ramnit | 679a4974ab63899ed62e52788c391369675a904adc969c93d4ec274dada141d2

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
Size

193KB
MD5

59fa728668cadc67f6c031e08cf7d203
SHA1

6fe6f0f77504d02560e2ce3cea79e01dc8dc1c8e
SHA256

679a4974ab63899ed62e52788c391369675a904adc969c93d4ec274dada141d2
SHA512

9e273dc3707de2a13e58d78bb6f5694493886f88ffc1a5893fd7290be509be56439cd8d31c247d7bf72ad9a2f650af4dca84d5eaf175687572b347a3e967318b
SSDEEP

3072:pR2xn3k0CdM1vabyzJYWqSSpbaxhptgiHaKruj3A3dS5DFZSHZFD:pR2J0LS6VTI/fjaHQ31V

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
1228	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe
3508	WaterMark.exe
1648	WaterMark.exe
2256	WaterMarkmgr.exe
4788	WaterMark.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3612-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1228-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3508-54-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4788-71-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4788-77-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1648-69-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2256-57-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2256-53-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3508-37-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/3612-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3612-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3612-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3612-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3612-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3612-5-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1648-88-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px90C6.tmp	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9134.tmp	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	WaterMarkmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe	WaterMark.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px90D6.tmp	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4900	900	WerFault.exe	91
3840	212	WerFault.exe	94
3332	1188	WerFault.exe	92

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3089146680"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3083990594"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119741"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E37BA4EB-4570-11EF-A8A8-F62CC64740F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119741"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3084459086"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428118638"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3089459240"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3089146680"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3083990594"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3089146680"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E37456D6-4570-11EF-A8A8-F62CC64740F5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119741"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E3791BB1-4570-11EF-A8A8-F62CC64740F5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E37B7DDB-4570-11EF-A8A8-F62CC64740F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119741"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3508	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
1648	WaterMark.exe
3508	WaterMark.exe
4788	WaterMark.exe
3508	WaterMark.exe
4788	WaterMark.exe
3508	WaterMark.exe
3508	WaterMark.exe
4788	WaterMark.exe
3508	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe
4788	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	WaterMark.exe
Token: SeDebugPrivilege	1648	WaterMark.exe
Token: SeDebugPrivilege	4788	WaterMark.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4628	iexplore.exe
4256	iexplore.exe
2372	iexplore.exe
1724	iexplore.exe
1296	iexplore.exe
5080	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1724	iexplore.exe
1724	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
4628	iexplore.exe
4628	iexplore.exe
4256	iexplore.exe
4256	iexplore.exe
5080	iexplore.exe
5080	iexplore.exe
1296	iexplore.exe
1296	iexplore.exe
8	IEXPLORE.EXE
8	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
3988	IEXPLORE.EXE
3988	IEXPLORE.EXE
3976	IEXPLORE.EXE
3976	IEXPLORE.EXE
432	IEXPLORE.EXE
432	IEXPLORE.EXE
3212	IEXPLORE.EXE
3212	IEXPLORE.EXE
8	IEXPLORE.EXE
8	IEXPLORE.EXE

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
1228	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe
3508	WaterMark.exe
2256	WaterMarkmgr.exe
1648	WaterMark.exe
4788	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1228	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	86
PID 3612 wrote to memory of 1228	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	86
PID 3612 wrote to memory of 1228	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	86
PID 3612 wrote to memory of 3508	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	87
PID 3612 wrote to memory of 3508	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	87
PID 3612 wrote to memory of 3508	3612	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe	87
PID 1228 wrote to memory of 1648	1228	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe	88
PID 1228 wrote to memory of 1648	1228	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe	88
PID 1228 wrote to memory of 1648	1228	59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe	88
PID 3508 wrote to memory of 2256	3508	WaterMark.exe	89
PID 3508 wrote to memory of 2256	3508	WaterMark.exe	89
PID 3508 wrote to memory of 2256	3508	WaterMark.exe	89
PID 2256 wrote to memory of 4788	2256	WaterMarkmgr.exe	90
PID 2256 wrote to memory of 4788	2256	WaterMarkmgr.exe	90
PID 2256 wrote to memory of 4788	2256	WaterMarkmgr.exe	90
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 1648 wrote to memory of 900	1648	WaterMark.exe	91
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 3508 wrote to memory of 1188	3508	WaterMark.exe	92
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 4788 wrote to memory of 212	4788	WaterMark.exe	94
PID 3508 wrote to memory of 2372	3508	WaterMark.exe	105
PID 3508 wrote to memory of 2372	3508	WaterMark.exe	105
PID 1648 wrote to memory of 4256	1648	WaterMark.exe	104
PID 1648 wrote to memory of 4256	1648	WaterMark.exe	104
PID 1648 wrote to memory of 4628	1648	WaterMark.exe	106
PID 1648 wrote to memory of 4628	1648	WaterMark.exe	106
PID 4788 wrote to memory of 1296	4788	WaterMark.exe	107
PID 4788 wrote to memory of 1296	4788	WaterMark.exe	107
PID 3508 wrote to memory of 1724	3508	WaterMark.exe	108
PID 3508 wrote to memory of 1724	3508	WaterMark.exe	108
PID 4788 wrote to memory of 5080	4788	WaterMark.exe	109
PID 4788 wrote to memory of 5080	4788	WaterMark.exe	109
PID 1296 wrote to memory of 432	1296	iexplore.exe	112
PID 1296 wrote to memory of 432	1296	iexplore.exe	112
PID 1296 wrote to memory of 432	1296	iexplore.exe	112
PID 1724 wrote to memory of 3976	1724	iexplore.exe	110
PID 1724 wrote to memory of 3976	1724	iexplore.exe	110
PID 1724 wrote to memory of 3976	1724	iexplore.exe	110
PID 2372 wrote to memory of 3988	2372	iexplore.exe	111
PID 2372 wrote to memory of 3988	2372	iexplore.exe	111
PID 2372 wrote to memory of 3988	2372	iexplore.exe	111
PID 4628 wrote to memory of 8	4628	iexplore.exe	113

