ramnit | a862ceb0054409b5bdd7dce8ee74a98b4d81d1c3d910596ddb8eeb06922724a8

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
Size

272KB
MD5

984c8e7ac695f9968bcc99bbee6bc344
SHA1

08d56c10e70bdf6c2c88b50a76c281ea141b56c3
SHA256

a862ceb0054409b5bdd7dce8ee74a98b4d81d1c3d910596ddb8eeb06922724a8
SHA512

04cb464cfa10f96cd62701c7a054ca657ecc1839cf580f99164342d2b6a95a80c136b7e91af9b5e7216146cb1feea627855071065a6aae6a710ba1f8bcc196f2
SSDEEP

3072:Z3BWcSZ2ShqnTTHQ+4+lB66EdOuqzsi/I14FI+fbeNUJRQ:Z3BWc7nb436EdOzsi/ZI+KNb

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2972	regsvr32mgr.exe
2124	regsvr32mgrmgr.exe
2672	WaterMark.exe
2828	WaterMark.exe
484	WaterMarkmgr.exe
2304	WaterMark.exe

Loads dropped DLL 12 IoCs

pid	Process
2916	regsvr32.exe
2916	regsvr32.exe
2972	regsvr32mgr.exe
2972	regsvr32mgr.exe
2972	regsvr32mgr.exe
2972	regsvr32mgr.exe
2124	regsvr32mgrmgr.exe
2124	regsvr32mgrmgr.exe
2672	WaterMark.exe
2672	WaterMark.exe
484	WaterMarkmgr.exe
484	WaterMarkmgr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\regsvr32mgrmgr.exe	regsvr32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-38-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2672-63-0x0000000000120000-0x000000000015B000-memory.dmp	upx
behavioral1/memory/2972-47-0x0000000000370000-0x0000000000391000-memory.dmp	upx
behavioral1/memory/484-85-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-24-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2972-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2672-830-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javafx-font.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2828	WaterMark.exe
2828	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2304	WaterMark.exe
2304	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2672	WaterMark.exe
2828	WaterMark.exe
2828	WaterMark.exe
2304	WaterMark.exe
2304	WaterMark.exe
2304	WaterMark.exe
2828	WaterMark.exe
2304	WaterMark.exe
2828	WaterMark.exe
1672	svchost.exe
2828	WaterMark.exe
2828	WaterMark.exe
2304	WaterMark.exe
2304	WaterMark.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe
1672	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	WaterMark.exe
Token: SeDebugPrivilege	2672	WaterMark.exe
Token: SeDebugPrivilege	2304	WaterMark.exe
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	2480	svchost.exe
Token: SeDebugPrivilege	2284	svchost.exe
Token: SeDebugPrivilege	2672	WaterMark.exe
Token: SeDebugPrivilege	2828	WaterMark.exe
Token: SeDebugPrivilege	2304	WaterMark.exe
Token: SeDebugPrivilege	2144	svchost.exe
Token: SeDebugPrivilege	2868	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2972	regsvr32mgr.exe
2124	regsvr32mgrmgr.exe
2828	WaterMark.exe
2672	WaterMark.exe
484	WaterMarkmgr.exe
2304	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2932 wrote to memory of 2916	2932	regsvr32.exe	30
PID 2916 wrote to memory of 2972	2916	regsvr32.exe	31
PID 2916 wrote to memory of 2972	2916	regsvr32.exe	31
PID 2916 wrote to memory of 2972	2916	regsvr32.exe	31
PID 2916 wrote to memory of 2972	2916	regsvr32.exe	31
PID 2972 wrote to memory of 2124	2972	regsvr32mgr.exe	32
PID 2972 wrote to memory of 2124	2972	regsvr32mgr.exe	32
PID 2972 wrote to memory of 2124	2972	regsvr32mgr.exe	32
PID 2972 wrote to memory of 2124	2972	regsvr32mgr.exe	32
PID 2972 wrote to memory of 2672	2972	regsvr32mgr.exe	33
PID 2972 wrote to memory of 2672	2972	regsvr32mgr.exe	33
PID 2972 wrote to memory of 2672	2972	regsvr32mgr.exe	33
PID 2972 wrote to memory of 2672	2972	regsvr32mgr.exe	33
PID 2124 wrote to memory of 2828	2124	regsvr32mgrmgr.exe	34
PID 2124 wrote to memory of 2828	2124	regsvr32mgrmgr.exe	34
PID 2124 wrote to memory of 2828	2124	regsvr32mgrmgr.exe	34
PID 2124 wrote to memory of 2828	2124	regsvr32mgrmgr.exe	34
PID 2672 wrote to memory of 484	2672	WaterMark.exe	35
PID 2672 wrote to memory of 484	2672	WaterMark.exe	35
PID 2672 wrote to memory of 484	2672	WaterMark.exe	35
PID 2672 wrote to memory of 484	2672	WaterMark.exe	35
PID 484 wrote to memory of 2304	484	WaterMarkmgr.exe	36
PID 484 wrote to memory of 2304	484	WaterMarkmgr.exe	36
PID 484 wrote to memory of 2304	484	WaterMarkmgr.exe	36
PID 484 wrote to memory of 2304	484	WaterMarkmgr.exe	36
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2672 wrote to memory of 804	2672	WaterMark.exe	37
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2828 wrote to memory of 2144	2828	WaterMark.exe	38
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2304 wrote to memory of 2868	2304	WaterMark.exe	39
PID 2672 wrote to memory of 1672	2672	WaterMark.exe	40
PID 2672 wrote to memory of 1672	2672	WaterMark.exe	40
PID 2672 wrote to memory of 1672	2672	WaterMark.exe	40

