Analysis
-
max time kernel
92s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 21:20
Static task
static1
Behavioral task
behavioral1
Sample
108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll
-
Size
432KB
-
MD5
108bdf02c9eef1175ea53df02020ac7a
-
SHA1
4a19e66696c5e9a6f53dd5536c3608f9d485f0c9
-
SHA256
a1d33cfc2c83a6b6a7a30966f9b90be161bf62c99879567888432a62a17d27ae
-
SHA512
ca04b04affb68c3e5141504a499c34e7187fbe4dae3dc248d129e6e20f901de5d05f12a2ee5bc813ba2b17dd0d7fe38824e5a49a7eca3391f45399607a726ce5
-
SSDEEP
6144:Hl9XgnzxOP/sFR2h+9q1kih6ibUxrp3/vIyReNMMXUOVEqx4eKhN02DKOMby89VP:HlCzcMg+9YkDiQ3/QjFXUje+hNF4VETK
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
pid Process 1536 rundll32mgr.exe 2076 rundll32mgrmgr.exe 2248 WaterMark.exe 2892 WaterMark.exe 1792 WaterMarkmgr.exe 1676 WaterMark.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\rundll32mgrmgr.exe rundll32mgr.exe -
resource yara_rule behavioral2/memory/1536-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2076-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2076-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-24-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-33-0x0000000000400000-0x000000000043C000-memory.dmp upx behavioral2/memory/1536-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1536-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2248-63-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2892-62-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1792-61-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2248-79-0x0000000000400000-0x000000000043C000-memory.dmp upx behavioral2/memory/2892-80-0x0000000000400000-0x000000000043C000-memory.dmp upx behavioral2/memory/2248-86-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2892-85-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1676-87-0x0000000000400000-0x000000000043C000-memory.dmp upx behavioral2/memory/2248-88-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 10 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgrmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe WaterMarkmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxBC7A.tmp rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxBC7A.tmp rundll32mgrmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File opened for modification C:\Program Files (x86)\Microsoft\pxBCF7.tmp WaterMarkmgr.exe -
Program crash 4 IoCs
pid pid_target Process procid_target 5060 4296 WerFault.exe 82 2312 980 WerFault.exe 91 1988 4208 WerFault.exe 96 1232 608 WerFault.exe 93 -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgrmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135194" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "836339969" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "836183568" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135194" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D6673B4-81CD-11EF-84CD-562BAB028465} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D61AF5A-81CD-11EF-84CD-562BAB028465} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "838839672" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5D68FD53-81CD-11EF-84CD-562BAB028465} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135194" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135194" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "838839672" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135194" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "838839672" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "836339969" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 2892 WaterMark.exe 2248 WaterMark.exe 2892 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2248 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 2892 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe 1676 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2892 WaterMark.exe Token: SeDebugPrivilege 2248 WaterMark.exe Token: SeDebugPrivilege 1676 WaterMark.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3120 iexplore.exe 4464 iexplore.exe 3592 iexplore.exe 2772 iexplore.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 3120 iexplore.exe 3120 iexplore.exe 4464 iexplore.exe 4464 iexplore.exe 3592 iexplore.exe 3592 iexplore.exe 2772 iexplore.exe 2772 iexplore.exe 3248 IEXPLORE.EXE 3248 IEXPLORE.EXE 1008 IEXPLORE.EXE 1008 IEXPLORE.EXE 3036 IEXPLORE.EXE 3036 IEXPLORE.EXE 768 IEXPLORE.EXE 768 IEXPLORE.EXE 3248 IEXPLORE.EXE 3248 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 6 IoCs
