ramnit | 4191ad86b4f36151de4931114f33fd1130dec31d40131db3f4a690c73fa50938

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 10:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4974615476e90e97538ce50f3441935d_JaffaCakes118.dll
Size

296KB
MD5

4974615476e90e97538ce50f3441935d
SHA1

7f2a7c1dabf2c9303f4f37da962fd28a0f4a9bcd
SHA256

4191ad86b4f36151de4931114f33fd1130dec31d40131db3f4a690c73fa50938
SHA512

7a94f74436d59f3f19bb6b7a3fd6e9bbd8e07e89f75f66790431b4c0f9d6428b0f380c2ced598bf6c9d11fbd863d47f76daef5b41d4e6de047f6e7b865a7456a
SSDEEP

3072:1BVnFg5zv4cC+Gssoe8vdvAupG9c07i7XdyZdfBN9TF:9O2+DdY32onZNtB

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
1996	regsvr32mgr.exe
2984	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
3040	regsvr32.exe
3040	regsvr32.exe
1996	regsvr32mgr.exe
1996	regsvr32mgr.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1996-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2984-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2984-627-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\jsdt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ViewerPS.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perfcore.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssv.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\gstreamer-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\ = "IRtlCP110"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\VersionIndependentProgID\ = "RtlCP.RtlCP"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\ = "IRtlCP114"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\ProgID\ = "RtlCP.RtlCP.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4974615476e90e97538ce50f3441935d_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP.1\ = "RtlCP Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\ = "IRtlCP111"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\ = "RtlCPAPI 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\ = "IRtlCP110"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP\ = "RtlCP Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\497461~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RtlCP.RtlCP.1\CLSID\ = "{E9F1F599-7B14-4213-BF46-F992758CAB81}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A24F60F4-39B8-461D-9DDB-DF42E7225ED7}\TypeLib\ = "{AE1250CD-F527-4B55-BE4A-5CC211216C49}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C93223-1B9E-4BBC-9F32-AD4928C0ECAB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA1F512C-85D2-4A68-9DC9-BD3B10E625BA}\ = "IRtlCP114"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9F1F599-7B14-4213-BF46-F992758CAB81}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE1250CD-F527-4B55-BE4A-5CC211216C49}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B8F5B4C2-444B-474C-B795-134A5D0239FB}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2984	WaterMark.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe
2632	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	WaterMark.exe
Token: SeDebugPrivilege	2632	svchost.exe
Token: SeDebugPrivilege	2984	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1996	regsvr32mgr.exe
2984	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3032 wrote to memory of 3040	3032	regsvr32.exe	30
PID 3040 wrote to memory of 1996	3040	regsvr32.exe	31
PID 3040 wrote to memory of 1996	3040	regsvr32.exe	31
PID 3040 wrote to memory of 1996	3040	regsvr32.exe	31
PID 3040 wrote to memory of 1996	3040	regsvr32.exe	31
PID 1996 wrote to memory of 2984	1996	regsvr32mgr.exe	32
PID 1996 wrote to memory of 2984	1996	regsvr32mgr.exe	32
PID 1996 wrote to memory of 2984	1996	regsvr32mgr.exe	32
PID 1996 wrote to memory of 2984	1996	regsvr32mgr.exe	32
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2828	2984	WaterMark.exe	33
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2984 wrote to memory of 2632	2984	WaterMark.exe	34
PID 2632 wrote to memory of 256	2632	svchost.exe	1
PID 2632 wrote to memory of 256	2632	svchost.exe	1
PID 2632 wrote to memory of 256	2632	svchost.exe	1
PID 2632 wrote to memory of 256	2632	svchost.exe	1
PID 2632 wrote to memory of 256	2632	svchost.exe	1
PID 2632 wrote to memory of 336	2632	svchost.exe	2
PID 2632 wrote to memory of 336	2632	svchost.exe	2
PID 2632 wrote to memory of 336	2632	svchost.exe	2
PID 2632 wrote to memory of 336	2632	svchost.exe	2
PID 2632 wrote to memory of 336	2632	svchost.exe	2
PID 2632 wrote to memory of 384	2632	svchost.exe	3
PID 2632 wrote to memory of 384	2632	svchost.exe	3
PID 2632 wrote to memory of 384	2632	svchost.exe	3
PID 2632 wrote to memory of 384	2632	svchost.exe	3
PID 2632 wrote to memory of 384	2632	svchost.exe	3
PID 2632 wrote to memory of 396	2632	svchost.exe	4
PID 2632 wrote to memory of 396	2632	svchost.exe	4
PID 2632 wrote to memory of 396	2632	svchost.exe	4
PID 2632 wrote to memory of 396	2632	svchost.exe	4
PID 2632 wrote to memory of 396	2632	svchost.exe	4
PID 2632 wrote to memory of 432	2632	svchost.exe	5
PID 2632 wrote to memory of 432	2632	svchost.exe	5
PID 2632 wrote to memory of 432	2632	svchost.exe	5
PID 2632 wrote to memory of 432	2632	svchost.exe	5
PID 2632 wrote to memory of 432	2632	svchost.exe	5
PID 2632 wrote to memory of 476	2632	svchost.exe	6
PID 2632 wrote to memory of 476	2632	svchost.exe	6
PID 2632 wrote to memory of 476	2632	svchost.exe	6
PID 2632 wrote to memory of 476	2632	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1496
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1556
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:840
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2552
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:960
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:328
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1104
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1260
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1776
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2264
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4974615476e90e97538ce50f3441935d_JaffaCakes118.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\4974615476e90e97538ce50f3441935d_JaffaCakes118.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2828
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
342KB

