ramnit | 9de3cf4e7e6130ac8e4af4a6dd1842b93d8727d7ee397a6f66a19a5d0cf9c536

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
Size

176KB
MD5

60cd2a9d6629a6f7909278d59ef17f51
SHA1

036b6b3cc2e66bb6a2c92a973a16b9505ac4b128
SHA256

9de3cf4e7e6130ac8e4af4a6dd1842b93d8727d7ee397a6f66a19a5d0cf9c536
SHA512

3b28835e32ad54553a7535fbd417d3efc4ce1cab312fca9e79849a0c41c4bb36a9f5dde95cb62b1a6011af13e2d6574ff90cf29be3055a930aaf289657ea1dc2
SSDEEP

3072:8T/55OCLuvYVjHe2PWudHriAXmJ4N/rkqMCSUxRrB9y2:8tKYVjHe2PHriAXlRkzS7

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
2928	WaterMark.exe
2148	idemoodp0cetka.exe
3052	idemoodp0cetka.exe

Loads dropped DLL 7 IoCs

pid	Process
572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
2136	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
2136	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
2148	idemoodp0cetka.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 2148 set thread context of 3052	2148	idemoodp0cetka.exe	35

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/572-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2300-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2300-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2300-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2928-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/572-39-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2300-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2300-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2300-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2300-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/572-78-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2928-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/files/0x00060000000193a0-351.dat	upx
behavioral1/memory/2148-409-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2928-698-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\dao360.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\sbdrop.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll	svchost.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsTap.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5792.tmp	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idemoodp0cetka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idemoodp0cetka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2928	WaterMark.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	WaterMark.exe
Token: SeDebugPrivilege	2732	svchost.exe
Token: SeDebugPrivilege	2928	WaterMark.exe
Token: SeDebugPrivilege	2136	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
Token: SeDebugPrivilege	3052	idemoodp0cetka.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
2148	idemoodp0cetka.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
2928	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2300	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	29
PID 572 wrote to memory of 2300	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	29
PID 572 wrote to memory of 2300	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	29
PID 572 wrote to memory of 2300	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	29
PID 2300 wrote to memory of 2928	2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe	30
PID 2300 wrote to memory of 2928	2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe	30
PID 2300 wrote to memory of 2928	2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe	30
PID 2300 wrote to memory of 2928	2300	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe	30
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 2928 wrote to memory of 2824	2928	WaterMark.exe	31
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 572 wrote to memory of 2136	572	JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe	32
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2928 wrote to memory of 2732	2928	WaterMark.exe	33
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 256	2732	svchost.exe	1
PID 2732 wrote to memory of 336	2732	svchost.exe	2
PID 2732 wrote to memory of 336	2732	svchost.exe	2
PID 2732 wrote to memory of 336	2732	svchost.exe	2
PID 2732 wrote to memory of 336	2732	svchost.exe	2
PID 2732 wrote to memory of 336	2732	svchost.exe	2
PID 2732 wrote to memory of 372	2732	svchost.exe	3
PID 2732 wrote to memory of 372	2732	svchost.exe	3
PID 2732 wrote to memory of 372	2732	svchost.exe	3
PID 2732 wrote to memory of 372	2732	svchost.exe	3
PID 2732 wrote to memory of 372	2732	svchost.exe	3
PID 2732 wrote to memory of 384	2732	svchost.exe	4
PID 2732 wrote to memory of 384	2732	svchost.exe	4
PID 2732 wrote to memory of 384	2732	svchost.exe	4
PID 2732 wrote to memory of 384	2732	svchost.exe	4
PID 2732 wrote to memory of 384	2732	svchost.exe	4
PID 2732 wrote to memory of 424	2732	svchost.exe	5
PID 2732 wrote to memory of 424	2732	svchost.exe	5
PID 2732 wrote to memory of 424	2732	svchost.exe	5
PID 2732 wrote to memory of 424	2732	svchost.exe	5
PID 2732 wrote to memory of 424	2732	svchost.exe	5
PID 2732 wrote to memory of 468	2732	svchost.exe	6
PID 2732 wrote to memory of 468	2732	svchost.exe	6

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1556
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1880
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:832
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:988
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:664
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1128
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1788
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1940
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1920
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2824
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
      "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
        
        "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
248KB

MD5
60286c725740562439aa30a361b22f23

SHA1
aafdcb04fc79259ae145c350b431b7a5aab9a872

SHA256
eb4db89334ffb9b04d87246ec4d3305d94791bfbc71b8d2e873e331350471352

SHA512
4fb23e9c5109f9313f9c24f80ee4b9b38b00ca52b7e318f50b5d80b1633358c387ddeb353ee9e455493f589814e643e1906858865ce67226e0507253c50eaa66

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
244KB

MD5
3cbc07ff39e37fb0565f5b022d9b2337

SHA1
c59d284b7eeb4768741e8554661583fefcaec3b9

SHA256
47f92e1b84c9bebb061174ca4fe308a929f1f56726be355b9282bc338ee6ce84

SHA512
7385a93a01990004d9a465bd9615d0452831fa701e776fa3a339c32ced3c32452e81d33645c932e5cf381f6779cfa73e406fbc377d31dfd3014ed952cd853cbb

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cd2a9d6629a6f7909278d59ef17f51mgr.exe

Filesize
117KB

MD5
71b5d732c52788553e49f6ffbd85af45

SHA1
01fe9d4f7fe8b4b8727931fdeb328a58d5b46903

SHA256
faee1aafe1afadf0eabd446cf12cc7698933c7a1b5920a748a3c9b90e9210dd2

SHA512
16236b287b5ed06a2d3a512f4af159a812b46adad593b9d37119e63cb2e116c472574f7de043092765e75df091b7b4d68d65fa7321c6f58c85a44dbe88884cf7

Download Submit
\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

Filesize
176KB

MD5
60cd2a9d6629a6f7909278d59ef17f51

SHA1
036b6b3cc2e66bb6a2c92a973a16b9505ac4b128

SHA256
9de3cf4e7e6130ac8e4af4a6dd1842b93d8727d7ee397a6f66a19a5d0cf9c536

SHA512
3b28835e32ad54553a7535fbd417d3efc4ce1cab312fca9e79849a0c41c4bb36a9f5dde95cb62b1a6011af13e2d6574ff90cf29be3055a930aaf289657ea1dc2

Download Submit
memory/572-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/572-10-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/572-4-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/572-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/572-78-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2136-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2136-371-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/2136-374-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/2136-74-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2136-77-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2148-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-22-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2300-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2300-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-102-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-100-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-95-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-99-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2732-103-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2732-82-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-104-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2732-101-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/2824-373-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2824-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2824-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2824-56-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2824-64-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2824-45-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2824-63-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2824-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2824-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2928-42-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2928-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-98-0x00000000777BF000-0x00000000777C0000-memory.dmp

Filesize
4KB

Download
memory/2928-698-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2928-79-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2928-43-0x00000000777BF000-0x00000000777C0000-memory.dmp

Filesize
4KB

Download