Malware Analysis Report

2025-01-19 07:07

Sample ID 240626-ak8ktsseqc
Target 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118
SHA256 b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf

Threat Level: Known bad

The file 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 00:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 00:17

Reported

2024-06-26 00:20

Platform

win7-20240419-en

Max time kernel

150s

Max time network

148s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozavutil.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jfxwebkit.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jawt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java_crw_demo.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nssckbi.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\ucrtbase.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_avi_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2440 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2712 wrote to memory of 2540 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2540 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2540 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2540 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2540 wrote to memory of 256 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 2540 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 332 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2540 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2540 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2540 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2540 wrote to memory of 384 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 2540 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 392 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 2540 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2540 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2540 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2540 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2540 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 2540 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2540 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2540 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2540 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2540 wrote to memory of 476 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 2540 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2540 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2540 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2540 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2540 wrote to memory of 492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 2540 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2540 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2540 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2540 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 2540 wrote to memory of 500 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
GB 142.250.179.238:80 google.com tcp

Files

memory/2440-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2440-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2440-6-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2440-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2440-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2440-4-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2440-8-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 100f36a7d29d60a09c7a517a9611bb10
SHA1 bff8809dba549f5843d2abf080afe6382e5eff7d
SHA256 b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
SHA512 d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c

memory/2712-23-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2440-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2440-1-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2712-27-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2712-28-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2712-30-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2712-31-0x0000000077E3F000-0x0000000077E40000-memory.dmp

memory/1416-33-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1416-35-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1416-42-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1416-47-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1416-49-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1416-48-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1416-46-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1416-51-0x0000000020010000-0x0000000020022000-memory.dmp

memory/1416-56-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2712-60-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2540-62-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-76-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-72-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2712-71-0x0000000077E3F000-0x0000000077E40000-memory.dmp

memory/2540-77-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2540-78-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-79-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-81-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-80-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2540-82-0x0000000077E40000-0x0000000077E41000-memory.dmp

memory/2712-533-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2712-536-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1416-757-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 55cfc58d18a6166f8f1c141903b32656
SHA1 246640bf0650c0a6b6d174980d02a6514e4d034f
SHA256 75bcc61065230cbaa369a20371240e933923eafaeb391d8cfa10b29fcd7fa5a6
SHA512 b40f01fefc4e1bc6c579f869312ea5813a07f341057df38796f1a5e37215c0be8ec67aeca80f748c3ffd7dc76bfa59f15538cecd78ffc3b22e8efc28fa4cd6ee

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 56ffcef1fe4f30d61c7ab0aad61eabf4
SHA1 3575efe1f68f26c4030e62778ca9f3d11f521cf1
SHA256 3647fed7d3fcdbeec01c28b4382157e7375835c3658e7ae622d3a0da65834131
SHA512 12eba173ddc8357e3b5b423d2912f77f0f619d2842c1e833a76e0c16099c67890fda30b03d64b450275e5ac3fa5531459b438472dc816d843fc6efc803009e4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 00:17

Reported

2024-06-26 00:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px465F.tmp C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795FE5E9-3351-11EF-BCA5-56103091DE06} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425522928" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795D8455-3351-11EF-BCA5-56103091DE06} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3128 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3128 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 972 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3608 wrote to memory of 4624 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3608 wrote to memory of 4624 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3608 wrote to memory of 4808 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3608 wrote to memory of 4808 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4624 wrote to memory of 2112 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4624 wrote to memory of 2112 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4624 wrote to memory of 2112 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4808 wrote to memory of 1420 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4808 wrote to memory of 1420 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4808 wrote to memory of 1420 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 972 -ip 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4808 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/3128-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3128-1-0x0000000000401000-0x0000000000402000-memory.dmp

memory/3128-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3128-4-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3128-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3128-7-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 100f36a7d29d60a09c7a517a9611bb10
SHA1 bff8809dba549f5843d2abf080afe6382e5eff7d
SHA256 b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
SHA512 d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c

memory/3128-11-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/3608-26-0x0000000077572000-0x0000000077573000-memory.dmp

memory/3608-25-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3608-30-0x0000000000400000-0x0000000000421000-memory.dmp

memory/972-29-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/972-28-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/3608-24-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3608-23-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3608-22-0x0000000000430000-0x0000000000431000-memory.dmp

memory/3128-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3128-5-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3128-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3608-31-0x0000000000070000-0x0000000000071000-memory.dmp

memory/3608-32-0x0000000077572000-0x0000000077573000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{795D8455-3351-11EF-BCA5-56103091DE06}.dat

MD5 9becd12ab477ae2987a6426397f09380
SHA1 aa899889d66fdde6bac8ab45ad0c2c34ccea8b3d
SHA256 ad056ff06825728b1aad8ba18b0bda8301f92ce1d5d0b0d09d6e37e660eb0c1e
SHA512 a3b156e5a31809d787b6ea98645f0dcc93af94863f053d687a28162169451ad1af0a6d7642ed8472519232fb193da1d50189439239989f8f772e8c7a743d3691

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{795FE5E9-3351-11EF-BCA5-56103091DE06}.dat

MD5 269a27d080c734bdacc30835a7dee18a
SHA1 cfa614f59b8061a1148368f5971096a7c1dae86f
SHA256 d5e3f0d64094980acf1dc6d52a2e11e108bb412c55da8b1979be683fa1ebcb6f
SHA512 d5f877c434da051333c62da715fe4c6e30f50c2b544482ff4ccf9d549b67824f22b281264bac3952f0d4322b865b5df04fc76a8f0a7db5c5420b061378ef8189

memory/3608-35-0x0000000000400000-0x0000000000421000-memory.dmp