ramnit | a5dda4343a9c554dfedc734a79229d37288a850ef1217051069572162ed4d7c9

General

Target

90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
Size

316KB
MD5

90d44862fd7a2e05f2511988ff360d5f
SHA1

168ef5a541e3a90233bc896a8910d760e47f82e7
SHA256

a5dda4343a9c554dfedc734a79229d37288a850ef1217051069572162ed4d7c9
SHA512

f20cf7257a152e9f821ee0c2b73f10ac9cc9d4db868f51ac7604296b7cd8df232d521fd8df1614f741e368867d5e8d83b0fcb5b379c884b7f5ae384c21e13ef8
SSDEEP

6144:O5+QAs8Yqz+CLetk43n6JEaWeuk1i9QsjbWN1e6SKT:ZQAs8YJtksn6J3W5k1iPY1bSKT

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Executes dropped EXE 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

3164 regsvr32mgr.exe
508 WaterMark.exe
Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe

pid	process
3164	regsvr32mgr.exe
508	WaterMark.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3164-6-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-7-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-5-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/508-29-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3164-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/508-35-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/508-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

regsvr32mgr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px6254.tmp	regsvr32mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	regsvr32mgr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5084 3960 WerFault.exe svchost.exe

pid	pid_target	process	target process
5084	3960	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEIEXPLORE.EXEregsvr32.exeregsvr32mgr.exeWaterMark.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "918610776"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145457"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439163358"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{624445D8-A9E4-11EF-BEF1-F6235BFAC6D3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "918454770"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145457"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{623F81A4-A9E4-11EF-BEF1-F6235BFAC6D3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "920642831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "920642831"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "918454770"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145457"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "918610776"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\ = "CddbFullName Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID\ = "{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\ProgID\ = "CDDBControlWinamp5.CddbCredit.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\ = "CDDBWinamp5Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\ = "CddbFullName Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\ProgID\ = "CDDBControlWinamp5.CddbDisc.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2.1\ = "CDDBControl2 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\VersionIndependentProgID\ = "CDDBControlWinamp5.CddbFullName"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\TypeLib\ = "{092c84ce-ce92-439f-9c12-997beea855d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\MiscStatus\1\ = "135569"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID\ = "{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControl.CDDBControl2.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer\ = "CDDBControlWinamp5.CddbCredit.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp.CddbDisc\CLSID\ = "{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp.CddbDisc\CurVer\ = "CDDBControlWinamp5.CddbDisc.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ProgID\ = "CDDBControlWinamp5.CDDBWinamp5Control.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\ = "CddbDisc Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\TypeLib\ = "{092c84ce-ce92-439f-9c12-997beea855d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}\VersionIndependentProgID\ = "CDDBControl.CDDBControl2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll, 104"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\TypeLib\ = "{092c84ce-ce92-439f-9c12-997beea855d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\TypeLib\ = "{092c84ce-ce92-439f-9c12-997beea855d2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID\ = "{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\ = "CddbCredit Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\VersionIndependentProgID\ = "CDDBControlWinamp5.CddbCredit"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID\ = "{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\ = "CDDBWinamp5Control Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\VersionIndependentProgID\ = "CDDBControlWinamp5.CDDBWinamp5Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}\ = "CddbCredit Class"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WaterMark.exe

pid	process
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe
508	WaterMark.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WaterMark.exe

description pid process

Token: SeDebugPrivilege 508 WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

3860 iexplore.exe
2712 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	508	WaterMark.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3860	iexplore.exe
3860	iexplore.exe
2712	iexplore.exe
2712	iexplore.exe
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
4588	IEXPLORE.EXE
4588	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

