Malware Analysis Report

2025-01-19 07:07

Sample ID 240626-dwrm8svcrp
Target 108e9934b04e62f29361fa23c57023a2_JaffaCakes118
SHA256 8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7
Tags
aspackv2 persistence ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7

Threat Level: Known bad

The file 108e9934b04e62f29361fa23c57023a2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 03:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 03:21

Reported

2024-06-26 03:24

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mgking.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mgking.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mgking0.dll C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mgking0.dll C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1932 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1932 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1932 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1996 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Windows\SysWOW64\WerFault.exe
PID 1996 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Windows\SysWOW64\WerFault.exe
PID 1932 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 100

Network

N/A

Files

memory/1932-1-0x0000000000400000-0x000000000049E000-memory.dmp

\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

MD5 94f2f6ffbba8e7644668b51b39983916
SHA1 63357bbdf90101969117983dbc0d4ed0e713c4d7
SHA256 ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
SHA512 d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

memory/1932-19-0x0000000000401000-0x0000000000402000-memory.dmp

memory/1064-21-0x00000000024E0000-0x00000000024E1000-memory.dmp

\Windows\SysWOW64\mgking0.dll

MD5 21c8f7083a59c407226363950804c4f8
SHA1 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524
SHA256 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5
SHA512 eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8

memory/1932-24-0x0000000010000000-0x0000000010084000-memory.dmp

memory/1932-25-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1932-27-0x0000000010000000-0x0000000010084000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 03:21

Reported

2024-06-26 03:24

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

90s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mgking.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mgking.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mgking0.dll C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\mgking0.dll C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px43EE.tmp C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425533991" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C07A3B1-336B-11EF-BA70-66D3FDB32ECD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1368 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1368 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
PID 1028 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1028 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1028 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1012 wrote to memory of 4176 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 1368 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1012 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1012 wrote to memory of 4580 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1012 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1012 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4580 wrote to memory of 2224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4580 wrote to memory of 2224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4580 wrote to memory of 2224 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 516

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/1368-1-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe

MD5 94f2f6ffbba8e7644668b51b39983916
SHA1 63357bbdf90101969117983dbc0d4ed0e713c4d7
SHA256 ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
SHA512 d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

memory/1028-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1012-25-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/1028-17-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/4176-31-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/4176-30-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/1012-28-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1012-29-0x0000000077BB2000-0x0000000077BB3000-memory.dmp

memory/1028-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1028-5-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Windows\SysWOW64\mgking0.dll

MD5 21c8f7083a59c407226363950804c4f8
SHA1 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524
SHA256 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5
SHA512 eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8

memory/1368-39-0x0000000010000000-0x0000000010084000-memory.dmp

memory/1368-40-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1368-41-0x0000000010000000-0x0000000010084000-memory.dmp

memory/1012-43-0x0000000077BB2000-0x0000000077BB3000-memory.dmp

memory/1012-42-0x0000000000070000-0x0000000000071000-memory.dmp

memory/1012-44-0x0000000000400000-0x0000000000421000-memory.dmp