ramnit | 937f50c31e81c4ba36e1d35d5041fa7b13f8cef3ba59ae566d902c6284e414c1

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
Size

156KB
MD5

9bc57dc527a3942601b4eaf6db85b06c
SHA1

795736c7ae20ed004ac0677bedd91d75179b5521
SHA256

937f50c31e81c4ba36e1d35d5041fa7b13f8cef3ba59ae566d902c6284e414c1
SHA512

54650bb7777cf2b732550b4bbec5c201cc22370d2305853f26eec90c609fbac4e31b4a48297fa517e84165542656ffa87919a797c05cdc71a546b1a45970c713
SSDEEP

3072:W1dN336MdMfLirVQW0/nyypiI4T3zopr1cS/rkhyjhT1:ATqqULirVT01kT3EppZrNjX

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe
1792	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe
1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\S:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\E:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\I:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\J:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\M:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\Q:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\U:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\V:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\W:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\G:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\H:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\L:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\Y:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\R:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\X:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\O:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\P:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\T:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\Z:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\A:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\B:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
File opened (read-only)	\??\N:	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1036-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1036-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1036-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1792-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1792-35-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/1036-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1036-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1036-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1036-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1792-406-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1792-744-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glass.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\jnwppr.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1792	WaterMark.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	WaterMark.exe
Token: SeDebugPrivilege	1788	svchost.exe
Token: SeDebugPrivilege	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
Token: SeDebugPrivilege	1792	WaterMark.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe
1792	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1036	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	30
PID 2580 wrote to memory of 1036	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	30
PID 2580 wrote to memory of 1036	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	30
PID 2580 wrote to memory of 1036	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	30
PID 1036 wrote to memory of 1792	1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe	31
PID 1036 wrote to memory of 1792	1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe	31
PID 1036 wrote to memory of 1792	1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe	31
PID 1036 wrote to memory of 1792	1036	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe	31
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 1792 wrote to memory of 2540	1792	WaterMark.exe	32
PID 2580 wrote to memory of 2140	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2140	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2140	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	33
PID 2580 wrote to memory of 2140	2580	9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe	33
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1792 wrote to memory of 1788	1792	WaterMark.exe	34
PID 1788 wrote to memory of 256	1788	svchost.exe	1
PID 1788 wrote to memory of 256	1788	svchost.exe	1
PID 1788 wrote to memory of 256	1788	svchost.exe	1
PID 1788 wrote to memory of 256	1788	svchost.exe	1
PID 1788 wrote to memory of 256	1788	svchost.exe	1
PID 1788 wrote to memory of 332	1788	svchost.exe	2
PID 1788 wrote to memory of 332	1788	svchost.exe	2
PID 1788 wrote to memory of 332	1788	svchost.exe	2
PID 1788 wrote to memory of 332	1788	svchost.exe	2
PID 1788 wrote to memory of 332	1788	svchost.exe	2
PID 1788 wrote to memory of 380	1788	svchost.exe	3
PID 1788 wrote to memory of 380	1788	svchost.exe	3
PID 1788 wrote to memory of 380	1788	svchost.exe	3
PID 1788 wrote to memory of 380	1788	svchost.exe	3
PID 1788 wrote to memory of 380	1788	svchost.exe	3
PID 1788 wrote to memory of 392	1788	svchost.exe	4
PID 1788 wrote to memory of 392	1788	svchost.exe	4
PID 1788 wrote to memory of 392	1788	svchost.exe	4
PID 1788 wrote to memory of 392	1788	svchost.exe	4
PID 1788 wrote to memory of 392	1788	svchost.exe	4
PID 1788 wrote to memory of 428	1788	svchost.exe	5
PID 1788 wrote to memory of 428	1788	svchost.exe	5
PID 1788 wrote to memory of 428	1788	svchost.exe	5
PID 1788 wrote to memory of 428	1788	svchost.exe	5
PID 1788 wrote to memory of 428	1788	svchost.exe	5
PID 1788 wrote to memory of 476	1788	svchost.exe	6
PID 1788 wrote to memory of 476	1788	svchost.exe	6
PID 1788 wrote to memory of 476	1788	svchost.exe	6
PID 1788 wrote to memory of 476	1788	svchost.exe	6
PID 1788 wrote to memory of 476	1788	svchost.exe	6
PID 1788 wrote to memory of 484	1788	svchost.exe	7
PID 1788 wrote to memory of 484	1788	svchost.exe	7

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1388
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:548
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:2436
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1156
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:840
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1900
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:112
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1056
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1676
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2440
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2512
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe
    C:\Users\Admin\AppData\Local\Temp\9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
- - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
    "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
197KB

MD5
bef608d6547bdaa67686c5a5928d4f64

SHA1
8c14a45844d200cfc9063f562386aaf00ae53a6b

SHA256
49f187df78f02438e001014f60c91248ea1c8459b19ab18307258b90c80ca733

SHA512
b6faccf95441490e51b7e3167beccf565002f0cf7ce73eb2287f822965a5380853006fbd8da4fdb7c6fab1e4161a0d6de453106cb86bf009c01109c840a760f0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
193KB

MD5
2fbe9ba40ee02eebe4d1fddd496815f9

SHA1
abe1a7c78161080d89784ebeac8dffaa806866d4

SHA256
ec98a3c254e19c74eef67f1df32d54c32fba7ad84eea756dfac12352d6042471

SHA512
cbca1cae5f0a6249e30749fb4a63ebd10856798646390d2356080d1feafc73f7b0b2eedcc6bbc2812215f201e8a15c1ce74d1afe6b65e8034bd812ff7158bfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{46E3AD54-F2CE-465B-A3C1-E99FBF2A03D7}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{AD12EC96-C19E-4785-9AB8-2EE7F5646F9B}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

Filesize
32KB

MD5
84bba83cfbc0233517407678bb842686

SHA1
1c617de788de380d28c52dc733ad580c3745a1c1

SHA256
6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

SHA512
a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

Download Submit
\Users\Admin\AppData\Local\Temp\9bc57dc527a3942601b4eaf6db85b06c_JaffaCakes118mgr.exe

Filesize
92KB

MD5
9efa35f79704a13f682a13efc6770276

SHA1
e75cb9eac6f47407baaeac4b6f342e9b34385d02

SHA256
98b86f0605c851a7ba65f27c98831ef55195370e20b181d8faa1131e4aee6387

SHA512
83a48096a9898482f7069f8ec0372b1dec3145c4c13edd91aa7ea76328544b6bb0c7bb56aebd091f26faaf078e8dc8d560047073911e0a11db62acfc74058874

Download Submit
memory/1036-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1036-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-19-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1036-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1036-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1788-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1788-78-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1788-93-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1788-96-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1788-95-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1788-92-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1788-88-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1788-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1792-39-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1792-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1792-744-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1792-76-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1792-41-0x0000000077B4F000-0x0000000077B50000-memory.dmp

Filesize
4KB

Download
memory/1792-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1792-407-0x0000000077B4F000-0x0000000077B50000-memory.dmp

Filesize
4KB

Download
memory/1792-406-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2540-64-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2540-65-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2540-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2540-58-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2540-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2540-45-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2540-63-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2540-53-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2540-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2540-462-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2580-741-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-71-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download
memory/2580-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2580-3927-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download
memory/2580-3928-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download