ramnit | 8fc2ae924e12369ba719eab3533728e48456aee5bfb8bf3476dd8df8a4a69d93

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
Size

248KB
MD5

799656a9fe1313148e9b34302d43364b
SHA1

75d5f2a8d7d679145b4857f8027e937c8d97fddd
SHA256

8fc2ae924e12369ba719eab3533728e48456aee5bfb8bf3476dd8df8a4a69d93
SHA512

9f0ae85b1ed7aa707666012fbc9a4d71d7b54a2e87a5455b61367ad31296039e96e960a6595c64e4a559edf6bd685af6a785b9036054a236bdb860fa321b7322
SSDEEP

3072:uR2xn3k0CdM1vabyzJYWqyZcFaF504UwPGX1NhG2ozrl8SmaUBzMZqa12DtjSs:uR2J0LS6Vymc0IPGEfzrjmPzMZq2M

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 5 IoCs

pid	Process
2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
2884	WaterMark.exe
2552	WaterMark.exe
2720	WaterMarkmgr.exe
2492	WaterMark.exe

Loads dropped DLL 10 IoCs

pid	Process
2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
2884	WaterMark.exe
2884	WaterMark.exe
2720	WaterMarkmgr.exe
2720	WaterMarkmgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2092-27-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2720-63-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2884-74-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2184-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2552-120-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2884-695-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2884-698-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2492-701-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\WMM2CLIP.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kcms.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glass.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMarkmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2884	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2492	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2492	WaterMark.exe
2884	WaterMark.exe
2884	WaterMark.exe
2492	WaterMark.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	WaterMark.exe
Token: SeDebugPrivilege	2492	WaterMark.exe
Token: SeDebugPrivilege	2168	svchost.exe
Token: SeDebugPrivilege	1992	svchost.exe
Token: SeDebugPrivilege	2884	WaterMark.exe
Token: SeDebugPrivilege	2492	WaterMark.exe
Token: SeDebugPrivilege	536	svchost.exe

Suspicious use of UnmapMainImage 6 IoCs

pid	Process
2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
2884	WaterMark.exe
2720	WaterMarkmgr.exe
2492	WaterMark.exe
2552	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2092	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	28
PID 2184 wrote to memory of 2092	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	28
PID 2184 wrote to memory of 2092	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	28
PID 2184 wrote to memory of 2092	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	28
PID 2092 wrote to memory of 2884	2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe	30
PID 2092 wrote to memory of 2884	2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe	30
PID 2092 wrote to memory of 2884	2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe	30
PID 2092 wrote to memory of 2884	2092	JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe	30
PID 2184 wrote to memory of 2552	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	29
PID 2184 wrote to memory of 2552	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	29
PID 2184 wrote to memory of 2552	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	29
PID 2184 wrote to memory of 2552	2184	JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe	29
PID 2884 wrote to memory of 2720	2884	WaterMark.exe	31
PID 2884 wrote to memory of 2720	2884	WaterMark.exe	31
PID 2884 wrote to memory of 2720	2884	WaterMark.exe	31
PID 2884 wrote to memory of 2720	2884	WaterMark.exe	31
PID 2720 wrote to memory of 2492	2720	WaterMarkmgr.exe	32
PID 2720 wrote to memory of 2492	2720	WaterMarkmgr.exe	32
PID 2720 wrote to memory of 2492	2720	WaterMarkmgr.exe	32
PID 2720 wrote to memory of 2492	2720	WaterMarkmgr.exe	32
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2884 wrote to memory of 536	2884	WaterMark.exe	33
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2492 wrote to memory of 476	2492	WaterMark.exe	34
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2492 wrote to memory of 1992	2492	WaterMark.exe	35
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2884 wrote to memory of 2168	2884	WaterMark.exe	36
PID 2168 wrote to memory of 256	2168	svchost.exe	1
PID 2168 wrote to memory of 256	2168	svchost.exe	1
PID 2168 wrote to memory of 256	2168	svchost.exe	1
PID 2168 wrote to memory of 256	2168	svchost.exe	1

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1456
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2912
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1088
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:1264
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:956
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:272
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1048
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1056
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1124
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:940
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2344
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_799656a9fe1313148e9b34302d43364b.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
510KB

MD5
31a90f3799860db495e67e1fc8d7e954

SHA1
ca8828c8c33957b8fd49435c28be16ed44663221

SHA256
a716f54b3e8353bf9acee6c106fd8bd570cf6919f6678c6c4817b9d1ba64d552

SHA512
0c03c3de2b405edf49a429e1d1aec4ac1c22bc4ffa1957426d10dd86f20b8aa4311ac77a329f7d53b33980d880072fcbdf16e5a6a9cd6a905749f6688a2d50c8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
507KB

MD5
5fbb639c2c587485afcfdd65c06112aa

SHA1
2f4e2e4c45a58b25d11b23a0d915a2b0a52e0e69

SHA256
41fd7ba04340c11083cc9d377da347c864f7ee4c85027b03f4791befd01963f7

SHA512
16111a5f638767643ec711baf72f2bda36d81776a6d5f89c411c86023fc3d41b2bd2e3767afabc3d687a8654c628f0e6f570f3d5cdfe42fa2aa2ab8abc733912

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
248KB

MD5
799656a9fe1313148e9b34302d43364b

SHA1
75d5f2a8d7d679145b4857f8027e937c8d97fddd

SHA256
8fc2ae924e12369ba719eab3533728e48456aee5bfb8bf3476dd8df8a4a69d93

SHA512
9f0ae85b1ed7aa707666012fbc9a4d71d7b54a2e87a5455b61367ad31296039e96e960a6595c64e4a559edf6bd685af6a785b9036054a236bdb860fa321b7322

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_799656a9fe1313148e9b34302d43364bmgr.exe

Filesize
123KB

MD5
04161f533ee93611681445f8a165ed68

SHA1
d3f4b2bfc8b384d2602989082056751ae21b8105

SHA256
97e8d8fefbd8aef88875b7373e6a5ec0ff0fa02fc1b63af254d8116e6d959f81

SHA512
4e3ad0bd23e728966e7f0d86fda0883bb8196d9eca93c6c9633c3b786c451864fabd9f300fb7355277fb8de334c1fe5cb54b01c2ad88c3e51ad7fa221a57119f

Download Submit
memory/476-100-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/476-104-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/536-79-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/536-81-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2092-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2092-33-0x0000000000700000-0x000000000074B000-memory.dmp

Filesize
300KB

Download
memory/2184-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2184-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-19-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2184-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2184-4-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2184-30-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/2184-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2492-701-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2492-77-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2552-120-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2720-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2884-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2884-43-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2884-695-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2884-698-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2884-75-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2884-52-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/2884-74-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download