Malware Analysis Report

2025-01-19 07:06

Sample ID 240626-h473eavelq
Target 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118
SHA256 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
Tags
ramnit banker persistence spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6

Threat Level: Known bad

The file 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker persistence spyware stealer trojan upx worm

Modifies WinLogon for persistence

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 07:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 07:18

Reported

2024-06-26 07:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

143s

Command Line

\SystemRoot\System32\smss.exe

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dmlconf.dat C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwgst.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\msvcr100.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\jvm.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpClient.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Defender\MpSvc.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Journal\NBDoc.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Journal\NBMapTIP.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdaprst.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jawt.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\System\DirectDB.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 1812 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 2720 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 2540 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 3052 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3052 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3052 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3052 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3052 wrote to memory of 260 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\smss.exe
PID 3052 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 336 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 388 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\csrss.exe
PID 3052 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3052 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3052 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3052 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3052 wrote to memory of 396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\wininit.exe
PID 3052 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 3052 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 3052 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 3052 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 3052 wrote to memory of 428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\winlogon.exe
PID 3052 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 3052 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 3052 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 3052 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 3052 wrote to memory of 480 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\services.exe
PID 3052 wrote to memory of 496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 3052 wrote to memory of 496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 3052 wrote to memory of 496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 3052 wrote to memory of 496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 3052 wrote to memory of 496 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsass.exe
PID 3052 wrote to memory of 504 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 3052 wrote to memory of 504 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 3052 wrote to memory of 504 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 3052 wrote to memory of 504 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe
PID 3052 wrote to memory of 504 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\lsm.exe

Processes

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
NL 91.220.62.30:443 tcp
US 8.8.8.8:53 rterybrstutnrsbberve.com udp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
IE 34.253.216.9:443 rterybrstutnrsbberve.com tcp
US 8.8.8.8:53 erwbtkidthetcwerc.com udp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
IE 34.253.216.9:443 erwbtkidthetcwerc.com tcp
US 8.8.8.8:53 rvbwtbeitwjeitv.com udp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 204.95.99.221:443 rvbwtbeitwjeitv.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.179.238:80 google.com tcp
GB 142.250.179.238:80 google.com tcp

Files

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 1128a69bef2a54b8c04e4232db4cf045
SHA1 d51dc1c53356399c2cfac0b3398d684015663dd8
SHA256 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
SHA512 46b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108

memory/2540-29-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2540-28-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1812-13-0x0000000000700000-0x00000000007B0000-memory.dmp

memory/1812-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-6-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1812-5-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1812-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-1-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1812-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2540-31-0x00000000774BF000-0x00000000774C0000-memory.dmp

memory/2540-30-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2720-35-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2720-47-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2720-54-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2720-55-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2720-53-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2720-52-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2720-51-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2720-42-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2720-33-0x0000000020010000-0x0000000020022000-memory.dmp

memory/2540-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/3052-62-0x0000000020010000-0x000000002001B000-memory.dmp

memory/2540-71-0x00000000774BF000-0x00000000774C0000-memory.dmp

memory/3052-72-0x0000000020010000-0x000000002001B000-memory.dmp

memory/3052-76-0x0000000020010000-0x000000002001B000-memory.dmp

memory/3052-77-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/3052-81-0x0000000020010000-0x000000002001B000-memory.dmp

memory/3052-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3052-79-0x0000000020010000-0x000000002001B000-memory.dmp

memory/3052-78-0x0000000020010000-0x000000002001B000-memory.dmp

memory/3052-324-0x00000000774C0000-0x00000000774C1000-memory.dmp

memory/2540-551-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2540-554-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2720-775-0x0000000020010000-0x0000000020022000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 58b7dcd5bbb2761eb3efe8882147f83d
SHA1 7d639303163ba87b3667ba7942df18aaa2e90342
SHA256 c1fcc4e9fc1fe356ccc8b6b47bd9dfab72ad6d5f42afc5acf2aa46d6b7534c60
SHA512 0946f3b44fe3838c4deccb0940e78b4207d83c7ca0907570d49921aef86a12f2c6b749209b6876308ca2fedb8fe9d14c6f07b87d1c58cfb59009a7a3b985befb

