ramnit | 1abe45aa3042f4085101cf285a456c80c9e6f0189a6965e440c9f8ca33d99304

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Size

108KB
MD5

ea69cbd4cef47b051db7a16308ec764b
SHA1

d6e3a85a10e31876a2ef250f85a66f91bf21293e
SHA256

1abe45aa3042f4085101cf285a456c80c9e6f0189a6965e440c9f8ca33d99304
SHA512

310ff8e047d557770124bdcd9180adabe290793528e7e13dd9990b0041ecaac17c44f53d5f31df833a64843592f453fb8f06ad2df5b839b309d2ed5021176ee3
SSDEEP

3072:1DahPBarKpbqAC3gNFmfnAZ1+cpVZX8nLlKSI7da0wL7MI:AhPBarKptTmfAZ1QnkBaXL5

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, \"C:\\Windows\\system32\\M5VBVM60.EXE StartUp\""	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "c:\\windows\\system32\\userinit.exe, \"c:\\windows\\system32\\m5vbvm60.exe startup\",c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, \"C:\\Windows\\system32\\M5VBVM60.EXE StartUp\""	Zero.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	Hole.zip

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Zero.txt

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Zero.txt

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 7 IoCs

pid	Process
2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
2696	WaterMark.exe
2056	Empty.jpg
296	Blank.doc
1820	Zero.txt
1908	Hole.zip
860	Unoccupied.reg

Loads dropped DLL 19 IoCs

pid	Process
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2056	Empty.jpg
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
296	Blank.doc
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
1820	Zero.txt
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
1908	Hole.zip
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
860	Unoccupied.reg

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Blank AntiViri = "C:\\AUT0EXEC.BAT StartUp"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Secure64 = "C:\\Windows\\system32\\dllcache\\Regedit32.com StartUp"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Secure32 = "C:\\Windows\\system32\\dllcache\\Shell32.com StartUp"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Blank AntiViri = "C:\\AUT0EXEC.BAT StartUp"	Zero.txt
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Secure64 = "C:\\Windows\\system32\\dllcache\\Regedit32.com StartUp"	Zero.txt
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Secure32 = "C:\\Windows\\system32\\dllcache\\Shell32.com StartUp"	Zero.txt

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Blank.doc
File opened (read-only)	\??\T:	Blank.doc
File opened (read-only)	\??\U:	Blank.doc
File opened (read-only)	\??\V:	Blank.doc
File opened (read-only)	\??\X:	Blank.doc
File opened (read-only)	\??\G:	Blank.doc
File opened (read-only)	\??\M:	Blank.doc
File opened (read-only)	\??\O:	Blank.doc
File opened (read-only)	\??\P:	Blank.doc
File opened (read-only)	\??\Q:	Blank.doc
File opened (read-only)	\??\S:	Blank.doc
File opened (read-only)	\??\J:	Blank.doc
File opened (read-only)	\??\K:	Blank.doc
File opened (read-only)	\??\H:	Blank.doc
File opened (read-only)	\??\I:	Blank.doc
File opened (read-only)	\??\L:	Blank.doc
File opened (read-only)	\??\W:	Blank.doc
File opened (read-only)	\??\Y:	Blank.doc
File opened (read-only)	\??\B:	Blank.doc
File opened (read-only)	\??\E:	Blank.doc
File opened (read-only)	\??\R:	Blank.doc
File opened (read-only)	\??\Z:	Blank.doc

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllChache\Unoccupied.reg	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\Regedit32.com	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\Shell32.com	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllChache\Zero.txt	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllChache\Hole.zip	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\Shell32.com	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllchache	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\msvbvm60.dll	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllcache\msvbvm60.dll	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\msvbvm60.dll	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\M5VBVM60.EXE	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllchache.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllChache\msvbvm60.dll	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Hole.zip	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Unoccupied.reg	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\Regedit32.com	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Blank.doc	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rund1132.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rund1132.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllchache.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Zero.txt	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllChache\Blank.doc	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Empty.jpg	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\M5VBVM60.EXE	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllChache\Empty.jpg	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2948-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-128-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-842-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\unpack.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmarq_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penusa.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\InkSeg.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\eula.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java_crw_demo.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
File opened for modification	C:\Windows\system32.exe	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zero.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hole.zip
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unoccupied.reg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Empty.jpg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blank.doc

