Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03/07/2024, 16:07
Behavioral task: behavioral1
Sample: 22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
Size: 219KB
MD5: 22fb1e950351d9f82c635d4a57ca47e6
SHA1: 895c909a49673cace18ae8ba4b7ac9f4fbf5fae9
SHA256: 6a338f0e939989e73e964f2a8817d5e757b2b790ecd00f7b918fa3fe81ea77bb
SHA512: 754c3ef5c76c79cebcb681c90965ab9368018e523bae540af4f2b38c719f898b2a036f40ca21c6ccf3eb257abcb602e2ac6867f8cb61624a16852879d4a2fa0e
SSDEEP: 3072:EAxPVBcJj5dTEpyP65+2WojHSoqA7geAdzMVZ0rHBUSBWLuXHlvQYG4ncU:EAP2JjIpPpbmS0WLuX144cU
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  Process: svchost.exe
Executes dropped EXE 4 IoCs
  pid   Process
  1028  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
  2692  WaterMark.exe
  2784  cetrdeje.exe
  2900  cetrdeje.exe
Loads dropped DLL 7 IoCs
  pid   Process
  1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  1028  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
  1028  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
  2656  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  2656  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  2784  cetrdeje.exe
UPX packed file 18 IoCs
  resource                                                                    yara_rule
  behavioral1/memory/1752-0-0x0000000000400000-0x0000000000461000-memory.dmp    upx
  behavioral1/memory/1028-18-0x0000000000400000-0x0000000000421F7C-memory.dmp   upx
  behavioral1/memory/1028-21-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-23-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-20-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-13-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1028-12-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2692-43-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2692-42-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/1752-67-0x0000000000400000-0x0000000000461000-memory.dmp   upx
  behavioral1/memory/1752-79-0x0000000000400000-0x0000000000461000-memory.dmp   upx
  behavioral1/files/0x00360000000141bb-83.dat                                   upx
  behavioral1/memory/2784-92-0x0000000000400000-0x0000000000461000-memory.dmp   upx
  behavioral1/memory/2784-105-0x0000000000400000-0x0000000000461000-memory.dmp  upx
  behavioral1/memory/2692-416-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2692-639-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Adds Run key to start application 2 TTPs 2 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdeje.exe"
  Process: 22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cetrdeje.exe"
  Process: 22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
  description                   ioc                                Process
  File created                  C:\Windows\SysWOW64\dmlconf.dat    svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat    svchost.exe
Suspicious use of SetThreadContext 2 IoCs
  description             pid   Process                                              procid_target
  set thread context of   1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe   2656 (31)
  set thread context of   2784  cetrdeje.exe                                         2900 (33)
Drops file in Program Files directory 64 IoCs
  description: File opened for modification (every entry)
  Process: svchost.exe (every entry except the one marked otherwise)
  ioc:
  C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll
  C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  C:\Program Files\Internet Explorer\F12.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll
  C:\Program Files\VideoLAN\VLC\libvlc.dll
  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html
  C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
  C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm
  C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html
  C:\Program Files\7-Zip\7z.dll
  C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll
  C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
  C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
  C:\Program Files\Common Files\System\wab32res.dll
  C:\Program Files\Internet Explorer\perf_nt.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll
  C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL
  C:\Program Files\VideoLAN\VLC\lua\http\index.html
  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
  C:\Program Files\Mozilla Firefox\lgpllibs.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll
  C:\Program Files\Windows Defender\MsMpCom.dll
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll
  C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpnr.dll
  C:\Program Files (x86)\Microsoft\WaterMark.exe  (Process: 22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe)
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll
Suspicious behavior: EnumeratesProcesses 37 IoCs
  pid   Process        entries
  2692  WaterMark.exe  8
  864   svchost.exe    29
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   2692  WaterMark.exe
  Token: SeDebugPrivilege   864   svchost.exe
  Token: SeDebugPrivilege   2692  WaterMark.exe
  Token: SeDebugPrivilege   2900  cetrdeje.exe
Suspicious use of SetWindowsHookEx 2 IoCs
  pid   Process
  1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe
  2784  cetrdeje.exe
Suspicious use of UnmapMainImage 2 IoCs
  pid   Process
  1028  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
  2692  WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description: wrote to memory of (every entry; identical entries are grouped, with the count of occurrences)
  pid   Process                                                 target pid (procid_target)  entries
  1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe      1028 (28)                   4
  1028  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe   2692 (29)                   4
  2692  WaterMark.exe                                           2652 (30)                   10
  1752  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe      2656 (31)                   9
  2656  22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe      2784 (32)                   4
  2784  cetrdeje.exe                                            2900 (33)                   9
  2692  WaterMark.exe                                           864 (34)                    10
  864   svchost.exe                                             256 (1)                     5
  864   svchost.exe                                             336 (2)                     5
  864   svchost.exe                                             384 (3)                     4
Processes

(indentation and the bracketed number give the depth in the process tree; "cmd:" is the recorded command line)

