ramnit | 836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fb

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll
Size

224KB
MD5

f4452ffa750b695b3d921c95d4f94eb0
SHA1

bfb105f0c59478d15bfca22fe93ab1962000c894
SHA256

836b6139cfaf0666b37612e1cbf8578a882b01b6f4041e0d68d03dd63ab4f7fb
SHA512

5cd43273ecc00f27db4e4fc3da225c181130f7ed9c4c6937ed2578a2fa28c21fd42682d639555f5af69ded931985bb89347c130ac7251a74b2935abc06ec7c6f
SSDEEP

3072:ZGd5SXa28vl8juKJcXV9lCgGNlx91xaafMWtXZDPEs3K0G:0d5h7+juU8V9rGrr1xaaflpDPEs3HG

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 5 IoCs

pid	Process
2216	rundll32mgr.exe
2388	rundll32mgrmgr.exe
3036	WaterMark.exe
2732	WaterMark.exe
2616	WaterMarkmgr.exe

Loads dropped DLL 10 IoCs

pid	Process
2088	rundll32.exe
2088	rundll32.exe
2216	rundll32mgr.exe
2216	rundll32mgr.exe
2388	rundll32mgrmgr.exe
2388	rundll32mgrmgr.exe
2216	rundll32mgr.exe
2216	rundll32mgr.exe
3036	WaterMark.exe
3036	WaterMark.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-30-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2388-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-26-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2216-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2616-112-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-65-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2616-90-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/3036-89-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-541-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-542-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3036-546-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3036-813-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-816-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\msdbg2.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdebuggeride.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\settings.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMCCore.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\OmdProject.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	2088	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2732	WaterMark.exe
2732	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
3036	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
1180	svchost.exe
2732	WaterMark.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe
1180	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	WaterMark.exe
Token: SeDebugPrivilege	3036	WaterMark.exe
Token: SeDebugPrivilege	1180	svchost.exe
Token: SeDebugPrivilege	2988	svchost.exe
Token: SeDebugPrivilege	2088	rundll32.exe
Token: SeDebugPrivilege	2540	WerFault.exe
Token: SeDebugPrivilege	3036	WaterMark.exe
Token: SeDebugPrivilege	2732	WaterMark.exe
Token: SeDebugPrivilege	1984	svchost.exe

Suspicious use of UnmapMainImage 5 IoCs

pid	Process
2216	rundll32mgr.exe
2388	rundll32mgrmgr.exe
2732	WaterMark.exe
3036	WaterMark.exe
2616	WaterMarkmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 1804 wrote to memory of 2088	1804	rundll32.exe	30
PID 2088 wrote to memory of 2216	2088	rundll32.exe	31
PID 2088 wrote to memory of 2216	2088	rundll32.exe	31
PID 2088 wrote to memory of 2216	2088	rundll32.exe	31
PID 2088 wrote to memory of 2216	2088	rundll32.exe	31
PID 2088 wrote to memory of 2540	2088	rundll32.exe	33
PID 2088 wrote to memory of 2540	2088	rundll32.exe	33
PID 2088 wrote to memory of 2540	2088	rundll32.exe	33
PID 2088 wrote to memory of 2540	2088	rundll32.exe	33
PID 2216 wrote to memory of 2388	2216	rundll32mgr.exe	32
PID 2216 wrote to memory of 2388	2216	rundll32mgr.exe	32
PID 2216 wrote to memory of 2388	2216	rundll32mgr.exe	32
PID 2216 wrote to memory of 2388	2216	rundll32mgr.exe	32
PID 2388 wrote to memory of 3036	2388	rundll32mgrmgr.exe	34
PID 2388 wrote to memory of 3036	2388	rundll32mgrmgr.exe	34
PID 2388 wrote to memory of 3036	2388	rundll32mgrmgr.exe	34
PID 2388 wrote to memory of 3036	2388	rundll32mgrmgr.exe	34
PID 2216 wrote to memory of 2732	2216	rundll32mgr.exe	35
PID 2216 wrote to memory of 2732	2216	rundll32mgr.exe	35
PID 2216 wrote to memory of 2732	2216	rundll32mgr.exe	35
PID 2216 wrote to memory of 2732	2216	rundll32mgr.exe	35
PID 3036 wrote to memory of 2616	3036	WaterMark.exe	36
PID 3036 wrote to memory of 2616	3036	WaterMark.exe	36
PID 3036 wrote to memory of 2616	3036	WaterMark.exe	36
PID 3036 wrote to memory of 2616	3036	WaterMark.exe	36
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 3036 wrote to memory of 1424	3036	WaterMark.exe	38
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 2732 wrote to memory of 1984	2732	WaterMark.exe	37
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 3036 wrote to memory of 1180	3036	WaterMark.exe	39
PID 2732 wrote to memory of 2988	2732	WaterMark.exe	40
PID 2732 wrote to memory of 2988	2732	WaterMark.exe	40
PID 2732 wrote to memory of 2988	2732	WaterMark.exe	40

