Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 05/10/2024, 07:41

Static task: static1
Behavioral task: behavioral1
- Sample: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- Size: 241KB
- MD5: 16c669febc9180a25d967de726a83065
- SHA1: a71cfe2dcbd34521128b6c3f9340358eda6e3de6
- SHA256: f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580
- SHA512: dc56797fcc0cfecd7af8fab5a37972894f2203cad7c62bc2339cc74bae487fe49bbf49cdd431275974bd8276dbda1e40521303ea30ae41c411d4cf507a848ebb
- SSDEEP: 3072:qnxwgxgfR/DVG7wBpELolQZ6puhCB+9dAqmHymrnsZ8BHZlImLKUwq:a+xDVG0Bpwtw+9aXymzf5lImKXq
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" by svchost.exe
Executes dropped EXE 3 IoCs
- PID 2656: 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
- PID 1136: WaterMark.exe
- PID 2688: WaterMark.exe
Loads dropped DLL 6 IoCs
- PID 1552: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- PID 1552: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- PID 2656: 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
- PID 2656: 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
- PID 1552: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- PID 1552: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
- File created C:\Windows\SysWOW64\dmlconf.dat by svchost.exe
- File opened for modification C:\Windows\SysWOW64\dmlconf.dat by svchost.exe
yara_rule matches (resource: rule)
- behavioral1/memory/1136-47-0x0000000000400000-0x0000000000429000-memory.dmp: upx
- behavioral1/memory/1136-61-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2688-60-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2688-59-0x0000000000400000-0x0000000000429000-memory.dmp: upx
- behavioral1/memory/1552-27-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2656-24-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2656-22-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2656-21-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1552-14-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1552-13-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1552-12-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1552-11-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1136-373-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2688-372-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/2688-721-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral1/memory/1136-724-0x0000000000400000-0x0000000000421000-memory.dmp: upx
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WaterMark.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WaterMark.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
Suspicious use of AdjustPrivilegeToken 7 IoCs
- Token: SeDebugPrivilege, PID 1136 WaterMark.exe
- Token: SeDebugPrivilege, PID 2688 WaterMark.exe
- Token: SeDebugPrivilege, PID 1716 svchost.exe
- Token: SeDebugPrivilege, PID 1136 WaterMark.exe
- Token: SeDebugPrivilege, PID 2640 svchost.exe
- Token: SeDebugPrivilege, PID 2688 WaterMark.exe
- Token: SeDebugPrivilege, PID 2292 svchost.exe
Suspicious use of UnmapMainImage 4 IoCs
- PID 1552: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
- PID 2656: 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
- PID 1136: WaterMark.exe
- PID 2688: WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- C:\Windows\System32\smss.exe (PID 256)
  command line: \SystemRoot\System32\smss.exe
- C:\Windows\system32\csrss.exe (PID 332)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (PID 380)
  command line: wininit.exe
  - C:\Windows\system32\services.exe (PID 476)
    command line: C:\Windows\system32\services.exe
    - C:\Windows\system32\svchost.exe (PID 600)
      command line: C:\Windows\system32\svchost.exe -k DcomLaunch
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 1744)
        command line: C:\Windows\system32\wbem\wmiprvse.exe
      - C:\Windows\system32\DllHost.exe (PID 1632)
        command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      - C:\Windows\system32\wbem\wmiprvse.exe (PID 564)
        command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    - C:\Windows\system32\svchost.exe (PID 680)
      command line: C:\Windows\system32\svchost.exe -k RPCSS
    - C:\Windows\System32\svchost.exe (PID 760)
      command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - C:\Windows\System32\svchost.exe (PID 804)
      command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - C:\Windows\system32\Dwm.exe (PID 1160)
        command line: "C:\Windows\system32\Dwm.exe"
    - C:\Windows\system32\svchost.exe (PID 840)
      command line: C:\Windows\system32\svchost.exe -k netsvcs
    - C:\Windows\system32\svchost.exe (PID 964)
      command line: C:\Windows\system32\svchost.exe -k LocalService
    - C:\Windows\system32\svchost.exe (PID 280)
      command line: C:\Windows\system32\svchost.exe -k NetworkService
    - C:\Windows\System32\spoolsv.exe (PID 1036)
      command line: C:\Windows\System32\spoolsv.exe
    - C:\Windows\system32\taskhost.exe (PID 1060)
      command line: "taskhost.exe"
    - C:\Windows\system32\svchost.exe (PID 1096)
      command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 812)
      command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    - C:\Windows\system32\svchost.exe (PID 2028)
      command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - C:\Windows\system32\sppsvc.exe (PID 1300)
      command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\lsass.exe (PID 492)
    command line: C:\Windows\system32\lsass.exe
  - C:\Windows\system32\lsm.exe (PID 500)
    command line: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe (PID 396)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\winlogon.exe (PID 432)
  command line: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1184)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe (PID 1552)
    command line: "C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe"
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe (PID 2656)
      command line: C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 1136)
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe (PID 2292)
          command line: C:\Windows\system32\svchost.exe
          signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\svchost.exe (PID 2640)
          command line: C:\Windows\system32\svchost.exe
          signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2688)
      command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID 2596)
        command line: C:\Windows\system32\svchost.exe
        signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\svchost.exe (PID 1716)
        command line: C:\Windows\system32\svchost.exe
        signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 119KB
  MD5: da387bb5ecf64c32251d4b13773a0d23
  SHA1: c197b3a2d51900c7b9d7d0bba3feef81d48cf5b5
  SHA256: c92f502e604f3dcdd2ddacb06a1ad6f7fc8f56de8b15001a911a63a81ea8535d
  SHA512: 4f8e1513b2913f4aaf60883638ad37e5c48aa7426ccc6ae227856c6edcdd26f9d6ddb81a2c76d4768def6ba97fc09859d6e00d3fbf68ad58595a0eb09494dbb2

- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 252KB
  MD5: 07080e3d4e8d45831d07ad84c0a0aefe
  SHA1: 3ce802e8d8038f84a3723c067bbee1f87537beb9
  SHA256: b98555f40911dc9c59b74a050930c4b085a0935213e4d8d8e51ca7ddbfeee704
  SHA512: ccbe78fe813cbca4f388db0f208a7363caeb5f31906cb99c4d2ab7d478b7413fcd43b51db15f1600e80ba346d3747432ea8538358ae030c9430639a5d52ab192

- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 248KB
  MD5: f339ba4d9f79b4e25a911e1544008efa
  SHA1: 53838d61c91286f916961927a080c43773830b97
  SHA256: 986e0f60cc874cfb699aaa64f5252947743b74a9d1c8f5e708601dd63693a928
  SHA512: c47a725c2e0cb8bd15ccb96621bce43bb507754f8c5cdb7866d63dbf804d8e9158e993154fc903d0a70be6dba85a6a7ec0e8ce824d5c1543093f2e84fe0127b2