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:992
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1816
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1028
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1872
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1088
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1096
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1168
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:756
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2072
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2128
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1052
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\regsvr32mgr.exe
      C:\Windows\SysWOW64\regsvr32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\regsvr32mgrmgr.exe
        
        C:\Windows\SysWOW64\regsvr32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:804
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
483KB

MD5
2574c9ab6aa3c6a91812303aa14bcc53

SHA1
63d8ab4dd364cada94c7362f66037aa27bcca86f

SHA256
14eda76a6780c25326e68561ddbe1197cd39f5462be9e43e4ec0d052c61c3615

SHA512
fa0a48effbf2e492f079e036732406fd8fd20fd42c9d0ecde9e64b82d310f27aac6f24b232b3c1e2671a82743b010ea0dc0e19eede0e5e7929ba3cd98c1cf6f8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
479KB

MD5
df79749efd888f003052ce48359c0890

SHA1
f202f9f27b3923f071e3877fce3c7f0b3eee99f6

SHA256
778e56912b5c770a7c65f9637ac4bb40b62449d98987e6fbae9fc171b4c6d99c

SHA512
bb123b70800ab9ac8b1d6ea30e89d7cb1c9e67276df1369d352e8ba914ea025bc6b099cf743858bbf67ffe425275185b52dcd3c0052a43dfff7a7cf3acb54352

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
234KB

MD5
c3a6eaa4a1cbbe625a1f4ed4f486ce15

SHA1
c7810ef979cf5242d99ad79b29849604c7508b99

SHA256
e898c9afe93f94d2b0183582a583386aa33a3765fd40caf82ea37c01832e12e6

SHA512
461ba410a006f47760c0f8368955b5c66f1789ba33546e3d9b704f9197b86b465f3328dd704e1c1904efdf8d460bb74a1190d0c69cfb2d4adcf1982a5c286942

Download Submit
\Windows\SysWOW64\regsvr32mgrmgr.exe

Filesize
116KB

MD5
fd6899e36fcc5f26903dea1c0519a8fd

SHA1
af249681be87eed2b680baa7d9b514c051d6d4a7

SHA256
b9d75d71f61d31de963a29114d370d6495a18c81e78c78ce89c77ef134f8e6e8

SHA512
78980b599fe5cd62fdaf6165a38e16c629cf0e7864f45bbdbc8c95b1ed1967f1cfdfdecaa879a5b5656f57ced55919082c4bd5fcd7a4a7f4fa6ac64fca58a16d

Download Submit
memory/484-85-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/804-109-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/804-95-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/804-97-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/804-105-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2124-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2124-52-0x00000000003A0000-0x00000000003F9000-memory.dmp

Filesize
356KB

Download
memory/2672-830-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2672-68-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/2672-63-0x0000000000120000-0x000000000015B000-memory.dmp

Filesize
236KB

Download
memory/2828-56-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-75-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2916-0-0x0000000010000000-0x0000000010044000-memory.dmp

Filesize
272KB

Download
memory/2916-8-0x00000000001D0000-0x0000000000229000-memory.dmp

Filesize
356KB

Download
memory/2916-9-0x00000000001D0000-0x0000000000229000-memory.dmp

Filesize
356KB

Download
memory/2972-25-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2972-47-0x0000000000370000-0x0000000000391000-memory.dmp

Filesize
132KB

Download
memory/2972-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2972-15-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/2972-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download