Analysis
  max time kernel: 150s
  max time network: 143s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 01-01-2025 20:59
  Static task: static1
  Behavioral task: behavioral1
    Sample: JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
    Resource: win7-20240729-en
General
  Target: JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  Size: 357KB
  MD5: 60a08bd5e8aba152f80bd94b017a1af0
  SHA1: 0d63970524bcb68a2b13cd063d67e7115aa13882
  SHA256: c7e035548267cd6502e23d30f834af95e03bd1ee2af8df1c27d0409995256ab6
  SHA512: 8c7f94cc2b7fb925dc4a55a36d0b30a91a157cabe2bd4ab3ac819e77900679a4a2880617d3dc5fe5ef8e3179a9c08fae6bbe48cc94d799c0c3f15eb42c8d7c10
  SSDEEP: 6144:SqHGoq/TMz7GQVONhSdnCsyJ6yzmmCXTl9xGUkKjDR:S4dNHGeOeAsuzzYXTEUkK3R
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  svchost.exe

Ramnit family

Executes dropped EXE (5 IoCs)
  pid   Process
  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2932  WaterMarkmgr.exe
  2612  WaterMark.exe

Loads dropped DLL (10 IoCs)
  pid   Process
  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  2824  WaterMark.exe
  2824  WaterMark.exe
  2932  WaterMarkmgr.exe
  2932  WaterMarkmgr.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                Process
  File created                  C:\Windows\SysWOW64\dmlconf.dat    svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat    svchost.exe
  resource                                                                       yara_rule
  behavioral1/memory/2584-12-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-18-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-17-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2892-28-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-16-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-13-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2584-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2892-36-0x0000000000220000-0x0000000000284000-memory.dmp   upx
  behavioral1/memory/2824-67-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2612-87-0x0000000000400000-0x0000000000464000-memory.dmp   upx
  behavioral1/memory/2744-59-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2824-109-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2744-106-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2932-73-0x0000000000400000-0x0000000000421000-memory.dmp   upx
  behavioral1/memory/2612-590-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2744-849-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2824-850-0x0000000000400000-0x0000000000421000-memory.dmp  upx
  behavioral1/memory/2612-853-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Drops file in Program Files directory (64 IoCs)
  description                   ioc                                                                                                                                                 Process
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll  svchost.exe
  File opened for modification  C:\Program Files\Internet Explorer\ieproxy.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\jli.dll  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll  svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html  svchost.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe  svchost.exe
  File opened for modification  C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\Windows Portable Devices\sqmapi.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\Windows Journal\NBMapTIP.dll  svchost.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\hxdsui.dll  svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe  svchost.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\IA2Marshal.dll  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll  svchost.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\deploy.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\javafx-iio.dll  svchost.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\libvlc.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\Windows Defender\MpSvc.dll  svchost.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll  svchost.exe
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe  svchost.exe
  File opened for modification  C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe  svchost.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe  svchost.exe
  File opened for modification  C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html  svchost.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll  svchost.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm  svchost.exe
  File opened for modification  C:\Program Files\Internet Explorer\networkinspection.dll  svchost.exe
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMarkmgr.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid   Process
  2824  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2744  WaterMark.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2276  svchost.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2612  WaterMark.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe
  2276  svchost.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2824  WaterMark.exe
  Token: SeDebugPrivilege  2744  WaterMark.exe
  Token: SeDebugPrivilege  2612  WaterMark.exe
  Token: SeDebugPrivilege  2276  svchost.exe
  Token: SeDebugPrivilege  2196  svchost.exe
  Token: SeDebugPrivilege  2744  WaterMark.exe
  Token: SeDebugPrivilege  2824  WaterMark.exe
  Token: SeDebugPrivilege  2612  WaterMark.exe
  Token: SeDebugPrivilege  2688  svchost.exe
  Token: SeDebugPrivilege  2896  svchost.exe
  Token: SeDebugPrivilege  2488  svchost.exe

Suspicious use of UnmapMainImage (6 IoCs)
  pid   Process
  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe
  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe
  2824  WaterMark.exe
  2744  WaterMark.exe
  2932  WaterMarkmgr.exe
  2612  WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                                                  procid_target
  PID 2584 wrote to memory of 2892  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      30
  PID 2584 wrote to memory of 2892  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      30
  PID 2584 wrote to memory of 2892  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      30
  PID 2584 wrote to memory of 2892  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      30
  PID 2584 wrote to memory of 2744  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      31
  PID 2584 wrote to memory of 2744  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      31
  PID 2584 wrote to memory of 2744  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      31
  PID 2584 wrote to memory of 2744  2584  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe      31
  PID 2892 wrote to memory of 2824  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe   32
  PID 2892 wrote to memory of 2824  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe   32
  PID 2892 wrote to memory of 2824  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe   32
  PID 2892 wrote to memory of 2824  2892  JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe   32
  PID 2824 wrote to memory of 2932  2824  WaterMark.exe                                            33
  PID 2824 wrote to memory of 2932  2824  WaterMark.exe                                            33
  PID 2824 wrote to memory of 2932  2824  WaterMark.exe                                            33
  PID 2824 wrote to memory of 2932  2824  WaterMark.exe                                            33
  PID 2932 wrote to memory of 2612  2932  WaterMarkmgr.exe                                         34
  PID 2932 wrote to memory of 2612  2932  WaterMarkmgr.exe                                         34
  PID 2932 wrote to memory of 2612  2932  WaterMarkmgr.exe                                         34
  PID 2932 wrote to memory of 2612  2932  WaterMarkmgr.exe                                         34
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2824 wrote to memory of 2688  2824  WaterMark.exe                                            35
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2744 wrote to memory of 2020  2744  WaterMark.exe                                            36
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2612 wrote to memory of 2896  2612  WaterMark.exe                                            37
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
  PID 2824 wrote to memory of 2276  2824  WaterMark.exe                                            38
  PID 2744 wrote to memory of 2196  2744  WaterMark.exe                                            39
Processes
(Each entry: image path, command line, PID; nested entries are child processes; signatures hit by that process are listed beneath it.)