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 499eaae9fad91a8c2fe3f0eddfdb70e5
SHA1 92dbdd446f89b303281663317f89bcb71b2701d0
SHA256 e313bf2d56dd44b44fe5c4ba34fa4b949473ebba55f02d7d0bec2958a2427b27
SHA512 a015f50d91182e5f49af36bc38129b7381ea0acddfa6aa203875f5cd1137e43264d217f20015b9fdfb21bb25efe62a67364eaacbd635acfd5f168656a3058a0d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 07:18

Reported

2024-06-26 07:21

Platform

win10v2004-20240508-en

Max time kernel

81s

Max time network

91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px41AC.tmp C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E51C2EE-338C-11EF-BA70-F2AC8AF4D319} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425548196" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E4F60CB-338C-11EF-BA70-F2AC8AF4D319} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\WaterMark.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\WaterMark.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Windows\SysWOW64\svchost.exe
PID 764 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 764 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 764 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 764 wrote to memory of 1252 N/A C:\Program Files (x86)\Microsoft\WaterMark.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1252 wrote to memory of 4936 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 4936 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 4936 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4900 wrote to memory of 548 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4900 wrote to memory of 548 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4900 wrote to memory of 548 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\WaterMark.exe

"C:\Program Files (x86)\Microsoft\WaterMark.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 204

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4900 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

memory/2196-0-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2196-1-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2196-4-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-5-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-7-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-6-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-2-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-8-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2196-9-0x00000000028D0000-0x00000000028D1000-memory.dmp

C:\Program Files (x86)\Microsoft\WaterMark.exe

MD5 1128a69bef2a54b8c04e4232db4cf045
SHA1 d51dc1c53356399c2cfac0b3398d684015663dd8
SHA256 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
SHA512 46b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108

memory/764-22-0x0000000000400000-0x0000000000421000-memory.dmp

memory/764-23-0x0000000000400000-0x0000000000421000-memory.dmp

memory/764-27-0x0000000000400000-0x0000000000421000-memory.dmp

memory/764-26-0x00000000777E2000-0x00000000777E3000-memory.dmp

memory/2964-28-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/2964-29-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/764-24-0x0000000000470000-0x0000000000471000-memory.dmp

memory/764-31-0x00000000777E2000-0x00000000777E3000-memory.dmp

memory/764-30-0x0000000000070000-0x0000000000071000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E4F60CB-338C-11EF-BA70-F2AC8AF4D319}.dat

MD5 b471e17a33ea3e6f2589e1a1ee2dd927
SHA1 8492a8375ea662ddaffa964c2cdce5cc6f65dd87
SHA256 9bd830ee1b3c7060ee716ed18183df3b36338022066dbd58aa9f6fac76af6bbd
SHA512 398a31f14649f952d4cf688d52030fe2409e69bae583330a02225cf5f76b66012ca9b54dbf075bfa040ab6bc724f0e1ca0cc47d7acfe86694bf71b00874d0828

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E51C2EE-338C-11EF-BA70-F2AC8AF4D319}.dat

MD5 812924d45332ef34cd141728d613c88f
SHA1 1bce12bc403e2c824e4f74369749d6fe87f23453
SHA256 ff284d20537d834ce1c05206e1d034d02f40b80b33d58b2129ae6a35467f7a26
SHA512 507e4d1fa806397f1d76b5ca0df9975526a99615e634c2042586c2e3ee7b8855b41d0ffc8bd0c97def245705a99da56b55c3d4d1f9fde28d9590b8147b45f2af

memory/764-34-0x0000000000400000-0x0000000000421000-memory.dmp

memory/764-35-0x0000000000400000-0x0000000000421000-memory.dmp