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1440
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:756
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:3416
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1020
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1060
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1712
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1964
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:772
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4452ffa750b695b3d921c95d4f94eb0_JaffaCakes118.dll,#1
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\rundll32mgr.exe
      C:\Windows\SysWOW64\rundll32mgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\rundll32mgrmgr.exe
        
        C:\Windows\SysWOW64\rundll32mgrmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        
        PID:2616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 224
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
384KB

MD5
006d343518117f898160d353ed43325e

SHA1
357527507739a2b541228ce5495a218a9aad913c

SHA256
3d8c9e95dd7e468df6a17c76895303a2a84be33c26d2c1d25cf8b9f847812243

SHA512
b9efe8b4aeefa28159fe67006986c55c9c49633b261682f9df7fe1afecc4d197d972e9e5517abe1419c33a1fffc92c274fa385b4fcbf8d2f887ea79e79660f42

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
381KB

MD5
083a9f112d9720e4db9e53538e1c85a8

SHA1
a31c603f20567c173d2f208ec8eb00112da0a874

SHA256
f45b1c112b5d0f0f1702b6b74e9cb7f9b29a6cce5f64a2239098b4520923e6d6

SHA512
5ae00a8e84600bf44dbc8d93942d061d59703b73de9ef179613ed0e689302ab22cdf819044ee0ac83b1b54b31f30c6aead8615ea488954fbb9efa8796e2ffb09

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
185KB

MD5
a1ada298faa9819dca0eab0165d978d9

SHA1
50d7bd60790cc2370d4c3a2382e3e7248b95ef6e

SHA256
3f2af8dff9eb0ee18e38ce952c51bf1b461094fd03e71e137a61219c595cc742

SHA512
672a5f15f704932ae0dab2562238be9ca91743ce6885b79fe0bbf000ee1a8e9389278591221dcb6ee5d488faaf374d0603a985a62cb1b639ba27b0e774e25978

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe

Filesize
91KB

MD5
c56eab01a1504045b4e4b4376630e35d

SHA1
1586025ddf036c2ce35601e6021fad5df2814963

SHA256
e41b8af9b477ee81e0c2fa21b6a3a5a598a43874128ba117f287ce99471d8631

SHA512
1f1034f40beeb52e92524dc17984f45f12a911d5364d36ca43ef197b89348d7a3c373ca4ebee20b260693028151df1475d472d3432eed02cce6b2e3ac3d12d71

Download Submit
memory/1424-119-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1424-810-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1424-102-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1424-107-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1424-127-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1424-128-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1984-76-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1984-78-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1984-125-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1984-126-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2088-10-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download
memory/2088-549-0x000000006D200000-0x000000006D238000-memory.dmp

Filesize
224KB

Download
memory/2088-1-0x000000006D200000-0x000000006D238000-memory.dmp

Filesize
224KB

Download
memory/2216-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-14-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/2216-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-23-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/2216-26-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-24-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2216-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2388-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2388-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2616-112-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2616-113-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2616-114-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/2616-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2732-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-64-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2732-541-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-543-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

Filesize
4KB

Download
memory/2732-542-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-816-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-71-0x0000000077A9F000-0x0000000077AA0000-memory.dmp

Filesize
4KB

Download
memory/3036-89-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-546-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-70-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download
memory/3036-813-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3036-91-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download