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a2003100000000008d59253617004541363943427e3100008a0008000400efbe8d5925368d5925362a0000009f6d0100000006000000000000000000000000000000650061003600390063006200640034006300650066003400370062003000350031006400620037006100310036003300300038006500630037003600340062005f004a006100660066006100430061006b0065007300310031003800000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000575923881100557365727300600008000400efbeee3a851a575923882a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000008d592536102054656d700000360008000400efbe575923888d5925362a00000007020000000002000000000000000000000000000000540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005759e98d100041646d696e00380008000400efbe575923885759e98d2a00000037000000000005000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000057592388122041707044617461003c0008000400efbe57592388575923882a000000f30100000000020000000000000000000000000000004100700070004400610074006100000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c0031000000000057595d8910204c6f63616c00380008000400efbe5759238857595d892a000000060200000000020000000000000000000000000000004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	WaterMark.exe
2696	WaterMark.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2056	Empty.jpg
2056	Empty.jpg
296	Blank.doc
296	Blank.doc
1820	Zero.txt
1820	Zero.txt
1908	Hole.zip
1908	Hole.zip
860	Unoccupied.reg
860	Unoccupied.reg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
296	Blank.doc
296	Blank.doc
1820	Zero.txt
1820	Zero.txt
1908	Hole.zip
1908	Hole.zip
860	Unoccupied.reg
860	Unoccupied.reg
2696	WaterMark.exe
2696	WaterMark.exe
2696	WaterMark.exe
2696	WaterMark.exe
2696	WaterMark.exe
2696	WaterMark.exe
2296	svchost.exe
2056	Empty.jpg
2056	Empty.jpg
296	Blank.doc
296	Blank.doc
1820	Zero.txt
1820	Zero.txt
1908	Hole.zip
1908	Hole.zip
860	Unoccupied.reg
860	Unoccupied.reg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
2056	Empty.jpg
296	Blank.doc
296	Blank.doc
1820	Zero.txt
1820	Zero.txt
1908	Hole.zip
1908	Hole.zip

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	WaterMark.exe
Token: SeDebugPrivilege	2296	svchost.exe
Token: SeDebugPrivilege	2696	WaterMark.exe
Token: SeDebugPrivilege	2056	Empty.jpg
Token: SeDebugPrivilege	296	Blank.doc
Token: SeDebugPrivilege	1820	Zero.txt
Token: SeDebugPrivilege	1908	Hole.zip
Token: SeDebugPrivilege	860	Unoccupied.reg

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
2056	Empty.jpg
296	Blank.doc
1820	Zero.txt
1908	Hole.zip
860	Unoccupied.reg

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
2696	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2948	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2948	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2948	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	30
PID 2920 wrote to memory of 2948	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	30
PID 2948 wrote to memory of 2696	2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe	31
PID 2948 wrote to memory of 2696	2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe	31
PID 2948 wrote to memory of 2696	2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe	31
PID 2948 wrote to memory of 2696	2948	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe	31
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2696 wrote to memory of 300	2696	WaterMark.exe	32
PID 2920 wrote to memory of 2056	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2056	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2056	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2056	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	33
PID 2920 wrote to memory of 296	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	34
PID 2920 wrote to memory of 296	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	34
PID 2920 wrote to memory of 296	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	34
PID 2920 wrote to memory of 296	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	34
PID 2920 wrote to memory of 1820	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	35
PID 2920 wrote to memory of 1820	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	35
PID 2920 wrote to memory of 1820	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	35
PID 2920 wrote to memory of 1820	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	35
PID 2920 wrote to memory of 1908	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	36
PID 2920 wrote to memory of 1908	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	36
PID 2920 wrote to memory of 1908	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	36
PID 2920 wrote to memory of 1908	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	36
PID 2920 wrote to memory of 860	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	37
PID 2920 wrote to memory of 860	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	37
PID 2920 wrote to memory of 860	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	37
PID 2920 wrote to memory of 860	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	37
PID 2920 wrote to memory of 2480	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	38
PID 2920 wrote to memory of 2480	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	38
PID 2920 wrote to memory of 2480	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	38
PID 2920 wrote to memory of 2480	2920	ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2696 wrote to memory of 2296	2696	WaterMark.exe	40
PID 2296 wrote to memory of 256	2296	svchost.exe	1
PID 2296 wrote to memory of 256	2296	svchost.exe	1
PID 2296 wrote to memory of 256	2296	svchost.exe	1
PID 2296 wrote to memory of 256	2296	svchost.exe	1
PID 2296 wrote to memory of 256	2296	svchost.exe	1
PID 2296 wrote to memory of 332	2296	svchost.exe	2
PID 2296 wrote to memory of 332	2296	svchost.exe	2
PID 2296 wrote to memory of 332	2296	svchost.exe	2
PID 2296 wrote to memory of 332	2296	svchost.exe	2
PID 2296 wrote to memory of 332	2296	svchost.exe	2
PID 2296 wrote to memory of 380	2296	svchost.exe	3
PID 2296 wrote to memory of 380	2296	svchost.exe	3