[1] C:\Windows\System32\smss.exe  PID:256
    cmd: \SystemRoot\System32\smss.exe
[1] C:\Windows\system32\csrss.exe  PID:336
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
[1] C:\Windows\system32\wininit.exe  PID:384
    cmd: wininit.exe
  [2] C:\Windows\system32\services.exe  PID:476
      cmd: C:\Windows\system32\services.exe
    [3] C:\Windows\system32\svchost.exe  PID:608
        cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
      [4] C:\Windows\system32\DllHost.exe  PID:1760
          cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      [4] C:\Windows\system32\wbem\wmiprvse.exe  PID:2552
          cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    [3] C:\Windows\system32\svchost.exe  PID:692
        cmd: C:\Windows\system32\svchost.exe -k RPCSS
    [3] C:\Windows\System32\svchost.exe  PID:760
        cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    [3] C:\Windows\System32\svchost.exe  PID:828
        cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      [4] C:\Windows\system32\Dwm.exe  PID:1172
          cmd: "C:\Windows\system32\Dwm.exe"
    [3] C:\Windows\system32\svchost.exe  PID:868
        cmd: C:\Windows\system32\svchost.exe -k netsvcs
      [4] C:\Windows\system32\wbem\WMIADAP.EXE  PID:2828
          cmd: wmiadap.exe /F /T /R
    [3] C:\Windows\system32\svchost.exe  PID:980
        cmd: C:\Windows\system32\svchost.exe -k LocalService
    [3] C:\Windows\system32\svchost.exe  PID:268
        cmd: C:\Windows\system32\svchost.exe -k NetworkService
    [3] C:\Windows\System32\spoolsv.exe  PID:924
        cmd: C:\Windows\System32\spoolsv.exe
    [3] C:\Windows\system32\svchost.exe  PID:1084
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    [3] C:\Windows\system32\taskhost.exe  PID:1112
        cmd: "taskhost.exe"
    [3] C:\Windows\system32\svchost.exe  PID:2100
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    [3] C:\Windows\system32\sppsvc.exe  PID:2376
        cmd: C:\Windows\system32\sppsvc.exe
  [2] C:\Windows\system32\lsass.exe  PID:488
      cmd: C:\Windows\system32\lsass.exe
  [2] C:\Windows\system32\lsm.exe  PID:496
      cmd: C:\Windows\system32\lsm.exe
[1] C:\Windows\system32\csrss.exe  PID:392
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
[1] C:\Windows\system32\winlogon.exe  PID:432
    cmd: winlogon.exe
[1] C:\Windows\Explorer.EXE  PID:1212
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe  PID:1752
      cmd: "C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe  PID:1028
        cmd: C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\WaterMark.exe  PID:2692
          cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\svchost.exe  PID:2652
            cmd: C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
        [5] C:\Windows\SysWOW64\svchost.exe  PID:864
            cmd: C:\Windows\system32\svchost.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe  PID:2656
        cmd: "C:\Users\Admin\AppData\Local\Temp\22fb1e950351d9f82c635d4a57ca47e6_JaffaCakes118.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe  PID:2784
          cmd: "C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe  PID:2900
            cmd: "C:\Users\Admin\AppData\Local\Temp\cetrdeje.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 205KB
  MD5: 665af705712aa6369b9d18527031edef
  SHA1: e21d0666231127fa0cd7e8838eef3edecedc99e3
  SHA256: 698ecdd71e3443a8883d6c5d5bbc10632290d45c266cacec305d3563e331cdc2
  SHA512: 59c1f942e149be0f6a9185a9093f39e1fef714599ea93637c9a90365cc7d6351b3cd9be1a6efcf6a8d7a634f84f2513e3d7926c8cd377521bcce23a4fe9e46ae

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 201KB
  MD5: 25face2aaccbfed000d0b5ab09ae5c6a
  SHA1: 061547d48c354f6abf33fd107b467799862ff600
  SHA256: 59fbf47a28ad6ed1f5de53c11d2b54701bd0d6fbcdefc504462fa9273e620f99
  SHA512: 07bbb452c3a7a09b45ed4c0936ed67bb06efcdf2e6a7fe73fe519ff0dcad0a4d479f2a0e8e271e3be28396ad22a5e69bd189466dce2c600829deb68baae3f8da

(no path recorded)
  Filesize: 95KB
  MD5: ccc539594215c448acbc3ca068769135
  SHA1: 373e5208902f5f33a975c7f64982bd95e181e796
  SHA256: 7d25069bfd5b079d60ad7e990d9143ec145cb6a304ece06448cdf29fbd2d19c5
  SHA512: 122b94ce4138fae9f80877d8876841bb2a58df70a1df0d82ebc5c6d4f7a06e1544dff398a99316b630d4a2e647560f3fbf7c85682e4913dfd54b42e55b65fc0f

(no path recorded)
  Filesize: 219KB
  MD5: 22fb1e950351d9f82c635d4a57ca47e6
  SHA1: 895c909a49673cace18ae8ba4b7ac9f4fbf5fae9
  SHA256: 6a338f0e939989e73e964f2a8817d5e757b2b790ecd00f7b918fa3fe81ea77bb
  SHA512: 754c3ef5c76c79cebcb681c90965ab9368018e523bae540af4f2b38c719f898b2a036f40ca21c6ccf3eb257abcb602e2ac6867f8cb61624a16852879d4a2fa0e