- C:\Windows\System32\smss.exe  (cmd: \SystemRoot\System32\smss.exe)  PID:256
- C:\Windows\system32\csrss.exe  (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:332
- C:\Windows\system32\wininit.exe  (cmd: wininit.exe)  PID:384
  - C:\Windows\system32\services.exe  (cmd: C:\Windows\system32\services.exe)  PID:480
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch)  PID:596
      - C:\Windows\system32\wbem\wmiprvse.exe  (cmd: C:\Windows\system32\wbem\wmiprvse.exe)  PID:1036
      - C:\Windows\system32\DllHost.exe  (cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:1800
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k RPCSS)  PID:672
    - C:\Windows\System32\svchost.exe  (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)  PID:740
    - C:\Windows\System32\svchost.exe  (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)  PID:816
      - C:\Windows\system32\Dwm.exe  (cmd: "C:\Windows\system32\Dwm.exe")  PID:1168
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k netsvcs)  PID:852
      - C:\Windows\system32\wbem\WMIADAP.EXE  (cmd: wmiadap.exe /F /T /R)  PID:2336
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalService)  PID:972
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k NetworkService)  PID:296
    - C:\Windows\System32\spoolsv.exe  (cmd: C:\Windows\System32\spoolsv.exe)  PID:1048
    - C:\Windows\system32\taskhost.exe  (cmd: "taskhost.exe")  PID:1076
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)  PID:1128
    - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  (cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE")  PID:760
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)  PID:2308
    - C:\Windows\system32\sppsvc.exe  (cmd: C:\Windows\system32\sppsvc.exe)  PID:2256
  - C:\Windows\system32\lsass.exe  (cmd: C:\Windows\system32\lsass.exe)  PID:496
  - C:\Windows\system32\lsm.exe  (cmd: C:\Windows\system32\lsm.exe)  PID:504
- C:\Windows\system32\csrss.exe  (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:392
- C:\Windows\system32\winlogon.exe  (cmd: winlogon.exe)  PID:432
- C:\Windows\Explorer.EXE  (cmd: C:\Windows\Explorer.EXE)  PID:1208
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0.exe")  PID:2584
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe  (cmd: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a08bd5e8aba152f80bd94b017a1af0mgr.exe)  PID:2892
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe  (cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe")  PID:2824
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe  (cmd: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe")  PID:2932
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\WaterMark.exe  (cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe")  PID:2612
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2896
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2488
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2688
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2276
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files (x86)\Microsoft\WaterMark.exe  (cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe")  PID:2744
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2020
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\svchost.exe  (cmd: C:\Windows\system32\svchost.exe)  PID:2196
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize: 729KB
    MD5: a0ef56b6197f6830ad862f730d274ae6
    SHA1: 96d1edee2c85483eb95090a0d2f07c7d5895a5b7
    SHA256: 5c831f3e44446322e1ed1be9263b820b26bcb0415a40a8442e696e8e02a2b1ec
    SHA512: 96705abae26e7a779e58c24a42dca44e01ddc574340b58ed3b226a5745a3d796a80cac2ec830ae3f2394dcf3dde8f2b6a817507d4edf954135f69af49fe1eb29
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize: 725KB
    MD5: 259d16f33e964a4d0c9c2036089a18a5
    SHA1: 117be589b383c8f86894f4ca039609585e081b5e
    SHA256: 01cd6905fcbe92d3787691b68bf809ab29270a8a036ef551de5a6be5073ba070
    SHA512: 4a6d6992b7babb3e2fa6f76b834c28a0670d8ac0c56e2b510f751a3de8dccc9469f5a13889a5b291486f75cb75e9c5729fc24b02ddc890eab9d2d6bcefdef7db
-
    Filesize: 357KB
    MD5: 60a08bd5e8aba152f80bd94b017a1af0
    SHA1: 0d63970524bcb68a2b13cd063d67e7115aa13882
    SHA256: c7e035548267cd6502e23d30f834af95e03bd1ee2af8df1c27d0409995256ab6
    SHA512: 8c7f94cc2b7fb925dc4a55a36d0b30a91a157cabe2bd4ab3ac819e77900679a4a2880617d3dc5fe5ef8e3179a9c08fae6bbe48cc94d799c0c3f15eb42c8d7c10
-
    Filesize: 177KB
    MD5: abfefbb11f25ef6fdb9514c8720b7e46
    SHA1: 8e85a2c22dfcf3ae742148fff0b70c68144f4f08
    SHA256: 5fc31eba84b6df213ba163f82dd1518f5d41839201d48bf2240b43a3bb0bfd9c
    SHA512: 488a1c11042f92800f56db27e69a0fdeb6f1499686cb6ae8243850db18eb930f133b4b7d6165a6cb20039720ff500af2f99a0246ae0c4bdf0cb827be917f5703