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:484
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1636
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1716
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1828
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:668
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1008
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1116
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1432
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2084
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2576
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
    C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:300
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
- - C:\Windows\SysWOW64\dllChache\Empty.jpg
    C:\Windows\system32\dllChache\Empty.jpg ReStart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Windows\SysWOW64\dllChache\Blank.doc
    C:\Windows\system32\dllChache\Blank.doc ReStart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:296
- - C:\Windows\SysWOW64\dllChache\Zero.txt
    C:\Windows\system32\dllChache\Zero.txt ReStart
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\dllChache\Hole.zip
    C:\Windows\system32\dllChache\Hole.zip ReStart
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Windows\SysWOW64\dllChache\Unoccupied.reg
    C:\Windows\system32\dllChache\Unoccupied.reg ReStart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:860
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
134KB

MD5
c160d436f0c34b6dced871f0f9e6a586

SHA1
ff0eb8da116c8b248db0c54eac4254e73c2f6b05

SHA256
b92713cba31544d4d58e984364100be03677d20c189a61d92b5dde2eccb55903

SHA512
6161e5b33cfaef7133245748836162915a98e8c5b1b6b455f4ebd40712423bd32b1dbaa66e1cb0f66e804116f03117494c9e9dc756c613aa195a4e6b8252098d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
130KB

MD5
44349c7e95fac240e7da239cade99660

SHA1
09d9955fbf65b9d894f99881dbeb736ddd3d9196

SHA256
0c065e883bbc06da20238be93534df20ffc76c42a20c97e9ae3ea11fbbd7ac2a

SHA512
95797bea564b8cc8d5c585f4448678daf42a574bf407a582b5e950703b6cb673759334fe4eceba3fb36bd67f52f6ef7c205c98ccabf2245f9ec13a49924e0a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea69cbd4cef47b051db7a16308ec764b_JaffaCakes118mgr.exe

Filesize
60KB

MD5
f4f27869cdedbb0d9d1996d33be2c8a1

SHA1
277b2df1585794b40b51053af2aeaf88ce40474a

SHA256
1c81a61ce416989fcdc5a72585933e60f68a21d952733afd65092156c3c253a1

SHA512
8656ba9d9618954026fee9ca48d701b10d336eba0549ad506bc91df26b647be1db265062112a4699ca554c8dda2c7a4706055474cd0b127eefff1086c840dfd8

Download Submit
C:\Windows\SysWOW64\dllChache\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\dllchache\Zero.txt

Filesize
108KB

MD5
ea69cbd4cef47b051db7a16308ec764b

SHA1
d6e3a85a10e31876a2ef250f85a66f91bf21293e

SHA256
1abe45aa3042f4085101cf285a456c80c9e6f0189a6965e440c9f8ca33d99304

SHA512
310ff8e047d557770124bdcd9180adabe290793528e7e13dd9990b0041ecaac17c44f53d5f31df833a64843592f453fb8f06ad2df5b839b309d2ed5021176ee3

Download Submit
memory/296-161-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/300-101-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/300-75-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/300-84-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/300-88-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/300-89-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/300-99-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/300-91-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/300-100-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/300-144-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/300-73-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/860-835-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1820-570-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1820-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1828-165-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/1908-573-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2056-152-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2296-186-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2296-169-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2296-182-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2296-179-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2296-183-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2296-184-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2296-185-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2296-187-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2696-54-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2696-72-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2696-842-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-167-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2696-128-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-55-0x0000000076F7F000-0x0000000076F80000-memory.dmp

Filesize
4KB

Download
memory/2696-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2920-142-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2920-141-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-143-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-162-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2920-103-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-164-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2920-17-0x0000000000240000-0x0000000000261000-memory.dmp

Filesize
132KB

Download
memory/2920-146-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-112-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-52-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2920-117-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2920-11-0x0000000000240000-0x0000000000261000-memory.dmp

Filesize
132KB

Download
memory/2920-129-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2948-27-0x0000000000050000-0x0000000000071000-memory.dmp

Filesize
132KB

Download
memory/2948-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2948-19-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download