562-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2084-1003-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 a43602413708f34ded639b669ddd2efc
SHA1 e330b2d0a1d424b9cd87148d41f18267e166db2e
SHA256 62fb77bcdf7d157a5ec048fcd40c6615d8da08ab21317bc03f75129bd94bc5f0
SHA512 d57d917ec97743f5dede9fb2ab2b0da17152bbc0bbf96d673b1a74eed8b8ffd5654162522228ea27c7e06b25490172764fdbf6566375f9ea74fa12ba09bf99aa

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 5b325baa2cc23ab6cea275b24c801bff
SHA1 b88141d440570b54db5090da580fe4c604f04416
SHA256 6d01b2ec9e3981cf72e90a62e1d3e0569d04c2a9e081cfd0317104bb09f5bf3b
SHA512 d72d72468043034bd8324db3f2cba91fffed1afd4dfec1813a33d8ecfcb6e3c511fa820f277f64687d6fb5edd3b39dfee755238ad3e476b9e1d5e16f9a53e40d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:38

Reported

2024-06-25 23:40

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rundll32mgr.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px43DF.tmp C:\Windows\SysWOW64\rundll32mgr.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\rundll32mgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520589" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{07464806-334C-11EF-BCA5-DAA7D34B912A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0748AA69-334C-11EF-BCA5-DAA7D34B912A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3160 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3160 wrote to memory of 4604 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4604 wrote to memory of 4528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4604 wrote to memory of 4528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4604 wrote to memory of 4528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32mgr.exe
PID 4528 wrote to memory of 1180 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4528 wrote to memory of 1180 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 4528 wrote to memory of 1180 N/A C:\Windows\SysWOW64\rundll32mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 460 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1180 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 1532 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1180 wrote to memory of 1532 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1532 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4496 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4496 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4496 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff33c146ff7c55fb3b95f35c0f3f265_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Windows\SysWOW64\rundll32mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/4604-0-0x0000000010000000-0x0000000010026000-memory.dmp

C:\Windows\SysWOW64\rundll32mgr.exe

MD5 9d5d609dc8e2554054733d19eed45c5c
SHA1 ce72453fca9f477940a9def32bd8463549c6e1e4
SHA256 7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1
SHA512 012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

memory/4528-4-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4528-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-22-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/1180-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/460-32-0x0000000000450000-0x0000000000451000-memory.dmp

memory/460-31-0x0000000000470000-0x0000000000471000-memory.dmp

memory/1180-30-0x0000000077162000-0x0000000077163000-memory.dmp

memory/1180-29-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1180-27-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1180-26-0x0000000000890000-0x0000000000891000-memory.dmp

memory/4528-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4528-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1180-33-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1180-34-0x0000000077162000-0x0000000077163000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{07464806-334C-11EF-BCA5-DAA7D34B912A}.dat

MD5 9d93af859b454b6b9234f1fbf1a4849d
SHA1 740c031341b17638d49daa1875b5042e2226dca0
SHA256 38e7c11e7e662903a7a7aa347bb9b839f4b7f3c326baa61fb4af28bb29fca427
SHA512 0cbbdead52d026302a6856ba17c569d993c63cff3f90b63d694ed3d19fddecb847e5d298b8cb2f89ce8dbab85eece5c9c61ae572fab8e7969e104597647f1249

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0748AA69-334C-11EF-BCA5-DAA7D34B912A}.dat

MD5 cb9fd615434666aa98ad3afa272687af
SHA1 fe8a1407065b3de36e093d81a9c5719c1acd4e22
SHA256 4f25550fea9bbe5a9bb5e8ada680ddd2543dd361618357eeb812e2c60b30dd54
SHA512 9347251fd037e5e51d6e4b4607dd7d16c542af1545f2ac7512b6932e577b312402841833201e5641deac7839b0dcaa81d3369da3d9dd4fcdbf3d82fd336a34c4

memory/1180-37-0x0000000000400000-0x0000000000421000-memory.dmp