pid Process 1536 rundll32mgr.exe 2076 rundll32mgrmgr.exe 2892 WaterMark.exe 2248 WaterMark.exe 1792 WaterMarkmgr.exe 1676 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 4296 2344 rundll32.exe 82 PID 2344 wrote to memory of 4296 2344 rundll32.exe 82 PID 2344 wrote to memory of 4296 2344 rundll32.exe 82 PID 4296 wrote to memory of 1536 4296 rundll32.exe 83 PID 4296 wrote to memory of 1536 4296 rundll32.exe 83 PID 4296 wrote to memory of 1536 4296 rundll32.exe 83 PID 1536 wrote to memory of 2076 1536 rundll32mgr.exe 85 PID 1536 wrote to memory of 2076 1536 rundll32mgr.exe 85 PID 1536 wrote to memory of 2076 1536 rundll32mgr.exe 85 PID 1536 wrote to memory of 2248 1536 rundll32mgr.exe 87 PID 1536 wrote to memory of 2248 1536 rundll32mgr.exe 87 PID 1536 wrote to memory of 2248 1536 rundll32mgr.exe 87 PID 2076 wrote to memory of 2892 2076 rundll32mgrmgr.exe 88 PID 2076 wrote to memory of 2892 2076 rundll32mgrmgr.exe 88 PID 2076 wrote to memory of 2892 2076 rundll32mgrmgr.exe 88 PID 2248 wrote to memory of 1792 2248 WaterMark.exe 89 PID 2248 wrote to memory of 1792 2248 WaterMark.exe 89 PID 2248 wrote to memory of 1792 2248 WaterMark.exe 89 PID 1792 wrote to memory of 1676 1792 WaterMarkmgr.exe 90 PID 1792 wrote to memory of 1676 1792 WaterMarkmgr.exe 90 PID 1792 wrote to memory of 1676 1792 WaterMarkmgr.exe 90 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2248 wrote to memory of 980 2248 WaterMark.exe 91 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 2892 wrote to memory of 608 2892 WaterMark.exe 93 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 1676 wrote to memory of 4208 1676 WaterMark.exe 96 PID 2248 wrote to memory of 2772 2248 WaterMark.exe 101 PID 2248 wrote to memory of 2772 2248 WaterMark.exe 101 PID 2248 wrote to memory of 3592 2248 WaterMark.exe 102 PID 2248 wrote to memory of 3592 2248 WaterMark.exe 102 PID 2892 wrote to memory of 4464 2892 WaterMark.exe 103 PID 2892 wrote to memory of 4464 2892 WaterMark.exe 103 PID 2892 wrote to memory of 3120 2892 WaterMark.exe 104 PID 2892 wrote to memory of 3120 2892 WaterMark.exe 104 PID 1676 wrote to memory of 4876 1676 WaterMark.exe 105 PID 1676 wrote to memory of 4876 1676 WaterMark.exe 105 PID 1676 wrote to memory of 3604 1676 WaterMark.exe 106 PID 1676 wrote to memory of 3604 1676 WaterMark.exe 106 PID 4464 wrote to memory of 1008 4464 iexplore.exe 108 PID 4464 wrote to memory of 1008 4464 iexplore.exe 108 PID 4464 wrote to memory of 1008 4464 iexplore.exe 108 PID 3120 wrote to memory of 3248 3120 iexplore.exe 107
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\108bdf02c9eef1175ea53df02020ac7a_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵PID:608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 2127⤵
- Program crash
PID:1232
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4464 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3120 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3248
-
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵PID:4208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2128⤵
- Program crash
PID:1988
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
PID:4876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
PID:3604
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 2046⤵
- Program crash
PID:2312
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2772 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:768
