Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll
-
Size
193KB
-
MD5
0f8cce0109033862ed107f468eb73d52
-
SHA1
f48e3a4d8186c078efbcebbba2e8250c822220ec
-
SHA256
8fe2520c274ec8bfbf683f60d5396895697b3ac359e7bc28c6002126cb7c1f0a
-
SHA512
86723ceecd6ef1bf31756187e1027e139a597fa401f646a941443b9a909baef11340809ce86c868eba3731f166c80eb40a0ffea85dfde4464b67ee123ffae54c
-
SSDEEP
3072:B73MITL/9oSmkbx3ZtffjBTnIwanLMb6fewiVWFZWm7TR1uNZJ:tdTpountf75IwkjfGWyK83
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 1644 regsvr32mgr.exe 2656 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2400 regsvr32.exe 2400 regsvr32.exe 1644 regsvr32mgr.exe 1644 regsvr32mgr.exe -
resource yara_rule behavioral1/memory/1644-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1644-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2656-39-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2656-564-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\Welcome.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\IEShims.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dt_socket.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\mlib_image.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\perf_nt.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\npt.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\softokn3.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JdbcOdbc.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html svchost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCore.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msado15.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll svchost.exe -
Modifies registry class 45 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll,-101" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\MenuText = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll,-101" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "&Windows Media Player" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "&Windows Media Player" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "&Windows Media Player" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 2656 WaterMark.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe 1964 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2656 WaterMark.exe Token: SeDebugPrivilege 1964 svchost.exe Token: SeDebugPrivilege 2656 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1644 regsvr32mgr.exe 2656 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2000 wrote to memory of 2400 2000 regsvr32.exe 28 PID 2400 wrote to memory of 1644 2400 regsvr32.exe 29 PID 2400 wrote to memory of 1644 2400 regsvr32.exe 29 PID 2400 wrote to memory of 1644 2400 regsvr32.exe 29 PID 2400 wrote to memory of 1644 2400 regsvr32.exe 29 PID 1644 wrote to memory of 2656 1644 regsvr32mgr.exe 30 PID 1644 wrote to memory of 2656 1644 regsvr32mgr.exe 30 PID 1644 wrote to memory of 2656 1644 regsvr32mgr.exe 30 PID 1644 wrote to memory of 2656 1644 regsvr32mgr.exe 30 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 2696 2656 WaterMark.exe 31 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 2656 wrote to memory of 1964 2656 WaterMark.exe 32 PID 1964 wrote to memory of 256 1964 svchost.exe 1 PID 1964 wrote to memory of 256 1964 svchost.exe 1 PID 1964 wrote to memory of 256 1964 svchost.exe 1 PID 1964 wrote to memory of 256 1964 svchost.exe 1 PID 1964 wrote to memory of 256 1964 svchost.exe 1 PID 1964 wrote to memory of 332 1964 svchost.exe 2 PID 1964 wrote to memory of 332 1964 svchost.exe 2 PID 1964 wrote to memory of 332 1964 svchost.exe 2 PID 1964 wrote to memory of 332 1964 svchost.exe 2 PID 1964 wrote to memory of 332 1964 svchost.exe 2 PID 1964 wrote to memory of 368 1964 svchost.exe 3 PID 1964 wrote to memory of 368 1964 svchost.exe 3 PID 1964 wrote to memory of 368 1964 svchost.exe 3 PID 1964 wrote to memory of 368 1964 svchost.exe 3 PID 1964 wrote to memory of 368 1964 svchost.exe 3 PID 1964 wrote to memory of 384 1964 svchost.exe 4 PID 1964 wrote to memory of 384 1964 svchost.exe 4 PID 1964 wrote to memory of 384 1964 svchost.exe 4 PID 1964 wrote to memory of 384 1964 svchost.exe 4 PID 1964 wrote to memory of 384 1964 svchost.exe 4 PID 1964 wrote to memory of 420 1964 svchost.exe 5 PID 1964 wrote to memory of 420 1964 svchost.exe 5 PID 1964 wrote to memory of 420 1964 svchost.exe 5 PID 1964 wrote to memory of 420 1964 svchost.exe 5 PID 1964 wrote to memory of 420 1964 svchost.exe 5 PID 1964 wrote to memory of 464 1964 svchost.exe 6 PID 1964 wrote to memory of 464 1964 svchost.exe 6 PID 1964 wrote to memory of 464 1964 svchost.exe 6 PID 1964 wrote to memory of 464 1964 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:368
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2160
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:2744
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:676
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:760
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:808
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1236
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:844
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2424
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:992
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:292
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:284
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1040
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1128
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2308
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:1356
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:480
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:488
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:384
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:420
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1284
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\0f8cce0109033862ed107f468eb73d52_JaffaCakes118.dll3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2696
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize206KB
MD5b28900d6081d01c727dc874c27ddae4b
SHA1de26dea9e0b90c54fa0760802f83d606626bc5be
SHA256941741934d069bd471d97e362e15a4a1b58cf1ae61b031d7fdfaa0f335fd36b8
SHA512f7e6042feb5fbdbfffda6f46cfb078b99b3f1fdd3161353b0a03168e87d8462c3e6d7a3f04d3e28ffd65a2bfb2e28c04b13c09441e00587ba4b5ba31406815ec
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize202KB
MD519f9fa1db048e847cc12d9745ae52287
SHA18a01f13eaf0bcb2662977f3301744b5d4a4d4515
SHA256a5245d727279850ae1868815d13ee6e74a8f09ca7532afa2935a1bec84d00846
SHA5121b5d0a4c75bf5a5a351477ffa870d435fc7d5ad57a0977d3c7107eaf6438085adde501842fa6f57de2e14635ffedf4e91e07c301b7baaf0550684721a1be6220
-
Filesize
96KB
MD58c51fd9d6daa7b6137634de19a49452c
SHA1db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837