Analysis
  max time kernel: 150s
  max time network: 143s
  platform: windows7_x64
  resource: win7-20241023-en
  resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  submitted: 25-11-2024 01:08
  Static task: static1
  Behavioral task: behavioral1
  Sample: 984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
  Resource: win7-20241023-en
General
  Target: 984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll
  Size: 272KB
  MD5: 984c8e7ac695f9968bcc99bbee6bc344
  SHA1: 08d56c10e70bdf6c2c88b50a76c281ea141b56c3
  SHA256: a862ceb0054409b5bdd7dce8ee74a98b4d81d1c3d910596ddb8eeb06922724a8
  SHA512: 04cb464cfa10f96cd62701c7a054ca657ecc1839cf580f99164342d2b6a95a80c136b7e91af9b5e7216146cb1feea627855071065a6aae6a710ba1f8bcc196f2
  SSDEEP: 3072:Z3BWcSZ2ShqnTTHQ+4+lB66EdOuqzsi/I14FI+fbeNUJRQ:Z3BWc7nb436EdOzsi/ZI+KNb
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  (svchost.exe)
  Every executable listed in Userinit is started by winlogon.exe at each interactive logon, so appending WaterMark.exe here survives reboots without a Run key or a service. The write lands in the Wow6432Node view because the writing svchost.exe is the 32-bit copy from SysWOW64; when hunting for this value, query both the native Winlogon key and the Wow6432Node one.
Ramnit family

Executes dropped EXE (6 IoCs)
  2972  regsvr32mgr.exe
  2124  regsvr32mgrmgr.exe
  2672  WaterMark.exe
  2828  WaterMark.exe
  484   WaterMarkmgr.exe
  2304  WaterMark.exe

Loads dropped DLL (12 IoCs)
  2916  regsvr32.exe        (2 loads)
  2972  regsvr32mgr.exe     (4 loads)
  2124  regsvr32mgrmgr.exe  (2 loads)
  2672  WaterMark.exe       (2 loads)
  484   WaterMarkmgr.exe    (2 loads)

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\regsvr32mgr.exe     (regsvr32.exe)
  File created                  C:\Windows\SysWOW64\regsvr32mgrmgr.exe  (regsvr32mgr.exe)
  File created                  C:\Windows\SysWOW64\dmlconf.dat         (svchost.exe)
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat         (svchost.exe)
YARA rule "upx" matched in memory dumps (12 IoCs)
  behavioral1/memory/2124-38-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-33-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2672-63-0x0000000000120000-0x000000000015B000-memory.dmp
  behavioral1/memory/2972-47-0x0000000000370000-0x0000000000391000-memory.dmp
  behavioral1/memory/484-85-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-31-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-30-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-24-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-23-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-22-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2972-21-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral1/memory/2672-830-0x0000000000400000-0x0000000000421000-memory.dmp
Drops file in Program Files directory (64 IoCs)
  All entries are "File opened for modification" by svchost.exe (PID 804 in the process tree); the targets are existing .exe, .dll, .htm and .html files under Program Files:
  C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
  C:\Program Files\Common Files\System\ado\msadox.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
  C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html
  C:\Program Files\Windows Mail\wabimp.dll
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll
  C:\Program Files\Java\jre7\bin\javaw.exe
  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll
  C:\Program Files\Windows Mail\wabmig.exe
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html
  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACERCLR.DLL
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Java\jre7\bin\javafx-font.dll
  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL
  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html
  C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll
  C:\Program Files\Windows Defender\MpOAV.dll
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html
  C:\Program Files\Java\jdk1.7.0_80\README.html
  C:\Program Files\Java\jre7\bin\jfxmedia.dll
  C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  C:\Program Files\Java\jre7\bin\sunec.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
  C:\Program Files\Internet Explorer\Timeline.dll
  C:\Program Files\Java\jre7\bin\javaws.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  C:\Program Files (x86)\Microsoft\WaterMark.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html
  C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html
  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by svchost.exe (6 times), WaterMark.exe (3 times), regsvr32.exe, regsvr32mgr.exe, regsvr32mgrmgr.exe and WaterMarkmgr.exe (once each)
Modifies registry class (19 IoCs)
  These are the COM proxy/stub registrations written by the DLL's DllRegisterServer export when regsvr32 /s loads it; note the final entry, which points the CLSID's InProcServer32 at the sample DLL in the user's Temp directory, so any later instantiation of that CLSID loads the sample. All entries are by regsvr32.exe:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ThreadingModel = "Both"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods\ = "5"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\NumMethods\ = "6"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "ISetupServiceProvider"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ = "ISetupObjectClass"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\NumMethods
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll"
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  2828  WaterMark.exe  (8 hits)
  2672  WaterMark.exe  (8 hits)
  2304  WaterMark.exe  (8 hits)
  1672  svchost.exe    (29 hits)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token: SeDebugPrivilege  2828  WaterMark.exe
  Token: SeDebugPrivilege  2672  WaterMark.exe
  Token: SeDebugPrivilege  2304  WaterMark.exe
  Token: SeDebugPrivilege  1672  svchost.exe
  Token: SeDebugPrivilege  2480  svchost.exe
  Token: SeDebugPrivilege  2284  svchost.exe
  Token: SeDebugPrivilege  2672  WaterMark.exe
  Token: SeDebugPrivilege  2828  WaterMark.exe
  Token: SeDebugPrivilege  2304  WaterMark.exe
  Token: SeDebugPrivilege  2144  svchost.exe
  Token: SeDebugPrivilege  2868  svchost.exe
Suspicious use of UnmapMainImage (6 IoCs)
  2972  regsvr32mgr.exe
  2124  regsvr32mgrmgr.exe
  2828  WaterMark.exe
  2672  WaterMark.exe
  484   WaterMarkmgr.exe
  2304  WaterMark.exe
  The main image of each of these processes was unmapped after start. Together with the parent-to-child WriteProcessMemory calls below, this is the shape of process hollowing: the parent starts a child, evicts the original image and writes its own payload in its place.
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2932 regsvr32.exe        wrote to memory of 2916   (7 writes, procid_target 30)
  PID 2916 regsvr32.exe        wrote to memory of 2972   (4 writes, procid_target 31)
  PID 2972 regsvr32mgr.exe     wrote to memory of 2124   (4 writes, procid_target 32)
  PID 2972 regsvr32mgr.exe     wrote to memory of 2672   (4 writes, procid_target 33)
  PID 2124 regsvr32mgrmgr.exe  wrote to memory of 2828   (4 writes, procid_target 34)
  PID 2672 WaterMark.exe       wrote to memory of 484    (4 writes, procid_target 35)
  PID 484  WaterMarkmgr.exe    wrote to memory of 2304   (4 writes, procid_target 36)
  PID 2672 WaterMark.exe       wrote to memory of 804    (10 writes, procid_target 37)
  PID 2828 WaterMark.exe       wrote to memory of 2144   (10 writes, procid_target 38)
  PID 2304 WaterMark.exe       wrote to memory of 2868   (10 writes, procid_target 39)
  PID 2672 WaterMark.exe       wrote to memory of 1672   (3 writes, procid_target 40)
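Added example, not code from the sandbox or the report: it parses lines in the report's WriteProcessMemory format ("PID <src> wrote to memory of <dst> <src> <image> <procid_target>"), collapses the repeated writes into parent-to-child edges, walks every chain from the root regsvr32.exe, and flags the edges that have the process-hollowing shape described under UnmapMainImage. The event lines, the pid-to-image table and the set of unmapped pids are constructed from the report's own sections (a representative subset, not a live capture); the rule that svchost.exe is legitimately started only by services.exe is an assumption.

```python
"""Rebuild the injection chain from 'wrote to memory of' events.

Added example; not code from the sandbox or the report. It parses lines in
the report's WriteProcessMemory format
('PID <src> wrote to memory of <dst> <src> <image> <procid_target>'),
collapses repeated writes into parent->child edges, walks every chain from
the root, and flags edges that look like process hollowing.

Assumptions (constructed from the report's Processes and UnmapMainImage
sections, not read from a live host): the pid->image table, the set of pids
whose main image was unmapped, and that svchost.exe is legitimately started
only by services.exe.
"""
import ntpath
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)")

# pid -> image path, transcribed from the report's process tree.
PROC_IMAGES = {
    2932: r"C:\Windows\system32\regsvr32.exe",
    2916: r"C:\Windows\SysWOW64\regsvr32.exe",
    2972: r"C:\Windows\SysWOW64\regsvr32mgr.exe",
    2124: r"C:\Windows\SysWOW64\regsvr32mgrmgr.exe",
    2672: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    2828: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    484: r"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe",
    2304: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    804: r"C:\Windows\SysWOW64\svchost.exe",
    2144: r"C:\Windows\SysWOW64\svchost.exe",
    2868: r"C:\Windows\SysWOW64\svchost.exe",
    1672: r"C:\Windows\SysWOW64\svchost.exe",
}
# pids the sandbox flagged with 'Suspicious use of UnmapMainImage'.
UNMAPPED_MAIN_IMAGE = {2972, 2124, 2828, 2672, 484, 2304}
# Service hosts that only services.exe should start (assumption).
SERVICE_HOSTS = {"svchost.exe"}

# Constructed sample: one line per parent/child pair from the report, with
# the first pair duplicated to show that repeated writes are counted.
SAMPLE_EVENTS = """
PID 2932 wrote to memory of 2916 2932 regsvr32.exe 30
PID 2932 wrote to memory of 2916 2932 regsvr32.exe 30
PID 2916 wrote to memory of 2972 2916 regsvr32.exe 31
PID 2972 wrote to memory of 2124 2972 regsvr32mgr.exe 32
PID 2972 wrote to memory of 2672 2972 regsvr32mgr.exe 33
PID 2124 wrote to memory of 2828 2124 regsvr32mgrmgr.exe 34
PID 2672 wrote to memory of 484 2672 WaterMark.exe 35
PID 484 wrote to memory of 2304 484 WaterMarkmgr.exe 36
PID 2672 wrote to memory of 804 2672 WaterMark.exe 37
PID 2828 wrote to memory of 2144 2828 WaterMark.exe 38
PID 2304 wrote to memory of 2868 2304 WaterMark.exe 39
PID 2672 wrote to memory of 1672 2672 WaterMark.exe 40
""".strip().splitlines()


def parse_edges(lines):
    """Counter of (src_pid, dst_pid) -> number of WriteProcessMemory calls."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def build_tree(edges):
    children, parents = defaultdict(list), {}
    for src, dst in edges:
        children[src].append(dst)
        parents[dst] = src
    roots = sorted(p for p in children if p not in parents)
    return children, roots


def injection_chains(edges):
    """Every root-to-leaf path through the write graph, as pid lists."""
    children, roots = build_tree(edges)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for kid in sorted(kids):
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


def hollowing_candidates(edges, images=PROC_IMAGES, unmapped=UNMAPPED_MAIN_IMAGE):
    """Edges with the process-hollowing shape. Heuristic only: the sandbox
    gives no section/thread-context detail, so a hit means 'look here'."""
    out = []
    for (src, dst), writes in sorted(edges.items()):
        src_name = ntpath.basename(images.get(src, "")).lower()
        dst_name = ntpath.basename(images.get(dst, "")).lower()
        reasons = []
        if dst_name in SERVICE_HOSTS and src_name != "services.exe":
            reasons.append(f"{dst_name} written to by {src_name}, not services.exe")
        if dst in unmapped:
            reasons.append("target's main image was unmapped")
        if reasons:
            out.append({"src": src, "dst": dst, "writes": writes,
                        "dst_image": images.get(dst, "?"), "reasons": reasons})
    return out


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_EVENTS)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{p}:{ntpath.basename(PROC_IMAGES[p])}" for p in chain))
    for c in hollowing_candidates(edges):
        print(f"{c['src']} -> {c['dst']} ({c['writes']} writes): {'; '.join(c['reasons'])}")
```

Path-based trust is deliberately not used: the dropped regsvr32mgr.exe and regsvr32mgrmgr.exe live in SysWOW64, so an "is it under C:\Windows" check would whitelist them. The svchost.exe-not-started-by-services.exe rule and the unmap signal flag every edge in the chain except the first regsvr32-to-regsvr32 write, which is the ordinary 64-bit-to-32-bit regsvr32 hand-off.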
Processes
  Indentation follows the sandbox's depth numbering; each entry is image path, [command line], PID, then the signatures attached to that process. Note the svchost.exe instances under WaterMark.exe: they run from SysWOW64, carry no -k service group, and are parented by a user-land process rather than services.exe, unlike every legitimate svchost.exe higher in the tree.

  C:\Windows\System32\smss.exe  [\SystemRoot\System32\smss.exe]  PID 256
  C:\Windows\system32\csrss.exe  [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16]  PID 336
  C:\Windows\system32\wininit.exe  [wininit.exe]  PID 384
    C:\Windows\system32\services.exe  [C:\Windows\system32\services.exe]  PID 476
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k DcomLaunch]  PID 596
        C:\Windows\system32\wbem\wmiprvse.exe  [C:\Windows\system32\wbem\wmiprvse.exe]  PID 992
        C:\Windows\system32\DllHost.exe  [C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}]  PID 1816
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k RPCSS]  PID 672
      C:\Windows\System32\svchost.exe  [C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted]  PID 744
      C:\Windows\System32\svchost.exe  [C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted]  PID 808
        C:\Windows\system32\Dwm.exe  ["C:\Windows\system32\Dwm.exe"]  PID 1028
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k netsvcs]  PID 852
        C:\Windows\system32\wbem\WMIADAP.EXE  [wmiadap.exe /F /T /R]  PID 1872
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k LocalService]  PID 972
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k NetworkService]  PID 280
      C:\Windows\system32\taskhost.exe  ["taskhost.exe"]  PID 1088
      C:\Windows\System32\spoolsv.exe  [C:\Windows\System32\spoolsv.exe]  PID 1096
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork]  PID 1168
      C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  ["C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"]  PID 756
      C:\Windows\system32\svchost.exe  [C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation]  PID 2072
      C:\Windows\system32\sppsvc.exe  [C:\Windows\system32\sppsvc.exe]  PID 2128
    C:\Windows\system32\lsass.exe  [C:\Windows\system32\lsass.exe]  PID 492
    C:\Windows\system32\lsm.exe  [C:\Windows\system32\lsm.exe]  PID 500
  C:\Windows\system32\csrss.exe  [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16]  PID 396
  C:\Windows\system32\winlogon.exe  [winlogon.exe]  PID 432
  C:\Windows\Explorer.EXE  [C:\Windows\Explorer.EXE]  PID 1052
    C:\Windows\system32\regsvr32.exe  [regsvr32 /s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll]  PID 2932
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe  [/s C:\Users\Admin\AppData\Local\Temp\984c8e7ac695f9968bcc99bbee6bc344_JaffaCakes118.dll]  PID 2916
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regsvr32mgr.exe  [C:\Windows\SysWOW64\regsvr32mgr.exe]  PID 2972
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\regsvr32mgrmgr.exe  [C:\Windows\SysWOW64\regsvr32mgrmgr.exe]  PID 2124
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\WaterMark.exe  ["C:\Program Files (x86)\Microsoft\WaterMark.exe"]  PID 2828
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 2144
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
              C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 2284
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
          C:\Program Files (x86)\Microsoft\WaterMark.exe  ["C:\Program Files (x86)\Microsoft\WaterMark.exe"]  PID 2672
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  ["C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"]  PID 484
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              C:\Program Files (x86)\Microsoft\WaterMark.exe  ["C:\Program Files (x86)\Microsoft\WaterMark.exe"]  PID 2304
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 2868
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 2480
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 804
              - Modifies WinLogon for persistence
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\svchost.exe  [C:\Windows\system32\svchost.exe]  PID 1672
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize: 483KB
    MD5: 2574c9ab6aa3c6a91812303aa14bcc53
    SHA1: 63d8ab4dd364cada94c7362f66037aa27bcca86f
    SHA256: 14eda76a6780c25326e68561ddbe1197cd39f5462be9e43e4ec0d052c61c3615
    SHA512: fa0a48effbf2e492f079e036732406fd8fd20fd42c9d0ecde9e64b82d310f27aac6f24b232b3c1e2671a82743b010ea0dc0e19eede0e5e7929ba3cd98c1cf6f8
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize: 479KB
    MD5: df79749efd888f003052ce48359c0890
    SHA1: f202f9f27b3923f071e3877fce3c7f0b3eee99f6
    SHA256: 778e56912b5c770a7c65f9637ac4bb40b62449d98987e6fbae9fc171b4c6d99c
    SHA512: bb123b70800ab9ac8b1d6ea30e89d7cb1c9e67276df1369d352e8ba914ea025bc6b099cf743858bbf67ffe425275185b52dcd3c0052a43dfff7a7cf3acb54352
  (no path listed in the report)
    Filesize: 234KB
    MD5: c3a6eaa4a1cbbe625a1f4ed4f486ce15
    SHA1: c7810ef979cf5242d99ad79b29849604c7508b99
    SHA256: e898c9afe93f94d2b0183582a583386aa33a3765fd40caf82ea37c01832e12e6
    SHA512: 461ba410a006f47760c0f8368955b5c66f1789ba33546e3d9b704f9197b86b465f3328dd704e1c1904efdf8d460bb74a1190d0c69cfb2d4adcf1982a5c286942
  (no path listed in the report)
    Filesize: 116KB
    MD5: fd6899e36fcc5f26903dea1c0519a8fd
    SHA1: af249681be87eed2b680baa7d9b514c051d6d4a7
    SHA256: b9d75d71f61d31de963a29114d370d6495a18c81e78c78ce89c77ef134f8e6e8
    SHA512: 78980b599fe5cd62fdaf6165a38e16c629cf0e7864f45bbdbc8c95b1ed1967f1cfdfdecaa879a5b5656f57ced55919082c4bd5fcd7a4a7f4fa6ac64fca58a16d

  The two HTML artefacts are licence files of roughly 480KB each, and the "Drops file in Program Files directory" section lists sibling epl-v10.html and license.html files under the same missioncontrol\features tree as opened for modification by svchost.exe; diff them against pristine JDK copies rather than treating them as untouched licence text.