ramnit | 6a338f0e939989e73e964f2a8817d5e757b2b790ecd00f7b918fa3fe81ea77bb

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
Size

219KB
MD5

22fb1e950351d9f82c635d4a57ca47e6
SHA1

895c909a49673cace18ae8ba4b7ac9f4fbf5fae9
SHA256

6a338f0e939989e73e964f2a8817d5e757b2b790ecd00f7b918fa3fe81ea77bb
SHA512

754c3ef5c76c79cebcb681c90965ab9368018e523bae540af4f2b38c719f898b2a036f40ca21c6ccf3eb257abcb602e2ac6867f8cb61624a16852879d4a2fa0e
SSDEEP

3072:EAxPVBcJj5dTEpyP65+2WojHSoqA7geAdzMVZ0rHBUSBWLuXHlvQYG4ncU:EAP2JjIpPpbmS0WLuX144cU

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
2692	WaterMark.exe
2784	cetrdeje.exe
2900	cetrdeje.exe

Loads dropped DLL 7 IoCs

pid	Process
1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
2784	cetrdeje.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1028-18-0x0000000000400000-0x0000000000421F7C-memory.dmp	upx
behavioral1/memory/1028-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1028-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-43-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-42-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1752-67-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/1752-79-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/files/0x00360000000141bb-83.dat	upx
behavioral1/memory/2784-92-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2784-105-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral1/memory/2692-416-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2692-639-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdeje.exe"	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdeje.exe"	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 2784 set thread context of 2900	2784	cetrdeje.exe	33

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\libvlc.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpnr.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
2692	WaterMark.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe
864	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	WaterMark.exe
Token: SeDebugPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2692	WaterMark.exe
Token: SeDebugPrivilege	2900	cetrdeje.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
2784	cetrdeje.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
2692	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1028	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	28
PID 1752 wrote to memory of 1028	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	28
PID 1752 wrote to memory of 1028	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	28
PID 1752 wrote to memory of 1028	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2692	1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe	29
PID 1028 wrote to memory of 2692	1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe	29
PID 1028 wrote to memory of 2692	1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe	29
PID 1028 wrote to memory of 2692	1028	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe	29
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 2692 wrote to memory of 2652	2692	WaterMark.exe	30
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 1752 wrote to memory of 2656	1752	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2784	2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2784	2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2784	2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	32
PID 2656 wrote to memory of 2784	2656	22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2784 wrote to memory of 2900	2784	cetrdeje.exe	33
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 2692 wrote to memory of 864	2692	WaterMark.exe	34
PID 864 wrote to memory of 256	864	svchost.exe	1
PID 864 wrote to memory of 256	864	svchost.exe	1
PID 864 wrote to memory of 256	864	svchost.exe	1
PID 864 wrote to memory of 256	864	svchost.exe	1
PID 864 wrote to memory of 256	864	svchost.exe	1
PID 864 wrote to memory of 336	864	svchost.exe	2
PID 864 wrote to memory of 336	864	svchost.exe	2
PID 864 wrote to memory of 336	864	svchost.exe	2
PID 864 wrote to memory of 336	864	svchost.exe	2
PID 864 wrote to memory of 336	864	svchost.exe	2
PID 864 wrote to memory of 384	864	svchost.exe	3
PID 864 wrote to memory of 384	864	svchost.exe	3
PID 864 wrote to memory of 384	864	svchost.exe	3
PID 864 wrote to memory of 384	864	svchost.exe	3

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1760
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2552
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:692
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:868
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2828
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:924
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1084
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2100
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2376
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
    C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2652
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
- - C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe
      "C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
205KB

MD5
665af705712aa6369b9d18527031edef

SHA1
e21d0666231127fa0cd7e8838eef3edecedc99e3

SHA256
698ecdd71e3443a8883d6c5d5bbc10632290d45c266cacec305d3563e331cdc2

SHA512
59c1f942e149be0f6a9185a9093f39e1fef714599ea93637c9a90365cc7d6351b3cd9be1a6efcf6a8d7a634f84f2513e3d7926c8cd377521bcce23a4fe9e46ae

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
201KB

MD5
25face2aaccbfed000d0b5ab09ae5c6a

SHA1
061547d48c354f6abf33fd107b467799862ff600

SHA256
59fbf47a28ad6ed1f5de53c11d2b54701bd0d6fbcdefc504462fa9273e620f99

SHA512
07bbb452c3a7a09b45ed4c0936ed67bb06efcdf2e6a7fe73fe519ff0dcad0a4d479f2a0e8e271e3be28396ad22a5e69bd189466dce2c600829deb68baae3f8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe

Filesize
95KB

MD5
ccc539594215c448acbc3ca068769135

SHA1
373e5208902f5f33a975c7f64982bd95e181e796

SHA256
7d25069bfd5b079d60ad7e990d9143ec145cb6a304ece06448cdf29fbd2d19c5

SHA512
122b94ce4138fae9f80877d8876841bb2a58df70a1df0d82ebc5c6d4f7a06e1544dff398a99316b630d4a2e647560f3fbf7c85682e4913dfd54b42e55b65fc0f

Download Submit
\Users\Admin\AppData\Local\Temp\cetrdeje.exe

Filesize
219KB

MD5
22fb1e950351d9f82c635d4a57ca47e6

SHA1
895c909a49673cace18ae8ba4b7ac9f4fbf5fae9

SHA256
6a338f0e939989e73e964f2a8817d5e757b2b790ecd00f7b918fa3fe81ea77bb

SHA512
754c3ef5c76c79cebcb681c90965ab9368018e523bae540af4f2b38c719f898b2a036f40ca21c6ccf3eb257abcb602e2ac6867f8cb61624a16852879d4a2fa0e

Download Submit
memory/864-111-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/864-121-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1028-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1028-18-0x0000000000400000-0x0000000000421F7C-memory.dmp

Filesize
135KB

Download
memory/1028-19-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1752-15-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1752-67-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1752-17-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/1752-71-0x0000000000250000-0x00000000002B1000-memory.dmp

Filesize
388KB

Download
memory/1752-79-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1752-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2652-60-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-70-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2652-69-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2652-68-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2652-55-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-47-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2652-49-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2652-861-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2656-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2656-94-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2656-80-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2656-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2656-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-416-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-109-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2692-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-33-0x0000000000400000-0x0000000000421F7C-memory.dmp

Filesize
135KB

Download
memory/2692-45-0x000000007721F000-0x0000000077220000-memory.dmp

Filesize
4KB

Download
memory/2692-639-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-42-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2692-44-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2784-105-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2784-92-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download