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3592 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3592 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3036
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 6123⤵
- Program crash
PID:5060
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4296 -ip 42961⤵PID:3652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 980 -ip 9801⤵PID:1184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 608 -ip 6081⤵PID:4192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4208 -ip 42081⤵PID:1148
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD56de4427d02d49cee2c46a8fead1fafa8
SHA1bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA25646d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5e644088496fb4209f36ab9a39b932882
SHA19b0319b50185345b8fe26aae6d4b9abd7dca7b94
SHA256c3a268110545fbd7f8f4b2e284fc90d7d7a4ba58ddfd43403dbc49cf7cf5e3b2
SHA512a05a60e90f07503bc02428c7a46201acb5f6594c6636ab7562f1febd3a4b59b1b7b6a30c4fe499d792281ba1d6c0f8e4968e96cb993429cf6fefeeed252de400
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD54074aac51971ff9dc04d1992e47c2d34
SHA1f61a9a101bac19e1a2939f4295ae859be7298034
SHA2563e8d9dad5b32fbe8e1d18db92837aff7030ed6fec7e5d84d99937bb801b134e4
SHA512764b02cbe121ba905aad359660ea6da1569ba35df90b61a093112d6ce2724c021f711ca47f323d5b6275162f3334a0aebdce6602cf0649f9808cee897c6bb6c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD543292c52c02bad43207ab69552a2b9f9
SHA19d98b405517edca62683c02e13038bd0ebbd7d30
SHA256a20e436e6eafba59c5c173d9945d470ca893f8eba266cc925f14089014c78119
SHA51263e6447d9e70776f1fa7b3827b46f5bc4771e37249077a52ae3ce9ea9eeefc1b16300787ec4a44ea84ad2cec6e1ae465818a8e1ff6c503bf8f2a6477a64245a1
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D61AF5A-81CD-11EF-84CD-562BAB028465}.dat
Filesize3KB
MD5835161b283033c9a1e7aab24cf6b353b
SHA1bc54a9d73ba6c6a522a13e0c12819f127567f892
SHA2562b891e89eae1f38cc5e1977bd00d60453cb318272569141a33642143a0b6dfaf
SHA512d7fa0257f7c29f1cdd80091036bc587264ef26b37e857864c11aa4b41417638e95d8273e0019c05bf7fc11d5dac7fe6a25113a8978035e6c2632e1e9f8d378a7
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6673B4-81CD-11EF-84CD-562BAB028465}.dat
Filesize3KB
MD5558c59697cce69b4ed4fe44cc84b4130
SHA17cfb90c3ed098869d8a2552289ca61001fefbb1e
SHA256a8de6cece70f0745b13e1ee6ee041ac6a5f2069c3f437ed70adc79ae2051e284
SHA512d69057d2e1607d25d444f51e44578fb8728a2f6c00498b4bf4dee4ddd8392bdf8df5103e1f1b048b38eb966d8aa6dec8a25c2f9c9ae01712d27998fd73597c98
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D6673B4-81CD-11EF-84CD-562BAB028465}.dat
Filesize5KB
MD5836f342e272dab8c471bfa5d462a2c9d
SHA104e0da20247df075feb144208445b4c53f0c4116
SHA256619c6b74650b5f053096c17546b15a8b8e4467e5a8f7ce2e00fd034b171112e4
SHA5120caae8073aa3c18464fba2e844d051ad28783eb1055878733dae848adfb63538bea7354b045373561cccf0574fa9628e9ee71b5a23fc2ecf71f7c828ae123c95
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5D68FD53-81CD-11EF-84CD-562BAB028465}.dat
Filesize5KB
MD52820c23b8ce9cd08735bac8bbf66bdb8
SHA1d185bc2a788fcfa7d1340cd2117cb2847a9b9167
SHA256a23656ebdf635d512f1c008563070dcee7684fb680fdca65e7f4d264a5899136
SHA512d4151990975d8b2dac54a97242fe09d5ace7ceeab4b7d7e2caddd347e50925f3f9aef0136d7157d960b8b82dee1b4c24f4ea2147d71bf51923c1e77e961fbed8
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
193KB
MD5b80ba009ada99611fb0f58a874e2a2c6
SHA1233a75da371c7de9d55b6e69a11b1520d4d4758b
SHA256cde713c433fff87c62831354e844a867acd211c14ff314589526ea4488c4b0db
SHA5129097abf9565ed788ab781758a27b5552b0d847fcbb7c6fb8cf312efd6d640bcb0fc79a9798b0ea39a71f3fa126bb366947b33a4b8656c1a0743e33186ac761a2
-
Filesize
95KB
MD56bde351c18bbc50d5131f901df12e0ae
SHA1f6f3aa982d86f8756db87772da94f8d8ad0bbdfe
SHA2561f1b20a143a5cc4d1c103453b7c0f465f6cf1e1ae20425f416480c6fc968d9de
SHA512da954bb740377e5ecbb74f227453ccefc68d0ac55deeb800dd6d3939765b34cfcb46fd3dfff1fea68b5ded09c310409f0d2f628dd2bfe35f20e6d22c321be4dc