Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 150s
  max time network: 143s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 09/08/2024, 22:56
  Static task: static1
  Behavioral task: behavioral1
  Sample: 83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  Resource: win7-20240708-en
General
  Target: 83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  Size: 684KB
  MD5: 83e21ea5545f76f59a41aced67ade3bd
  SHA1: f3c93f3b316877dcb800e8f9f732d27b057842b5
  SHA256: aa0662f95f2f09d4f07c886bdddd8e40e468c2fb1f3e821ab396b4d36ac38d69
  SHA512: e20311e55d3cab9892241aec6586d6e655d0013da6e9bbd8cefb310bb269fcf03a3fbd88181a4b637f0b6057c7697e18a41519fbd3d84a530a97738d5e4fb3bd
  SSDEEP: 12288:up10yTvLuemGWvPdFOUTNKW8n2p3uGUMotFbkPc7DiPBEcrf:O1XyFFOU5qn2ek8wBEYf
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  process: svchost.exe
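A check for this IoC, added here as an example and not taken from the report or from the sample: it splits a Userinit value the way Winlogon does and reports any entry other than the stock userinit.exe. The two sample strings are constructed from the report; the live read (standard winreg module, Windows only), the constant names and the function names are this example's own. One caveat the IoC path itself carries: the write landed under Wow6432Node because a 32-bit svchost.exe made it under WOW64 registry redirection, while the 64-bit winlogon.exe on this x64 image reads the native Winlogon key, so a responder should read both views rather than only the one the sandbox shows.

```python
"""Flag non-default entries in a Winlogon Userinit value.

Added example for the persistence IoC above; it is not code from the Triage
report. The report shows a WoW64 svchost.exe setting
SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
to "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe". Winlogon
runs every comma-separated entry of Userinit at logon, so the check splits the
value and reports anything that is not the stock userinit.exe. The sample
values below are constructed from the report; the optional live read uses the
standard winreg module and only does anything on Windows.
"""
import sys

# Stock entry. Windows ships the full path with a trailing comma; a bare
# "userinit.exe" resolves to the same binary via the System32 search path.
DEFAULT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Both views of the key. A 32-bit writer is redirected to Wow6432Node (what the
# report shows); the 64-bit winlogon.exe reads the native path. Check both.
WINLOGON_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Constructed inputs: the Windows 7 default and the value from the report.
SAMPLE_VALUES = {
    "stock": r"C:\Windows\system32\userinit.exe,",
    "report": r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe",
}


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit string into its entries.

    Winlogon treats the value as a comma-separated list; the stock value ends
    with a comma, which yields an empty trailing entry that is dropped here.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def suspicious_entries(value: str) -> list[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    Comparison is case-insensitive and ignores surrounding quotes, so a
    quoted or differently cased stock path is not reported.
    """
    findings = []
    for entry in parse_userinit(value):
        if entry.strip('"').lower() in DEFAULT_USERINIT:
            continue
        findings.append(entry)
    return findings


def read_userinit_values() -> dict[str, str]:
    """Read Userinit from both key views on a live Windows host.

    Returns {} on other platforms so the offline checks stay importable.
    KEY_WOW64_64KEY disables redirection so each path is read as written,
    even from a 32-bit Python.
    """
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # Windows-only standard-library module

    values = {}
    for key in WINLOGON_KEYS:
        try:
            with winreg.OpenKey(
                winreg.HKEY_LOCAL_MACHINE, key, 0,
                winreg.KEY_READ | winreg.KEY_WOW64_64KEY,
            ) as handle:
                values[key], _ = winreg.QueryValueEx(handle, "Userinit")
        except OSError:
            continue  # key or value absent (e.g. no Wow6432Node on x86)
    return values


if __name__ == "__main__":
    live = read_userinit_values() or SAMPLE_VALUES
    for where, value in live.items():
        extra = suspicious_entries(value)
        print(f"{where}: {'CLEAN' if not extra else 'SUSPICIOUS ' + str(extra)}")
```

Run on a Windows host it prints both key views; elsewhere it falls back to the two constructed strings, reporting the report's value as suspicious and the stock value as clean.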
Executes dropped EXE 2 IoCs
  pid 2376  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe
  pid 2276  WaterMark.exe
Loads dropped DLL 4 IoCs
  pid 2104  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  pid 2104  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  pid 2376  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe
  pid 2376  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe
YARA rule upx matched on the following memory resources:
  behavioral1/memory/2376-17-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2276-44-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2376-18-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2276-37-0x0000000000400000-0x000000000042B000-memory.dmp
  behavioral1/memory/2376-16-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2376-15-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2376-14-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2376-13-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2376-29-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2276-638-0x0000000000400000-0x0000000000421000-memory.dmp
Drops file in System32 directory 2 IoCs
  File created                 C:\Windows\SysWOW64\dmlconf.dat  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat  svchost.exe
Drops file in Program Files directory 64 IoCs
All 64 entries are "File opened for modification" by svchost.exe:
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html
  C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
  C:\Program Files\Windows Media Player\setup_wm.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
  C:\Program Files\Common Files\System\ado\msado15.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll
  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL
  C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll
  C:\Program Files\Common Files\System\msadc\msadcfr.dll
  C:\Program Files\Common Files\System\msadc\msdaremr.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll
  C:\Program Files\Java\jre7\bin\jfxwebkit.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll
  C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll
  C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll
  C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll
  C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.DLL
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html
  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll
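To turn a list like this into something actionable a responder has to know which of the touched files actually changed (the Downloads section below shows two of them with post-infection hashes, but not what they hashed to before). The following is an added example, not code from the report: it builds a SHA-256 manifest of a directory tree and diffs it against a later scan, separating modified, added and removed files, and catches an in-place rewrite that keeps the file size unchanged. The directory, the file contents and the simulated tampering are constructed in a temporary directory from a few of the paths above; the function names are this example's own.

```python
"""Find files under a tree whose contents changed since a baseline manifest.

Added example for the "Drops file in Program Files directory" list above; it
is not code from the Triage report. The report only records that svchost.exe
opened 64 binaries and HTML files under Program Files for modification, not
which bytes changed. The usual answer is a SHA-256 manifest taken from a
known-good install, diffed against the host. The tree and the tampering below
are constructed in a temporary directory so the example runs offline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each file's path (relative, forward slashes) to size and SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify paths as modified, added or removed relative to the baseline."""
    modified = sorted(
        p for p in baseline
        if p in current and baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Build a toy Program Files tree, baseline it, tamper, and diff.

    Paths are constructed to mirror entries from the report. The tampering
    mimics what the report shows: an existing DLL and an HTML file rewritten,
    plus a new file dropped into the tree (the report's dmlconf.dat went to
    SysWOW64; here it is dropped at the root of the toy tree).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "VideoLAN/VLC/plugins/demux/libps_plugin.dll": b"MZ\x90\x00" * 64,
            "Mozilla Firefox/ipcclientcerts.dll": b"MZ\x90\x00" * 32,
            "Adobe/Reader 9.0/Reader/Legal/ENU/license.html": b"<html>license</html>",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_manifest(root)
        # A manifest is only useful if it is stored off-host; round-trip it
        # through JSON to show it survives serialisation unchanged.
        baseline = json.loads(json.dumps(baseline))

        # Tamper: append a payload to a DLL (size grows), rewrite the HTML in
        # place with the same length (a size check alone would miss this),
        # and drop a new file.
        with (root / "VideoLAN/VLC/plugins/demux/libps_plugin.dll").open("ab") as fh:
            fh.write(b"\x00" * 512)
        (root / "Adobe/Reader 9.0/Reader/Legal/ENU/license.html").write_bytes(b"<html>LICENSE</html>")
        (root / "dmlconf.dat").write_bytes(b"\x01\x02")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real host the baseline would be built once from clean install media or a golden image and kept off the machine; build_manifest is then pointed at C:\Program Files and the diff lists exactly the files to pull for analysis.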
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
  pid 2276  WaterMark.exe  (8 entries)
  pid 2596  svchost.exe  (29 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
  Token: SeDebugPrivilege  pid 2276  WaterMark.exe
  Token: SeDebugPrivilege  pid 2596  svchost.exe
  Token: SeDebugPrivilege  pid 2104  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2276  WaterMark.exe
Suspicious use of SetWindowsHookEx 2 IoCs
  pid 2104  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
  pid 2104  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe
Suspicious use of UnmapMainImage 2 IoCs
  pid 2376  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe
  pid 2276  WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
The 64 entries (one per call) collapse to nine distinct writer/target pairs. Columns: writer pid -> target pid (target image taken from the Processes section), writer process, procid_target.
  2104 -> 2376 (83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe)  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe  30
  2376 -> 2276 (WaterMark.exe)  83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe  31
  2276 -> 2876 (svchost.exe)  WaterMark.exe  32
  2276 -> 2596 (svchost.exe)  WaterMark.exe  33
  2596 -> 256 (smss.exe)  svchost.exe  1
  2596 -> 332 (csrss.exe)  svchost.exe  2
  2596 -> 384 (wininit.exe)  svchost.exe  3
  2596 -> 392 (csrss.exe)  svchost.exe  4
  2596 -> 432 (winlogon.exe)  svchost.exe  5
Processes
(indentation shows parent/child nesting; "cmd:" is the recorded command line)
C:\Windows\System32\smss.exe  cmd: \SystemRoot\System32\smss.exe  PID:256
C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID:332
C:\Windows\system32\wininit.exe  cmd: wininit.exe  PID:384
  C:\Windows\system32\services.exe  cmd: C:\Windows\system32\services.exe  PID:476
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch  PID:600
      C:\Windows\system32\wbem\wmiprvse.exe  cmd: C:\Windows\system32\wbem\wmiprvse.exe  PID:1316
      C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1384
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS  PID:680
    C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  PID:748
    C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  PID:812
      C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID:1164
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs  PID:848
      C:\Windows\system32\wbem\WMIADAP.EXE  cmd: wmiadap.exe /F /T /R  PID:1916
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService  PID:968
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService  PID:236
    C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe  PID:108
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  PID:1028
    C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID:1112
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"  PID:2040
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  PID:2268
    C:\Windows\system32\sppsvc.exe  cmd: C:\Windows\system32\sppsvc.exe  PID:2488
  C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe  PID:492
  C:\Windows\system32\lsm.exe  cmd: C:\Windows\system32\lsm.exe  PID:500
C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID:392
C:\Windows\system32\winlogon.exe  cmd: winlogon.exe  PID:432
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:1240
  C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe"  PID:2104
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe  cmd: C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe  PID:2376
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID:2276
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  PID:2876
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  PID:2596
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
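Read together with the WriteProcessMemory listing, the tree above is the whole injection chain: the sample (2104) drops and runs ...mgr.exe (2376), which starts WaterMark.exe (2276) from Program Files (x86), which launches two WoW64 svchost.exe hosts (2876, 2596) and writes into them; 2596 then writes into smss, csrss, wininit and winlogon. The following added example (not code from the report) encodes the three checks a responder applies to such data: svchost.exe whose parent is not services.exe, svchost.exe started without a "-k <group>" argument, and a non-system process writing into protected session processes. The process records and write events are constructed from the PIDs, images, parents and pairs shown in the report (a subset of the tree, with the csrss command lines abbreviated); the rule names and the PROTECTED set are this example's own.

```python
"""Spot the injection chain in a process tree plus cross-process writes.

Added example for the Processes section and the WriteProcessMemory listing of
the Triage report; it is not code from the report. The process records and
write events below are constructed from the report. Three checks:
  1. svchost.exe whose parent is not services.exe (2876 and 2596 are spawned
     by WaterMark.exe);
  2. svchost.exe started without a "-k <group>" argument (every legitimate
     instance in the tree has one; the two injected hosts have none);
  3. a non-system process writing into smss/csrss/wininit/winlogon
     (2596 writes into PIDs 256, 332, 384, 392 and 432).
"""
from dataclasses import dataclass
from typing import Optional
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for roots the report shows at depth 1
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


# Constructed from the Processes section of the report (subset; services.exe
# children that play no role are left out, csrss command lines abbreviated).
PROCS = [
    Proc(256, None, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(332, None, r"C:\Windows\system32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
    Proc(384, None, r"C:\Windows\system32\wininit.exe", "wininit.exe"),
    Proc(476, 384, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    Proc(600, 476, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    Proc(848, 476, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    Proc(392, None, r"C:\Windows\system32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
    Proc(432, None, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Proc(1240, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2104, 1240, r"C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118.exe"'),
    Proc(2376, 2104, r"C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe",
         r"C:\Users\Admin\AppData\Local\Temp\83e21ea5545f76f59a41aced67ade3bd_JaffaCakes118mgr.exe"),
    Proc(2276, 2376, r"C:\Program Files (x86)\Microsoft\WaterMark.exe", r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    Proc(2876, 2276, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(2596, 2276, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
]

# (writer pid, target pid): one per distinct pair in the report's
# "Suspicious use of WriteProcessMemory" listing.
WRITES = [
    (2104, 2376), (2376, 2276), (2276, 2876), (2276, 2596),
    (2596, 256), (2596, 332), (2596, 384), (2596, 392), (2596, 432),
]

# Processes nothing outside session setup should be writing into.
PROTECTED = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
             "services.exe", "lsass.exe"}


def svchost_parent_findings(procs: list) -> list:
    """Rules 1 and 2: svchost.exe not launched by services.exe, or without -k."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if p.name != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None or parent.name != "services.exe":
            out.append(("svchost_bad_parent", p.pid))
        if "-k" not in p.cmdline.lower().split():
            out.append(("svchost_no_group", p.pid))
    return out


def protected_write_findings(procs: list, writes: list) -> list:
    """Rule 3: writes into protected system processes by anything else.

    Parent-to-child writes are not flagged on their own: the sandbox lists
    them, but they are also what legitimate loaders do. Writes into
    smss/csrss/wininit/winlogon by a non-protected process are not.
    """
    by_pid = {p.pid: p for p in procs}
    out = []
    for writer, target in writes:
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            continue
        if t.name in PROTECTED and w.name not in PROTECTED:
            out.append(("write_into_protected", writer, target))
    return out


def injection_chain(procs: list, pid: int) -> list:
    """Walk parents from pid to the root to show how a process got there."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        ppid = by_pid[pid].ppid
        if ppid is None:
            break
        pid = ppid
    return chain


if __name__ == "__main__":
    for finding in svchost_parent_findings(PROCS) + protected_write_findings(PROCS, WRITES):
        print(finding)
    print("ancestry of 2596:", " <- ".join(map(str, injection_chain(PROCS, 2596))))
```

The same three rules port directly to Sysmon event IDs 1 (process create, for the parent and command-line checks) and 8/10 (remote thread and process access with write rights); the WoW64 image path versus the system32 command line is not by itself a signal, since that is ordinary file-system redirection for any 32-bit parent.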
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize: 259KB
    MD5: cb3b65016959c36f8a18cb05a4b73012
    SHA1: a034e710c09cf6a3d4a0522b0c5c3e07530109a6
    SHA256: e983189162c18cc0fd2f80b583c99abbf2412c20f2901b6d5656aa5567ea85a6
    SHA512: c69a28e982824299f6cd689525b36f2f51fd4cb397ed4b38460460d34cf8d5a0f0debf4bf4b4047f0e351e6318d34a98e66d4972b35cbf726e263e91a1b89a3a
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize: 255KB
    MD5: 9e9e78acf391e059e45c3737fc2c12c0
    SHA1: 6882592f34644840466bd725b60f9b134eb0d2da
    SHA256: a83d558a5eaa226d9988144c635450b3ed19567c9684163559fc776df4c032b3
    SHA512: b28c198b3eb8073d7bd78e7b638915691cef6c1f209e7b2f7845ff960a617801c6872c71e19ea9f467fe42600a204996e4bc65485aa5a147d84e09ec7a976e42
  (path not recorded in the report)
    Filesize: 123KB
    MD5: 58ae04d47a7587cba542671907b6a9af
    SHA1: 1f1e13105f87605281aac5666e8e448ab388b113
    SHA256: aaaccf3120e3a27abb632e12c69b5e21056ec88780f001605d763eed9a2d1709
    SHA512: 78e2ecd54578cf8413f025f060412df7855ba661c07fafe0891a6827295a80caa8c3eae2be771786bc49ef5492163530319b86eba10cc6627d40b1677a496401