ramnit | 512bb2a447e76276245b8c753d271f9a6ec5a482eadb45f28da2177936a01055

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

975ce7ff59e6e1668f639d77d2efb0a8_JaffaCakes118.dll
Size

399KB
MD5

975ce7ff59e6e1668f639d77d2efb0a8
SHA1

e9fbee414dc38849a2028196dabb233f953f5b07
SHA256

512bb2a447e76276245b8c753d271f9a6ec5a482eadb45f28da2177936a01055
SHA512

2c8d67c305fd0e81d45c58ddbea80a8c85e9c367d371eda981ffafdaf11cc2c03fc760e7420557645a33885a8386e975cb5c1437be046a93566ef7457fb4ad5d
SSDEEP

3072:f2mUj2nDsNSToMb06HryEI2MnirCWDxBE8i5Em1lSDuH/8RPKocs0hcbbgznd95c:ZRy5y6OrXrhNtkRkkmfZ4X4/bR4wzgE

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2052	regsvr32mgr.exe
2332	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2516	regsvr32.exe
2516	regsvr32.exe
2052	regsvr32mgr.exe
2052	regsvr32mgr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-35-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2332-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-15-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2052-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2052-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2332-76-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2332-621-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ViewerPS.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libadjust_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sqmapi.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglinterop_dxva2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B2C867E6-69D6-46F2-A611-DED9A4BD7FEF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{16A4841D-77E7-463D-A47F-86EBF32A787F}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC9E51C1-4E5D-11D3-9144-00104BA11C5E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BE2D872-86AA-4D47-B776-32CCA40C7018}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AC3D9F0-175C-11D1-95BE-00609797EA4F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55CCB004-59B1-4B9F-A174-2CB9392EBC24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD364CE-ADCB-11D3-8269-00805FC732C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30510410-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6295DF2C-35EE-11D1-8707-00C04FD93327}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F360-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods\ = "7"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77F295D5-2D6F-4E19-B8AE-322F3E721AB5}\ = "ITransferMediumItem"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973510DB-7D7F-452B-8975-74A85828D354}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AE6C0C49-C1CD-411E-A177-A78BCE40A5D0}\ = "IShellTabWindow"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CEA2CC7-C557-480C-B44D-04172E801C7F}\ = "IFontManagerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFF994DD-E785-11D6-8F9F-00065BBD32BD}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74C26041-70D1-11D1-B75A-00A0C90564FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E757B2F5-E73E-434E-A1BF-2BD7C3E60FCB}\ = "IXFeedItem"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C1C7E2E-2D0E-4059-831E-1E6F82335C2E}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2AD6C81C-42DC-46B8-931B-EE0DB2A20D1B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{193215BF-3815-441A-98BC-589DB62452A6}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002E011-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{602D4995-B13A-429B-A66E-1935E44F4317}\ = "ITaskbarList2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000214F2-0000-0000-C000-000000000046}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{62F191AB-FEE5-4966-83C1-426D9754DFF1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D10F6761-83E9-11CF-8F20-00805F2CD064}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7847EC01-2BEC-11D0-82B4-00A0C90C29C5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4CD19ADA-25A5-4A32-B3B7-347BEE5BE36B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F2DEC15-7A70-45DD-8913-2A230CDB195B}\ = "IBrowserFrameCallbackManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AF4B09C-7312-4A4E-ADED-342D15E8EF1D}\ = "IShellExtPrerequisiteDelegate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5F78C80-5252-11CF-90FA-00AA0042106E}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{912E56FA-0E44-45A3-B433-5EB1098A1147}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38698B65-1CA7-458C-B4D6-E0A51379C1D2}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7C40885-2506-4EB9-B4AB-0E1E3D3FD5F9}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F81B80BC-29D1-4734-B515-7724BFF16001}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83E7A2AB-486C-466D-AF9C-652713DBBFB2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000214F2-0000-0000-C000-000000000046}\NumMethods\ = "7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F2DEC15-7A70-45DD-8913-2A230CDB195B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3DCB623-4280-4EB1-84B3-8D07E84F299A}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8156E35C-E47D-4AD0-B7F5-FF58036BCF11}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF78CC76-73E3-4C61-8822-F5F651A9C6D4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{502B2DDB-A0D2-4285-8BA0-08906AA0B4FF}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C374A42-BAE4-11CF-BF7D-00AA006946EE}\NumMethods\ = "8"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE7C4271-210C-448D-9F54-76DAB7047B28}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{764651D0-38DE-11D4-A2A3-00104BD35090}\ = "IActiveScriptSIPInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{863A99A0-21BC-11D0-82B4-00A0C90C29C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02BA3B52-0547-11D1-B833-00C04FC9B31F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9AF64809-5864-4C26-A720-C1F78C086EE3}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3615A21D-2536-4E4E-BE72-110FE0647D5B}\NumMethods\ = "4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D783F427-3C66-4CFF-87B6-B0DB2305736C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EBFDD80-AD18-11D3-A4C5-00C04F72D6B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B722BCC8-4E68-101B-A2BC-00AA00404770}\ = "IEnumOleDocumentViews"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1630852E-1263-465B-98E5-FE60FFEC4AC2}\NumMethods\ = "11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91A565C1-E38F-11D0-94BF-00A0C9055CBF}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9AF64809-5864-4C26-A720-C1F78C086EE3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AA7AF7E-9B36-420C-A8E3-F77D4674A488}\ = "IKnownFolder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2271DCCA-74FC-4414-8FB7-C56B05ACE2D7}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE96689E-4499-4B78-AEB8-6D3717564BC3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C9CD5BB-98E9-4491-A60F-31AACC72B83C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FECE3DD3-B657-4FC1-B2DF-532A1BDF43AC}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63CDBCB0-C1B1-11D0-9336-00A0C90DCAA9}\ = "IBindEventHandler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB5CEF35-BEC6-4762-A1BD-253F5BF67C72}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC43A9D5-5015-4301-8C96-A47434B4D658}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{964D6B67-8259-40DB-9F5E-F4F768A9CCA3}\NumMethods\ = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E693CF68-D967-4112-8763-99172AEE5E5A}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2332	WaterMark.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe
2804	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	WaterMark.exe
Token: SeDebugPrivilege	2804	svchost.exe
Token: SeDebugPrivilege	2332	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2052	regsvr32mgr.exe
2332	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 596 wrote to memory of 2516	596	regsvr32.exe	30
PID 2516 wrote to memory of 2052	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2052	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2052	2516	regsvr32.exe	31
PID 2516 wrote to memory of 2052	2516	regsvr32.exe	31
PID 2052 wrote to memory of 2332	2052	regsvr32mgr.exe	32
PID 2052 wrote to memory of 2332	2052	regsvr32mgr.exe	32
PID 2052 wrote to memory of 2332	2052	regsvr32mgr.exe	32
PID 2052 wrote to memory of 2332	2052	regsvr32mgr.exe	32
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2964	2332	WaterMark.exe	33
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2332 wrote to memory of 2804	2332	WaterMark.exe	34
PID 2804 wrote to memory of 256	2804	svchost.exe	1
PID 2804 wrote to memory of 256	2804	svchost.exe	1
PID 2804 wrote to memory of 256	2804	svchost.exe	1
PID 2804 wrote to memory of 256	2804	svchost.exe	1
PID 2804 wrote to memory of 256	2804	svchost.exe	1
PID 2804 wrote to memory of 336	2804	svchost.exe	2
PID 2804 wrote to memory of 336	2804	svchost.exe	2
PID 2804 wrote to memory of 336	2804	svchost.exe	2
PID 2804 wrote to memory of 336	2804	svchost.exe	2
PID 2804 wrote to memory of 336	2804	svchost.exe	2
PID 2804 wrote to memory of 384	2804	svchost.exe	3
PID 2804 wrote to memory of 384	2804	svchost.exe	3
PID 2804 wrote to memory of 384	2804	svchost.exe	3
PID 2804 wrote to memory of 384	2804	svchost.exe	3
PID 2804 wrote to memory of 384	2804	svchost.exe	3
PID 2804 wrote to memory of 396	2804	svchost.exe	4
PID 2804 wrote to memory of 396	2804	svchost.exe	4
PID 2804 wrote to memory of 396	2804	svchost.exe	4
PID 2804 wrote to memory of 396	2804	svchost.exe	4
PID 2804 wrote to memory of 396	2804	svchost.exe	4
PID 2804 wrote to memory of 432	2804	svchost.exe	5
PID 2804 wrote to memory of 432	2804	svchost.exe	5
PID 2804 wrote to memory of 432	2804	svchost.exe	5
PID 2804 wrote to memory of 432	2804	svchost.exe	5
PID 2804 wrote to memory of 432	2804	svchost.exe	5
PID 2804 wrote to memory of 476	2804	svchost.exe	6
PID 2804 wrote to memory of 476	2804	svchost.exe	6
PID 2804 wrote to memory of 476	2804	svchost.exe	6
PID 2804 wrote to memory of 476	2804	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2028
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1600
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2876
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:236
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:400
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1096
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1404
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2572
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2588
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\975ce7ff59e6e1668f639d77d2efb0a8_JaffaCakes118.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\975ce7ff59e6e1668f639d77d2efb0a8_JaffaCakes118.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
244KB

