Analysis
- max time kernel: 93s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2024 16:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: d7ea26196294d1221cc5e6c1e75bcc83_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: d7ea26196294d1221cc5e6c1e75bcc83_JaffaCakes118.dll
- Size: 840KB
- MD5: d7ea26196294d1221cc5e6c1e75bcc83
- SHA1: 2dcffeeab4a9ef26ffe35d73a997f2db90fbd072
- SHA256: d946b050d162fd5a3ed39f2f42ec1f7147b45684ee6701d9ea7a4823e26c2bf7
- SHA512: 8e578458e87f6ca73b0a27329338195c42c6ff648695a29b2bbce3e2a23a666e67f1c28c7820d6f9b19f5b0b62bdff2dd6234177d1969a1eb2352dcd20ecdbe0
- SSDEEP: 12288:7PTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5UjufyFU/77n:7PSH4hQP/RN2fLqNK9QV4qBH1t+J0dET
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (rundll32mgr.exe)

Ramnit family

Sality family

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)

Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rundll32mgr.exe)

Executes dropped EXE (2 IoCs)
- PID 464 rundll32mgr.exe
- PID 1908 WaterMark.exe

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rundll32mgr.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (rundll32mgr.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (rundll32mgr.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
Drops file in System32 directory (1 IoC)
- File created C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)

yara_rule matches (resource: rule)
- behavioral2/memory/464-11-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/1908-50-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-36-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/464-12-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/464-28-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-20-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-19-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-10-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/464-9-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/464-27-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/464-16-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-15-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-14-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-13-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- behavioral2/memory/464-8-0x00000000032C0000-0x000000000434E000-memory.dmp: upx
- behavioral2/memory/1908-53-0x0000000000400000-0x0000000000437000-memory.dmp: upx
- behavioral2/memory/1908-57-0x0000000000400000-0x0000000000421000-memory.dmp: upx

Drops file in Program Files directory (3 IoCs)
- File opened for modification C:\Program Files (x86)\Microsoft\pxB7F6.tmp (rundll32mgr.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)

Drops file in Windows directory (1 IoC)
- File opened for modification C:\Windows\SYSTEM.INI (rundll32mgr.exe)

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32mgr.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WaterMark.exe)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
- PID 464 rundll32mgr.exe (2 entries)
- PID 1908 WaterMark.exe (16 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 464 rundll32mgr.exe (64 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 3316 iexplore.exe
- PID 4516 iexplore.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 3316 iexplore.exe (2 entries)
- PID 4516 iexplore.exe (2 entries)
- PID 316 IEXPLORE.EXE (2 entries)
- PID 3868 IEXPLORE.EXE (4 entries)

Suspicious use of UnmapMainImage (2 IoCs)
- PID 464 rundll32mgr.exe
- PID 1908 WaterMark.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Each entry: source PID (process) wrote to memory of target PID [procid_target]
- 2772 (rundll32.exe) wrote to memory of 544 [82] (3 entries)
- 544 (rundll32.exe) wrote to memory of 464 [83] (3 entries)
- 464 (rundll32mgr.exe) wrote to memory of 780 [8]
- 464 (rundll32mgr.exe) wrote to memory of 788 [9]
- 464 (rundll32mgr.exe) wrote to memory of 380 [13]
- 464 (rundll32mgr.exe) wrote to memory of 2852 [49]
- 464 (rundll32mgr.exe) wrote to memory of 2872 [50]
- 464 (rundll32mgr.exe) wrote to memory of 2976 [51]
- 464 (rundll32mgr.exe) wrote to memory of 3432 [56]
- 464 (rundll32mgr.exe) wrote to memory of 3576 [57]
- 464 (rundll32mgr.exe) wrote to memory of 3768 [58]
- 464 (rundll32mgr.exe) wrote to memory of 3856 [59]
- 464 (rundll32mgr.exe) wrote to memory of 3920 [60]
- 464 (rundll32mgr.exe) wrote to memory of 4012 [61]
- 464 (rundll32mgr.exe) wrote to memory of 4164 [62]
- 464 (rundll32mgr.exe) wrote to memory of 4376 [74]
- 464 (rundll32mgr.exe) wrote to memory of 2500 [76]
- 464 (rundll32mgr.exe) wrote to memory of 1908 [84] (3 entries)
- 1908 (WaterMark.exe) wrote to memory of 3084 [85] (9 entries)
- 1908 (WaterMark.exe) wrote to memory of 3316 [86] (2 entries)
- 1908 (WaterMark.exe) wrote to memory of 4516 [87] (2 entries)
- 4516 (iexplore.exe) wrote to memory of 3868 [88] (3 entries)
- 3316 (iexplore.exe) wrote to memory of 316 [89] (3 entries)

System policy modification (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rundll32mgr.exe)
Processes
Each entry: image path, command line, PID; children are indented under their parent; signatures triggered by that process follow it.
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2852
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2872
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2976
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3432
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ea26196294d1221cc5e6c1e75bcc83_JaffaCakes118.dll,#1 | PID:2772
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ea26196294d1221cc5e6c1e75bcc83_JaffaCakes118.dll,#1 | PID:544
      Signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe | PID:464
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:1908
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:3084
          - C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:3316
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3316 CREDAT:17410 /prefetch:2 | PID:316
              Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          - C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:4516
            Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4516 CREDAT:17410 /prefetch:2 | PID:3868
              Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3576
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3768
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3856
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4012
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4164
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4376
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2500
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (6)