Analysis

max time kernel: 96s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/10/2024, 07:41

Static task: static1
Behavioral task: behavioral1
Sample: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
Size: 241KB
MD5: 16c669febc9180a25d967de726a83065
SHA1: a71cfe2dcbd34521128b6c3f9340358eda6e3de6
SHA256: f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580
SHA512: dc56797fcc0cfecd7af8fab5a37972894f2203cad7c62bc2339cc74bae487fe49bbf49cdd431275974bd8276dbda1e40521303ea30ae41c411d4cf507a848ebb
SSDEEP: 3072:qnxwgxgfR/DVG7wBpELolQZ6puhCB+9dAqmHymrnsZ8BHZlImLKUwq:a+xDVG0Bpwtw+9aXymzf5lImKXq
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid | Process
2120 | 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
1456 | WaterMark.exe
3820 | WaterMarkmgr.exe
3976 | WaterMark.exe

resource | yara_rule
behavioral2/memory/2000-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2120-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1456-46-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3820-66-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1456-57-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3820-49-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3976-70-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral2/memory/3976-72-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1456-69-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/2000-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1456-76-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/3976-77-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1456-81-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\pxB630.tmp | 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxB67F.tmp | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxB630.tmp | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
224 | 4176 | WerFault.exe | 87
2412 | 3924 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMarkmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188510468" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A8222A-82ED-11EF-9A03-5ED96FC588C3} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "185385265" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135482" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A7FB1A-82ED-11EF-9A03-5ED96FC588C3} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "185072870" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188666756" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "188510468" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{36A59985-82ED-11EF-9A03-5ED96FC588C3} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "185072870" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "185385265" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434879056" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
1456 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
3976 | WaterMark.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1456 | WaterMark.exe
Token: SeDebugPrivilege | 3976 | WaterMark.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
1932 | iexplore.exe
2708 | iexplore.exe
3516 | iexplore.exe
Suspicious use of SetWindowsHookEx 14 IoCs
pid | Process
2708 | iexplore.exe
2708 | iexplore.exe
1932 | iexplore.exe
1932 | iexplore.exe
3516 | iexplore.exe
3516 | iexplore.exe
4128 | IEXPLORE.EXE
4128 | IEXPLORE.EXE
2608 | IEXPLORE.EXE
2608 | IEXPLORE.EXE
5044 | IEXPLORE.EXE
5044 | IEXPLORE.EXE
4128 | IEXPLORE.EXE
4128 | IEXPLORE.EXE
Suspicious use of UnmapMainImage 5 IoCs
pid | Process
2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe
2120 | 16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
1456 | WaterMark.exe
3820 | WaterMarkmgr.exe
3976 | WaterMark.exe
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target
PID 2000 wrote to memory of 2120 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 82
PID 2000 wrote to memory of 2120 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 82
PID 2000 wrote to memory of 2120 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 82
PID 2000 wrote to memory of 1456 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 83
PID 2000 wrote to memory of 1456 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 83
PID 2000 wrote to memory of 1456 | 2000 | 16c669febc9180a25d967de726a83065_JaffaCakes118.exe | 83
PID 1456 wrote to memory of 3820 | 1456 | WaterMark.exe | 84
PID 1456 wrote to memory of 3820 | 1456 | WaterMark.exe | 84
PID 1456 wrote to memory of 3820 | 1456 | WaterMark.exe | 84
PID 3820 wrote to memory of 3976 | 3820 | WaterMarkmgr.exe | 85
PID 3820 wrote to memory of 3976 | 3820 | WaterMarkmgr.exe | 85
PID 3820 wrote to memory of 3976 | 3820 | WaterMarkmgr.exe | 85
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 1456 wrote to memory of 3924 | 1456 | WaterMark.exe | 86
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 3976 wrote to memory of 4176 | 3976 | WaterMark.exe | 87
PID 1456 wrote to memory of 1932 | 1456 | WaterMark.exe | 93
PID 1456 wrote to memory of 1932 | 1456 | WaterMark.exe | 93
PID 1456 wrote to memory of 3516 | 1456 | WaterMark.exe | 94
PID 1456 wrote to memory of 3516 | 1456 | WaterMark.exe | 94
PID 3976 wrote to memory of 2708 | 3976 | WaterMark.exe | 95
PID 3976 wrote to memory of 2708 | 3976 | WaterMark.exe | 95
PID 3976 wrote to memory of 3456 | 3976 | WaterMark.exe | 96
PID 3976 wrote to memory of 3456 | 3976 | WaterMark.exe | 96
PID 2708 wrote to memory of 2608 | 2708 | iexplore.exe | 97
PID 2708 wrote to memory of 2608 | 2708 | iexplore.exe | 97
PID 2708 wrote to memory of 2608 | 2708 | iexplore.exe | 97
PID 1932 wrote to memory of 4128 | 1932 | iexplore.exe | 99
PID 1932 wrote to memory of 4128 | 1932 | iexplore.exe | 99
PID 1932 wrote to memory of 4128 | 1932 | iexplore.exe | 99
PID 3516 wrote to memory of 5044 | 3516 | iexplore.exe | 98
PID 3516 wrote to memory of 5044 | 3516 | iexplore.exe | 98
PID 3516 wrote to memory of 5044 | 3516 | iexplore.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118.exe"
  PID: 2000
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\16c669febc9180a25d967de726a83065_JaffaCakes118mgr.exe
    PID: 2120
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage

  C:\Program Files (x86)\Microsoft\WaterMark.exe
    Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    PID: 1456
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
      Command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
      PID: 3820
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 3976
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 4176

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204
            PID: 224
            - Program crash

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2708
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:17410 /prefetch:2
            PID: 2608
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 3456
          - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 3924

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 204
        PID: 2412
        - Program crash

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1932
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:17410 /prefetch:2
        PID: 4128
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 3516
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:17410 /prefetch:2
        PID: 5044
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3924 -ip 3924
  PID: 3896

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4176 -ip 4176
  PID: 3580
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 241KB
MD5: 16c669febc9180a25d967de726a83065
SHA1: a71cfe2dcbd34521128b6c3f9340358eda6e3de6
SHA256: f28599ac1925dcfeaf87e6456e97cb203650af4f3e886b4470b20752787be580
SHA512: dc56797fcc0cfecd7af8fab5a37972894f2203cad7c62bc2339cc74bae487fe49bbf49cdd431275974bd8276dbda1e40521303ea30ae41c411d4cf507a848ebb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: db7c83e09ebc4317f2bf2df7f66b8513
SHA1: 29d58ef43f72ce7cf79ce6109d038a6c9b4873f0
SHA256: 1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8
SHA512: 6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: fd474e667c4cb0a92df475c48a723071
SHA1: f9a794f103dc8d0b9e4b7b217aa033bb99e90cc0
SHA256: bc6c836021595e606007a95e0cb1388d9e2b4e7619fd2ffa13096f9e1da6f57d
SHA512: 44dc78c9fb5e405946c42e18fd45b7f94ce7503f169169147eb7f58194351112a455d71242fc4c9267ccf63effda009eb6a698cdaf0b4e6564d7ac21154b011c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 6ad0d33790f3a57a6178f4ed4ba8c590
SHA1: 97ee180abfdefdfacd5b52c67967ba315a048fe5
SHA256: 7d85781e4065492c293f4a5e38a8f6c2a8736064ef4930b5103e5da352320100
SHA512: f7ca0793ab2a3f467a45167e7de192202fff7ff656bed31d591b0b6f1ffadb6997b8914e151e8073cc52674b4166dccd617972fabad454f1682d269a8f379964

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 75e12349981ec0bb83c7050c8c137513
SHA1: bc85dae0dd6c095eb88739c8f9d23045c67aba40
SHA256: 3f4fa3d42d0b228f26568f5cb053c44dffc72ed95c63525e80f1bbcfdecf1b52
SHA512: 970b6fa8ee640399fbbb85e8b924ccf9ffc6ee5363b96d12fada8cb96426b4eb695db5be60baa06891754edca1a16f9520a7a7354a059a6b8a536f6a05b441c5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A59985-82ED-11EF-9A03-5ED96FC588C3}.dat
Filesize: 5KB
MD5: e41cee613eddf30d2d7e762b70d319d0
SHA1: 35993845648651f8de8390cb3f0c615d0037b452
SHA256: 53cab9eb866c1a0315379bafbb9f5c4782cd5a5b6d8a18f2cf6f0f36ad88e7c7
SHA512: 3985c864de4cf66c3afa12e2dc0fc46b374e21f0478ba3473fbcafea721ffcd3dc6f6f682ac8d93d195cee841e1858b9871c7ee8dfba717d4a7c5595db51ca14

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A7FB1A-82ED-11EF-9A03-5ED96FC588C3}.dat
Filesize: 3KB
MD5: 20b2bfcf7f977c30c55c30bbfa5b6658
SHA1: f804da8241e2628c4e72d1e467670d8e2fe2722a
SHA256: b337f91dadb09de39b735fcce8cd7e7dba4e6f9cca27b22898486eaad936b8cb
SHA512: 3826f343eed153d05e07a96f0dac7fd5657938ac8b3c118fc85a296194556213c1c39bc094bd2723e5f69dc11735577cfcac6b62e8c837dc303068d25768c50d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A8222A-82ED-11EF-9A03-5ED96FC588C3}.dat
Filesize: 5KB
MD5: 38f735e0d2a9d52206ac7bb9f3792ac6
SHA1: 8f4093528a17a83509e71f2ba728a891e617046e
SHA256: 8eb611c4b8c474da1cb81ff15873e3ff2d9dfeebd6382cbc7d578786dd2caf4b
SHA512: a2826b6b402b72ac313aee6d180e8732540b8a0e4c72bcbd8bcf4015736db4da0248ac3e614e3b2e9af8dd4119e8c4e2c717e2e1074ffa5aca8eeb4628accc19

Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 119KB
MD5: da387bb5ecf64c32251d4b13773a0d23
SHA1: c197b3a2d51900c7b9d7d0bba3feef81d48cf5b5
SHA256: c92f502e604f3dcdd2ddacb06a1ad6f7fc8f56de8b15001a911a63a81ea8535d
SHA512: 4f8e1513b2913f4aaf60883638ad37e5c48aa7426ccc6ae227856c6edcdd26f9d6ddb81a2c76d4768def6ba97fc09859d6e00d3fbf68ad58595a0eb09494dbb2