MD5
d6dee78f4ad4437875d555e6e6552aae

SHA1
633497acd8f1c4c245b90d40d88c8c001b30e192

SHA256
2a90a43528e8a81926596a02f787bb698d1d4d09f2272c7ccc2a580de3eddb1a

SHA512
06b4242582f4d5e9935e4a3040a422254d4ffdec2accd0d58a81973ad7bbc8c95dda9476607fa739170a4d129fec72f3ee446619f46ca6a1ad00dd9126be3839

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
240KB

MD5
94fe74e7090a6600ec854325feaa6328

SHA1
6f3642a5ff27b133a6b6dc9b4dc2189dc3f46c89

SHA256
335ddfcbb605faa443aff15aa4279cce69a1c03e2173662eb8a4e9d01e7fc0cc

SHA512
346b5193f77e5bb463ea8c7d1e8e787e58bdd18d78d485de56add84e78956c9f4e38bc8de5ce1ecc5597ecfa01f51d316336b6fb9506b28905c0aa1f40b72cbc

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
115KB

MD5
e7d0f3375fdfbd47fe81dbfac6313129

SHA1
8662bafb76ebc0a31488ab2b3819b3764fed5a50

SHA256
2f42698d07f35c62fe0deef9518c4e4d8616d7ee9249477a0b454c8e5977d996

SHA512
9d986453a7f3086c1a185867931fccc7cf920d815ac540adca15a90b1989f5f5e9902ff1e53ccea360495f328328f78868cfcef16b7db495982346654ca9a55d

Download Submit
memory/2052-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2052-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2052-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2052-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2332-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2332-68-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2332-42-0x000000007741F000-0x0000000077420000-memory.dmp

Filesize
4KB

Download
memory/2332-41-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2332-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-621-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2332-355-0x000000007741F000-0x0000000077420000-memory.dmp

Filesize
4KB

Download
memory/2332-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2516-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2516-1-0x00000000749E0000-0x0000000074A48000-memory.dmp

Filesize
416KB

Download
memory/2804-81-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-82-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2804-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-70-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-86-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2804-77-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2804-85-0x0000000077420000-0x0000000077421000-memory.dmp

Filesize
4KB

Download
memory/2964-57-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2964-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2964-50-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2964-63-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-358-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2964-46-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download