C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe
  C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 204
        5⤵
        Program crash
        
        PID:4900
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:4256
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4256 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:8
- C:\Program Files (x86)\Microsoft\WaterMark.exe
  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
    "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 204
        6⤵
        Program crash
        
        PID:3840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5080
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5080 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3212
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 204
      4⤵
      Program crash
      PID:3332
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3988
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 900 -ip 900
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1188 -ip 1188
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
193KB

MD5
59fa728668cadc67f6c031e08cf7d203

SHA1
6fe6f0f77504d02560e2ce3cea79e01dc8dc1c8e

SHA256
679a4974ab63899ed62e52788c391369675a904adc969c93d4ec274dada141d2

SHA512
9e273dc3707de2a13e58d78bb6f5694493886f88ffc1a5893fd7290be509be56439cd8d31c247d7bf72ad9a2f650af4dca84d5eaf175687572b347a3e967318b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3791BB1-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
3KB

MD5
9b7a36eacce5aee5dd8694c794559a3c

SHA1
2a052d794e79f9104ffcfee6826069e31f95e15d

SHA256
5e061e0b1d4c28781023956b66711265578ecfd5ed1c3cd2232e696eb4530f92

SHA512
fd733d51ac77e630fe66d8ed85a6ebd1239ff9e019a2b852a23739b46c36d42a41aecaa6fd580e887a45d7276bd694dc53f9bea711a5dd37cff6e02929e530db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3791BB1-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
5KB

MD5
59f71ef6eefa275ae61a42791de264ae

SHA1
f23f8ac18293ad9504fef0bad56adf3a3293e510

SHA256
82447b379e0da8c670f75ea0609cd729f853385d75a96b9af92c61944949b58d

SHA512
34cc42a64ddc5789fb9e5e7d9ae35963c333837b1b27aca7143d5c383e929bf0a7f6ce96cfb3be0b3a3c3b7816dcfbd5cd29eea241ce59896a5e6cfb566e012b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E37BA4EB-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
3KB

MD5
4b61f9cee72991c621e5cf9deb7c848b

SHA1
167f603b18ca103f0561a0a164443b8e3fb56a39

SHA256
1e593c6968b46327eb505cc40714751c305821fcc1e3b4cbef1cc5256830d5d3

SHA512
bdea43725de96d4ee00ef206b1c66c089245d8d9026be7c213054df29a40c2d2e44fa07727627f234ea8e5f569162acde1db486f7d0fdd0c85a79906a3645d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E37BA4EB-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
5KB

MD5
c2aa9f3d746effc6246aa477bca9477a

SHA1
c62beda1fc1205024f5b093b4de10fb6855f2d66

SHA256
6e6858807abc2400c820b7a99d3d7148fd307dbb63735cc450e2282961356962

SHA512
51be4538af5bf46b1b354b90d24d98d97c8e91f049501886f38f21cecd40606cbc46805b62ddd794ea7b239589df4248a363a93d9b9f7d240b976b43dc2364ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E37DDFF2-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
5KB

MD5
1ee67443a705015df6730f50b0200a0b

SHA1
e7ad54bb1988aa6e8f580f1d130616ec7029abad

SHA256
ba89921bcdf8e032ab14cf89d48012d50abd4a0e1096021c0d5ed111a6b409bf

SHA512
4f9987e042d5836b3ca701b25b39e05d3a5e28d646a5d49a1b2be2e50c1952ce0137aef14501c33fb05609515bdc7e6921c9e0a0fcf7c0dd7a08f44a821786be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E37E0702-4570-11EF-A8A8-F62CC64740F5}.dat

Filesize
4KB

MD5
e4e8efc99ae8053b79f3f77bf2995c36

SHA1
3823a559b5b242c7f321dc0e48a108f9f5c8f28a

SHA256
d90add80df89e2f4dc56f992fcf28e6144e07f871785f53483769af394eada2e

SHA512
319a068abae4506b530dbec56147ab5c4e8c38dab74d1ea13f5253e903d64e65e98da17b88092ee0aaf493fb5e6ca63ac63613840812b75da28a020a89ad6148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1354.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WZ04RUV6\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\59fa728668cadc67f6c031e08cf7d203_JaffaCakes118mgr.exe

Filesize
95KB

MD5
f8a6e7529ad1b00a18c6ca2702521471

SHA1
2cadb00ca99be622623dc78095f594bedfec7534

SHA256
ce8e07cec9c3857f48e20916c65413335ab480b0c3d70345e98147b2ff7b8de6

SHA512
e1c3f164aa58360e4b664341ddea907fe990fa93de6f1e98b4fe87bf713e62b50191d738afc5591ead628f6f58dead74d78d26267ac03079f96bcb85b93ce2f7

Download Submit
memory/900-76-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/900-75-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1228-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-89-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1648-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-39-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1648-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2256-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2256-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3508-79-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3508-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3508-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3508-70-0x00000000774F2000-0x00000000774F3000-memory.dmp

Filesize
4KB

Download
memory/3508-60-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3612-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3612-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3612-15-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4788-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4788-74-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/4788-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download