ramnit | c3eece0e1546f2266057b90688fc8b303afe462b656f29cc727e666058b66185

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe
Size

234KB
MD5

02c7f2667a6fc190c858d3040ae1b660
SHA1

689bad0bb52f67fa2a445dc42f131860f3f684cb
SHA256

c3eece0e1546f2266057b90688fc8b303afe462b656f29cc727e666058b66185
SHA512

909cb8d4bd26f65411d8cf4bccf2714f164ea130fdfaca1dd13ee6a3270ef5cfcac5840541a9d4b92c7d502838c40c74443f88f6e0cbed40739961a22955fb38
SSDEEP

3072:LobBqJq3ZruXzi+wGw3T9Z7vyppNBrYFnB26ukk/CXrkm:LwBqJ+ZaDi+4xdINBrAnk6u1wrn

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
2568	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe
2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe
2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2568-35-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2568-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2568-71-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2568-82-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2568-615-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxml2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\Program Files\PublishUnpublish.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdebuggeride.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\MoreGames.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2568	WaterMark.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	WaterMark.exe
Token: SeDebugPrivilege	2432	svchost.exe
Token: SeDebugPrivilege	2568	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
2568	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2184	2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe	31
PID 2688 wrote to memory of 2184	2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe	31
PID 2688 wrote to memory of 2184	2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe	31
PID 2688 wrote to memory of 2184	2688	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe	31
PID 2184 wrote to memory of 2568	2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe	32
PID 2184 wrote to memory of 2568	2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe	32
PID 2184 wrote to memory of 2568	2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe	32
PID 2184 wrote to memory of 2568	2184	JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe	32
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2724	2568	WaterMark.exe	33
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2568 wrote to memory of 2432	2568	WaterMark.exe	34
PID 2432 wrote to memory of 256	2432	svchost.exe	1
PID 2432 wrote to memory of 256	2432	svchost.exe	1
PID 2432 wrote to memory of 256	2432	svchost.exe	1
PID 2432 wrote to memory of 256	2432	svchost.exe	1
PID 2432 wrote to memory of 256	2432	svchost.exe	1
PID 2432 wrote to memory of 332	2432	svchost.exe	2
PID 2432 wrote to memory of 332	2432	svchost.exe	2
PID 2432 wrote to memory of 332	2432	svchost.exe	2
PID 2432 wrote to memory of 332	2432	svchost.exe	2
PID 2432 wrote to memory of 332	2432	svchost.exe	2
PID 2432 wrote to memory of 384	2432	svchost.exe	3
PID 2432 wrote to memory of 384	2432	svchost.exe	3
PID 2432 wrote to memory of 384	2432	svchost.exe	3
PID 2432 wrote to memory of 384	2432	svchost.exe	3
PID 2432 wrote to memory of 384	2432	svchost.exe	3
PID 2432 wrote to memory of 396	2432	svchost.exe	4
PID 2432 wrote to memory of 396	2432	svchost.exe	4
PID 2432 wrote to memory of 396	2432	svchost.exe	4
PID 2432 wrote to memory of 396	2432	svchost.exe	4
PID 2432 wrote to memory of 396	2432	svchost.exe	4
PID 2432 wrote to memory of 432	2432	svchost.exe	5
PID 2432 wrote to memory of 432	2432	svchost.exe	5
PID 2432 wrote to memory of 432	2432	svchost.exe	5
PID 2432 wrote to memory of 432	2432	svchost.exe	5
PID 2432 wrote to memory of 432	2432	svchost.exe	5
PID 2432 wrote to memory of 476	2432	svchost.exe	6
PID 2432 wrote to memory of 476	2432	svchost.exe	6
PID 2432 wrote to memory of 476	2432	svchost.exe	6
PID 2432 wrote to memory of 476	2432	svchost.exe	6
PID 2432 wrote to memory of 476	2432	svchost.exe	6
PID 2432 wrote to memory of 492	2432	svchost.exe	7
PID 2432 wrote to memory of 492	2432	svchost.exe	7
PID 2432 wrote to memory of 492	2432	svchost.exe	7
PID 2432 wrote to memory of 492	2432	svchost.exe	7
PID 2432 wrote to memory of 492	2432	svchost.exe	7
PID 2432 wrote to memory of 500	2432	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1204
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1612
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:484
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:852
  - - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2996
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:352
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:568
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2444
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2216
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2724
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
342KB

MD5
542e7a4b24dd832e344bf0d1731c8c0b

SHA1
507dfed69cc812e0bf9e9850c484d524d7289d38

SHA256
d657db80b4fe5627bd796c474e7aa3c6645859f5c67e208883210a75bda405d9

SHA512
57df1d807af3510fb46f36a4ed5c7857d9593fb0874e67a86f7a5cbcdb0b0079f8e9e9654099d1d679610e2e28ebfe84e691ef60863dc04e0095b5856839bb5b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
338KB

MD5
efc307c44c57c3a2d20eed26953481e6

SHA1
de70a8332b5058da67de5db6eb13ac87f61658d2

SHA256
e676b3f9a25a914517193bfe4b121f398ceaf17b9d9cdb85115cc42fa79d0f1b

SHA512
cd8b4ccddb343bc1865ae520ca4ed7b301166c251e96cfda94d1594f34f1919994e4840ab63a346054e1a51ff78524b119ad9fe415310c3315a24e73303ddb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02c7f2667a6fc190c858d3040ae1b660mgr.exe

Filesize
164KB

MD5
d15503ad1b18b12e61b71317eb9da448

SHA1
65ecd5d7e6d3c03d59985a32eba7b8ff9f395680

SHA256
dcf1a705180f34d3461d9a6a3a7c50cf080c497fed467cb21bff513baefaf289

SHA512
f2dcba0fc837aee6b50331c4a4ce2d4e8811ee7146397032e513a61dbf44b769e8dc9c59d3d2c6356bca3b70583cb0df146ec4e76998225c21449a280017d493

Download Submit
memory/2184-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-18-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2432-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2432-93-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2432-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2432-91-0x0000000077350000-0x0000000077351000-memory.dmp

Filesize
4KB

Download
memory/2432-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2432-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2432-89-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2432-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2432-73-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2568-82-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2568-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2568-41-0x000000007734F000-0x0000000077350000-memory.dmp

Filesize
4KB

Download
memory/2568-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-615-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2568-70-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2568-40-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2568-88-0x000000007734F000-0x0000000077350000-memory.dmp

Filesize
4KB

Download
memory/2568-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2688-1-0x0000000000030000-0x000000000006F000-memory.dmp

Filesize
252KB

Download
memory/2688-8-0x0000000000030000-0x000000000006F000-memory.dmp

Filesize
252KB

Download
memory/2724-45-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2724-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-61-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-59-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-53-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2724-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2724-362-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-66-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2724-52-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download