MD5
6c49ee008d02aadfb11fe959b8326ba6

SHA1
704f807c0b5e02792c2f7064c722c9e0c6c901cb

SHA256
be0d7f3aa31c11a7d9a3789180907fc036815602e093e92204b842c61a85542e

SHA512
0dbdb1e1143a40d3df5a04ab50010ee3e7e68e38ebf14c429beaea48ecbdb9abbaa8d793589d0d2349285d73748d48b8ac4dfb703b4dcba2e4db7dd1ea5773b6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
338KB

MD5
6381a03eaf66cba2440c60918a134a93

SHA1
975fa355fa1aab25241ae646930935f7bd406208

SHA256
3fa1d91a54856b73605c8566c7a6ab3f3bb6b9e0834807889982030afe1ec5bc

SHA512
575828fd06478a446054188cf7f671106f5e6940d143f4c5fb933a23990592a46a38de81842ce8d4b6b0d258db9ef4438eb3a2559cfd879f64eeab42d55e4e0e

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
164KB

MD5
690f4f39b79de5d7720c91be8e3f3221

SHA1
3dc339e52ddc91aa5d680ab1c0022d57ccbcdaf5

SHA256
c95619091f4fe285e2418bb39ab6c038ef1eab6b82ab783b2d7f2dfc99de1669

SHA512
4024e28fa7011ff9081b9542f2aa5ac682b1636139299a66ba366b46020efb16c6bf55666319fdf215fb9e87cb1558c0f888b451ea4c60f69b64c7d8494ac9fb

Download Submit
memory/1996-15-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1996-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1996-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2632-86-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-72-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-89-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2632-91-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2632-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2632-87-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2632-82-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2828-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-52-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-61-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-1150-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-57-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2828-44-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2828-42-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2828-58-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2828-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2984-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2984-81-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2984-40-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2984-39-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2984-627-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2984-70-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/3040-10-0x0000000000190000-0x00000000001CA000-memory.dmp

Filesize
232KB

Download
memory/3040-4-0x0000000000190000-0x00000000001CA000-memory.dmp

Filesize
232KB

Download