Analysis
-
max time kernel
92s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2024 17:52
Static task
static1
Behavioral task
behavioral1
Sample
414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe
-
Size
121KB
-
MD5
414219c99524f80257ba1fe2c9f44360
-
SHA1
5066d2cfbd55c5a4f9613186ca44d6a0bd1155fa
-
SHA256
0141b9a6b51d4b0fc212d9e41859818572ba240d669f0f490861467d3cae2167
-
SHA512
83ee8e117372f374577de89575488aecac75c91d1787a59be597352c3e541117d585a20f8fe6a48f92806cc9aa8fde8197af0f596826854ae501c86f229fc753
-
SSDEEP
3072:VR2xn3k0CdM1vabyzJYWqmrAZd9vQl8WrNkyeUVj70:VR2J0LS6VKAZ7YlpBqUe
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
pid Process 1328 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe 4616 WaterMark.exe 3084 WaterMark.exe 2100 WaterMarkmgr.exe 4324 WaterMark.exe -
resource yara_rule behavioral2/memory/4916-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4616-41-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4616-43-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1328-25-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4916-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4616-71-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2100-68-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2100-62-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3084-60-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3084-82-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3084-85-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3084-87-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/4324-89-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/4616-90-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\WaterMark.exe WaterMarkmgr.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe WaterMark.exe File opened for modification C:\Program Files (x86)\Microsoft\pxF760.tmp WaterMarkmgr.exe File opened for modification C:\Program Files (x86)\Microsoft\pxF676.tmp 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\pxF685.tmp 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 1388 4344 WerFault.exe 89 5036 2340 WerFault.exe 88 4632 2228 WerFault.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3049881810" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3053944526" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435606910" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137176" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137176" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3053944526" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1671C7F-898B-11EF-BDBF-622000771059} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1697EE4-898B-11EF-BDBF-622000771059} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3049881810" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137176" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137176" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 4616 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 3084 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe 4324 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4616 WaterMark.exe Token: SeDebugPrivilege 3084 WaterMark.exe Token: SeDebugPrivilege 4324 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 5068 iexplore.exe 3292 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 5068 iexplore.exe 5068 iexplore.exe 3292 iexplore.exe 3292 iexplore.exe 768 IEXPLORE.EXE 768 IEXPLORE.EXE 4436 IEXPLORE.EXE 4436 IEXPLORE.EXE 768 IEXPLORE.EXE 768 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 6 IoCs
pid Process 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 1328 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe 4616 WaterMark.exe 3084 WaterMark.exe 2100 WaterMarkmgr.exe 4324 WaterMark.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 4916 wrote to memory of 1328 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 84 PID 4916 wrote to memory of 1328 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 84 PID 4916 wrote to memory of 1328 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 84 PID 4916 wrote to memory of 4616 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 85 PID 4916 wrote to memory of 4616 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 85 PID 4916 wrote to memory of 4616 4916 414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe 85 PID 1328 wrote to memory of 3084 1328 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe 86 PID 1328 wrote to memory of 3084 1328 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe 86 PID 1328 wrote to memory of 3084 1328 414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe 86 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 3084 wrote to memory of 2100 3084 WaterMark.exe 87 PID 3084 wrote to memory of 2100 3084 WaterMark.exe 87 PID 3084 wrote to memory of 2100 3084 WaterMark.exe 87 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 4616 wrote to memory of 2340 4616 WaterMark.exe 88 PID 2100 wrote to memory of 4324 2100 WaterMarkmgr.exe 90 PID 2100 wrote to memory of 4324 2100 WaterMarkmgr.exe 90 PID 2100 wrote to memory of 4324 2100 WaterMarkmgr.exe 90 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 3084 wrote to memory of 4344 3084 WaterMark.exe 89 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4324 wrote to memory of 2228 4324 WaterMark.exe 94 PID 4616 wrote to memory of 3292 4616 WaterMark.exe 101 PID 4616 wrote to memory of 3292 4616 WaterMark.exe 101 PID 4616 wrote to memory of 5068 4616 WaterMark.exe 102 PID 4616 wrote to memory of 5068 4616 WaterMark.exe 102 PID 3084 wrote to memory of 3420 3084 WaterMark.exe 103 PID 3084 wrote to memory of 3420 3084 WaterMark.exe 103 PID 3084 wrote to memory of 2628 3084 WaterMark.exe 104 PID 3084 wrote to memory of 2628 3084 WaterMark.exe 104 PID 3292 wrote to memory of 4436 3292 iexplore.exe 105 PID 3292 wrote to memory of 4436 3292 iexplore.exe 105 PID 3292 wrote to memory of 4436 3292 iexplore.exe 105 PID 5068 wrote to memory of 768 5068 iexplore.exe 106 PID 5068 wrote to memory of 768 5068 iexplore.exe 106 PID 5068 wrote to memory of 768 5068 iexplore.exe 106 PID 4324 wrote to memory of 1404 4324 WaterMark.exe 107 PID 4324 wrote to memory of 1404 4324 WaterMark.exe 107 PID 4324 wrote to memory of 4476 4324 WaterMark.exe 108 PID 4324 wrote to memory of 4476 4324 WaterMark.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\414219c99524f80257ba1fe2c9f44360_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\414219c99524f80257ba1fe2c9f44360_JaffaCakes118mgr.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵PID:2228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 2047⤵
- Program crash
PID:4632
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
PID:1404
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
PID:4476
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:4344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2045⤵
- Program crash
PID:1388
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
PID:3420
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
PID:2628
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:2340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2044⤵
- Program crash
PID:5036
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3292 CREDAT:17410 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4436
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5068 CREDAT:17410 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:768
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2340 -ip 23401⤵PID:3216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4344 -ip 43441⤵PID:3924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2228 -ip 22281⤵PID:1416
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD5414219c99524f80257ba1fe2c9f44360
SHA15066d2cfbd55c5a4f9613186ca44d6a0bd1155fa
SHA2560141b9a6b51d4b0fc212d9e41859818572ba240d669f0f490861467d3cae2167
SHA51283ee8e117372f374577de89575488aecac75c91d1787a59be597352c3e541117d585a20f8fe6a48f92806cc9aa8fde8197af0f596826854ae501c86f229fc753
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1671C7F-898B-11EF-BDBF-622000771059}.dat
Filesize3KB
MD5cc5de3b8c8adc6cf7ab561c220b4abf1
SHA16171e0f6827c803ad7f19f2a305bc7ab7aa43cb3
SHA256c80ff26f1229a066417ab667a33f11a4810c8522fca2407fef2ae16a04e9d618
SHA5121b9bf316448f325a1ace96b55da9f341768c72566c90c1c74c24b94d2e1dfcff9b60227acc1da922e7d9f78e8784011f70f3736ee6831e0e99122ecc1e2db02e
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1697EE4-898B-11EF-BDBF-622000771059}.dat
Filesize5KB
MD52d9a344fe02eab23f612db06a41015f5
SHA1fb5c01ddcad80504a413f49c84953be05dfdcf9d
SHA25670427f0f1710188c91eff3ff0fe6dd6b075732785c14135db5cf9169767f1330
SHA512fe37277a6d4ff1de5a622f3ec66d4ac80db89a452b1d0cbba86389581ad6d1d635cdaeef3e3023927bff46b1efc78c3a9cd91d9cad307ecddfbc7c1e9f4277ba
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
59KB
MD5f2c8b7e238a07cce22920efb1c8645a6
SHA1cd2af4b30add747e222f938206b78d7730fdf346
SHA2566b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699