Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 00:55
Static task: static1
Behavioral task: behavioral1
  Sample: e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe
  Resource: win7-20240903-en
General
Target: e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe
Size: 924KB
MD5: e91974b96449dadf2c18e41c7e259189
SHA1: 08ee9dd9f046c0db70e14fae0e348f88983fc896
SHA256: 172226d0aa7ecbe277f6b7f2baecc12f2a13e038054c1df2d05cef76970e332f
SHA512: f2fc6088060be86cf77a42f459d26b9e6069252a24347f530e6261b4d8e87c3e7197695f3520a640d4212e79f7bbf16ebf5f3c50908112bb5e4b93a6765c165d
SSDEEP: 12288:LnJcI2fLcSsZaFcWpiFbQbpIpYVwj8xVVoS0tSW:j+dYVZE0lQpIpYVwEVVoS05
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Ramnit family
Executes dropped EXE (2 IoCs)
pid | Process
2056 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe
2780 | WaterMark.exe
Loads dropped DLL (10 IoCs)
pid | Process
2364 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe (2 entries)
2056 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe (5 entries)
2780 | WaterMark.exe (3 entries)
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
resource | yara_rule
behavioral1/memory/2056-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-21-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2056-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2780-47-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2780-687-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | svchost.exe
File opened for modification | C:\Program Files\Internet Explorer\sqmapi.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jsdt.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html | svchost.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Media Player\wmprph.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | svchost.exe
File opened for modification | C:\Program Files\Mozilla Firefox\freebl3.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html | svchost.exe
File opened for modification | C:\Program Files\Mozilla Firefox\libEGL.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jre7\bin\decora-sse.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll | svchost.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\WordpadFilter.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | svchost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll | svchost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE | svchost.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll | svchost.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll | svchost.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\PhotoAcq.dll | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL | svchost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL | svchost.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\wmsetup.log | e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
pid | Process
2780 | WaterMark.exe (8 entries)
2640 | svchost.exe (29 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2780 | WaterMark.exe
Token: SeDebugPrivilege | 2640 | svchost.exe
Token: SeDebugPrivilege | 2364 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe
Token: SeDebugPrivilege | 2780 | WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2056 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe
2780 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 2056 | 2364 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe | 31 (7 entries)
PID 2056 wrote to memory of 2780 | 2056 | e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe | 32 (7 entries)
PID 2780 wrote to memory of 2848 | 2780 | WaterMark.exe | 33 (13 entries)
PID 2780 wrote to memory of 2640 | 2780 | WaterMark.exe | 35 (13 entries)
PID 2640 wrote to memory of 256 | 2640 | svchost.exe | 1 (5 entries)
PID 2640 wrote to memory of 336 | 2640 | svchost.exe | 2 (5 entries)
PID 2640 wrote to memory of 384 | 2640 | svchost.exe | 3 (5 entries)
PID 2640 wrote to memory of 392 | 2640 | svchost.exe | 4 (5 entries)
PID 2640 wrote to memory of 432 | 2640 | svchost.exe | 5 (4 entries)
Processes
image | command line | PID (children indented under their parent; signature hits listed under the process that triggered them)
C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:336
C:\Windows\system32\wininit.exe | wininit.exe | PID:384
  C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:476
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:604
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID:1228
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1308
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID:2284
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID:2304
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:684
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:748
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:824
      C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:860
      \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2216
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:972
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:276
    C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:348
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1068
    C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1112
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID:2012
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:3020
    C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:2512
  C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:492
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:500
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:392
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1196
  C:\Users\Admin\AppData\Local\Temp\e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e91974b96449dadf2c18e41c7e259189_JaffaCakes118.exe" | PID:2364
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe | C:\Users\Admin\AppData\Local\Temp\e91974b96449dadf2c18e41c7e259189_JaffaCakes118mgr.exe | PID:2056
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:2780
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:2848
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:2640
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 252KB
MD5: e9775f42f9773c28d10114078a2003b6
SHA1: 3f3891a4723822be65122ace30ea31783a8f32f9
SHA256: 82ece7397d7033df489aa6fbaecfe8c343e09ffc14d9e16b4f2df419e00f0fac
SHA512: da079feded5eb219abd92e336e14cc0737e50d2f5f2b32b2ede43ef9ec715bc439d856badb031c2b9559289b61592820d27281537d27c6c61087fd215d0deab1

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 248KB
MD5: 944ea03b6f050b7f4363a4e9cbf84d34
SHA1: ccdc2629929cf1dfc4db144caa1b99a0ed8008eb
SHA256: 5aac419cc893361537c0b23a4040ced236f2a1f4527000f291763c2a8a0628f4
SHA512: 558c6d7f00f1d6b1b1896b1ce4fb5e241d5bc7b960111100b05f22c36179d7a22ccd279345f8fafff1ab9ec4b5c775b448c4dcb3cc115f21d90e9b93899f4653

Filesize: 119KB
MD5: 9d5d609dc8e2554054733d19eed45c5c
SHA1: ce72453fca9f477940a9def32bd8463549c6e1e4
SHA256: 7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1
SHA512: 012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b