ramnit | ddbfc0d3c20296477ebe7f16fa601796cc10a4520bce2588a277de306bf31dbf

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
Size

241KB
MD5

68fbfbb10cf521d8091643ee3b727107
SHA1

ae1aff1f798afec591b4c5b865dcd6c371648dcb
SHA256

ddbfc0d3c20296477ebe7f16fa601796cc10a4520bce2588a277de306bf31dbf
SHA512

ee68c4dcf9693dda92ca0cc61b3b199fd608d8f69f41cba7cd973ec70dcb43b3c798aa1ad6f212239b73ef28045ea31d5f4e12d3faad1cf8090cebd7f2f4a43a
SSDEEP

3072:enxwgxgfR/DVG7wBpEh1cFjhmA/+TZeRsWrVCAg107ODGDfaXgDKii+tOE0L6XMP:W+xDVG0BpCSaK+3WrA5u6IfaXg3H0G+

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
2732	WaterMark.exe
2920	WaterMark.exe

Loads dropped DLL 6 IoCs

pid	Process
2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2104-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2920-60-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2920-59-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2732-48-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2104-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2500-23-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2500-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2500-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2104-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2104-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2732-142-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2920-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2920-737-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\NBDoc.DLL	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\deploy.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ogg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dcpr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\JNTFiltr.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glass.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\pdmproxy100.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\logsession.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2732	WaterMark.exe
2732	WaterMark.exe
2920	WaterMark.exe
2920	WaterMark.exe
2920	WaterMark.exe
2732	WaterMark.exe
2920	WaterMark.exe
2732	WaterMark.exe
2920	WaterMark.exe
2920	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
2920	WaterMark.exe
2920	WaterMark.exe
2732	WaterMark.exe
2732	WaterMark.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe
2696	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	WaterMark.exe
Token: SeDebugPrivilege	2920	WaterMark.exe
Token: SeDebugPrivilege	2696	svchost.exe
Token: SeDebugPrivilege	2996	svchost.exe
Token: SeDebugPrivilege	2732	WaterMark.exe
Token: SeDebugPrivilege	2920	WaterMark.exe
Token: SeDebugPrivilege	2176	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
2732	WaterMark.exe
2920	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2500	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	30
PID 2104 wrote to memory of 2500	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	30
PID 2104 wrote to memory of 2500	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	30
PID 2104 wrote to memory of 2500	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	30
PID 2500 wrote to memory of 2732	2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe	31
PID 2500 wrote to memory of 2732	2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe	31
PID 2500 wrote to memory of 2732	2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe	31
PID 2500 wrote to memory of 2732	2500	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe	31
PID 2104 wrote to memory of 2920	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	32
PID 2104 wrote to memory of 2920	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	32
PID 2104 wrote to memory of 2920	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	32
PID 2104 wrote to memory of 2920	2104	JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe	32
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2732 wrote to memory of 2176	2732	WaterMark.exe	33
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2636	2920	WaterMark.exe	34
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2920 wrote to memory of 2696	2920	WaterMark.exe	35
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2732 wrote to memory of 2996	2732	WaterMark.exe	36
PID 2696 wrote to memory of 256	2696	svchost.exe	1
PID 2696 wrote to memory of 256	2696	svchost.exe	1
PID 2696 wrote to memory of 256	2696	svchost.exe	1
PID 2696 wrote to memory of 256	2696	svchost.exe	1
PID 2696 wrote to memory of 256	2696	svchost.exe	1
PID 2696 wrote to memory of 332	2696	svchost.exe	2
PID 2696 wrote to memory of 332	2696	svchost.exe	2
PID 2696 wrote to memory of 332	2696	svchost.exe	2
PID 2696 wrote to memory of 332	2696	svchost.exe	2
PID 2696 wrote to memory of 332	2696	svchost.exe	2
PID 2696 wrote to memory of 380	2696	svchost.exe	3
PID 2696 wrote to memory of 380	2696	svchost.exe	3

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:616
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:856
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1532
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:692
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:772
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1184
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1664
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:988
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:496
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1124
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2596
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2380
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68fbfbb10cf521d8091643ee3b727107.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
252KB

MD5
18a95504a4a4b3fdc887fbac3854d011

SHA1
2ff0eef033f914af928f18b8e538cb2788882fb9

SHA256
f457a111044fd48cc2ab85bd974d5262e9053f71d0b1e483a170947d76b7426e

SHA512
6d0655c501a6670b5048bf616643a9191bf5e8c75e170f8694ae97fdacf961ec8fa0a426f21bf518ce281c3b54b9160dd1010f0035484ff78525a51296505553

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
248KB

MD5
5e0135e2dd1d39f19f5c075cca49e94e

SHA1
0ed81056c02ccac12b59ae906170563f1c2bc0d8

SHA256
693baf9637907deb57b146bad644bcc95833a450c8ac693182a55944fa581f57

SHA512
8309794a9e1caa0fc4356080c77a3ef9aa40cb2802a5be974ac28b1b739bd6baa5161367dc0e513f395f1521b98c2f8348a1d2d6ebba8f78098dad458a935a75

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_68fbfbb10cf521d8091643ee3b727107mgr.exe

Filesize
119KB

MD5
f4c96d08597557a35ce7822c9c54174a

SHA1
a22cc60e8f6bb59764822e293ce921be7a4456c0

SHA256
71935cf7b5f1faa64943abafb2d7ad0025ec6622715b67dbd131ece2dffdc640

SHA512
9f7b5f3917d14787832ba9846f79d4118d93856fd733d19b0d4c40454242591f8a2291af0b10261b0069f4ec52ba6a1d0e6a66389554f8cf7b20957487418bd6

Download Submit
memory/2104-8-0x00000000000B0000-0x00000000000D9000-memory.dmp

Filesize
164KB

Download
memory/2104-42-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/2104-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2104-41-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2104-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2104-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2104-1-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2104-22-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2104-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2104-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2176-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2176-103-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2176-67-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2500-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2500-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2500-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2500-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2636-94-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-102-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-468-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2636-101-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2636-100-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2636-99-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2636-104-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2696-409-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2732-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-58-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2732-62-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/2732-109-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2732-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2732-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2920-130-0x0000000076FEF000-0x0000000076FF0000-memory.dmp

Filesize
4KB

Download
memory/2920-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2920-737-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2920-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2920-74-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download