regsvr32mgr.exeWaterMark.exe

pid process

3164 regsvr32mgr.exe
508 WaterMark.exe

pid	process
3164	regsvr32mgr.exe
508	WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32mgr.exeWaterMark.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1620 wrote to memory of 2056	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 2056	1620	regsvr32.exe	regsvr32.exe
PID 1620 wrote to memory of 2056	1620	regsvr32.exe	regsvr32.exe
PID 2056 wrote to memory of 3164	2056	regsvr32.exe	regsvr32mgr.exe
PID 2056 wrote to memory of 3164	2056	regsvr32.exe	regsvr32mgr.exe
PID 2056 wrote to memory of 3164	2056	regsvr32.exe	regsvr32mgr.exe
PID 3164 wrote to memory of 508	3164	regsvr32mgr.exe	WaterMark.exe
PID 3164 wrote to memory of 508	3164	regsvr32mgr.exe	WaterMark.exe
PID 3164 wrote to memory of 508	3164	regsvr32mgr.exe	WaterMark.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 3960	508	WaterMark.exe	svchost.exe
PID 508 wrote to memory of 2712	508	WaterMark.exe	iexplore.exe
PID 508 wrote to memory of 2712	508	WaterMark.exe	iexplore.exe
PID 508 wrote to memory of 3860	508	WaterMark.exe	iexplore.exe
PID 508 wrote to memory of 3860	508	WaterMark.exe	iexplore.exe
PID 2712 wrote to memory of 640	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 640	2712	iexplore.exe	IEXPLORE.EXE
PID 2712 wrote to memory of 640	2712	iexplore.exe	IEXPLORE.EXE
PID 3860 wrote to memory of 4588	3860	iexplore.exe	IEXPLORE.EXE
PID 3860 wrote to memory of 4588	3860	iexplore.exe	IEXPLORE.EXE
PID 3860 wrote to memory of 4588	3860	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\90d44862fd7a2e05f2511988ff360d5f_JaffaCakes118.dll
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:508
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 204
        6⤵
        Program crash
        
        PID:5084
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:640
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3860
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3860 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7fecd001d472e28495336306d3e0b570

SHA1
7dabf5687a11d1d8f92f8ffd348fb73bf077e960

SHA256
d3b1b54dfa02ea5cf017cd692023d382defa55e40749816bbddcc3e8ef5e9bff

SHA512
5255e2e7897f3abc246464dacea7d32b54a8bdb88806e9d0f54a3d23e76074e2a88adaa35789c32b68d0ca8d6f67726c9ceec31597f3b05628b29cd52af613db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f2f60849a7654d06f39f8fe17dac2704

SHA1
61f4ff55fab840d3ca2fecd26d07dd47a2703dcc

SHA256
85344a3f411ddb77c0f89f4c958480f2d174b0cfb912c773c1d206cb27cc24b0

SHA512
a3818cc4c2b3a34b0efa8106936ca832bbf2a294841910ba87d7acba6184322493dfa520d1985361dcea7f06daa6828625673eda3301ea498fb825a2e344d0ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
7e86c4dbc2f0670062e979da08bdcfcb

SHA1
8abee19aa1d4f2894239afedf82edfa061bf740f

SHA256
c645fd284db9e8d2020a6ee14507cd7467fd4956bc8a3a4c4088f57b350f434a

SHA512
c99eae873bc0dbd0fdbb22c6fb287a9fc74db25f913eb62e52cf82c0c36b6433d31a4e6ec6ee32fa1da916c94b08c7e5e42c2f1021b6418ea4dc03113f8c80b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{623F81A4-A9E4-11EF-BEF1-F6235BFAC6D3}.dat

Filesize
3KB

MD5
23ab2cc5656d325eecc9e4d70055d5b4

SHA1
9e1d8d549d955a2bd2ba8b15e0821ead3b93a2b4

SHA256
3327fe9e792a29ad30d9f30c076b79fd539736f767bb56cbfe4cacb9726c0e10

SHA512
bac6034cadcc5904da2694f2ae3a04b854d81dab7e67172401876deea262d0af4aa432b5721e084979475a02b0d66f2ce805193973e49a61144a75a24539a60f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{624445D8-A9E4-11EF-BEF1-F6235BFAC6D3}.dat

Filesize
5KB

MD5
2fbbc006b3c88980f164cd4696766a52

SHA1
a7b3758135bd6a0a4d569733ac6973b7c6b44c62

SHA256
019ff4dbff20be1ad85a8a035985159ea65292e561599aaf66b897b962ed2d62

SHA512
141e3ebc0dc60b1fec55803996f2fa59e419994cfacf393df03fd63489ddc71ee37e59c5cc388442c9b61e4239199df8f78dd233080e0296ebade33f6a5ac925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE57E.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0GUUC90F\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
59KB

MD5
0e0f0ae845d89c22bb6385f64a6b85fd

SHA1
0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

SHA256
5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

SHA512
baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

Download Submit
memory/508-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/508-28-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

Filesize
4KB

Download
memory/508-29-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/508-27-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/508-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/508-34-0x0000000077CB2000-0x0000000077CB3000-memory.dmp

Filesize
4KB

Download
memory/508-33-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2056-0-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/3164-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-10-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3164-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-5-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-7-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3164-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3960-31-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3960-32-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads