ramnit | 39cd30364e480cc38aecb0b6247312064f7285024e969659e1fa3eac2e39814e

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
Size

187KB
MD5

31dede4c6a77eb03089def7047136e59
SHA1

4d6b2af46dc1c729f82d406eab66d99aef386fbd
SHA256

39cd30364e480cc38aecb0b6247312064f7285024e969659e1fa3eac2e39814e
SHA512

40b2c838012326c4bfede49f9e0bbbada2a924c6ffbd29c1208be06fe9dd0b2b76e934a1bce3ac16f138cb41aee2f441d58eb309500485fb11b48dbbaf7e7718
SSDEEP

3072:46lXWN336MdMfLirVQW0/nyyplK1LanRaSyjWsZcvi72iIw2jsxD7IYjA/LA:pXgqqULirVT01uaYSUZca72ip2juD7mM

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe

Executes dropped EXE 4 IoCs

pid	Process
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
3032	WaterMark.exe
2736	WaterMark.exe

Loads dropped DLL 8 IoCs

pid	Process
3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Public\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\X:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\O:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\P:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\S:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\T:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\A:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\H:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\L:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\N:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\R:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\W:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\E:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\G:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\J:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\K:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\V:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\Y:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\Z:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\I:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\M:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\Q:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
File opened (read-only)	\??\U:	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2520-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2368-47-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2520-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2520-56-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2520-58-0x0000000000050000-0x0000000000073000-memory.dmp	upx
behavioral1/memory/2736-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2368-34-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2368-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2368-31-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/3032-834-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2736-837-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll	svchost.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libfps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnssci.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\MoreGames.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\libxslt.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2736	WaterMark.exe
2736	WaterMark.exe
3032	WaterMark.exe
3032	WaterMark.exe
2736	WaterMark.exe
2736	WaterMark.exe
2736	WaterMark.exe
2736	WaterMark.exe
2736	WaterMark.exe
2736	WaterMark.exe
1148	svchost.exe
3032	WaterMark.exe
3032	WaterMark.exe
3032	WaterMark.exe
3032	WaterMark.exe
3032	WaterMark.exe
3032	WaterMark.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe
1148	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	WaterMark.exe
Token: SeDebugPrivilege	3032	WaterMark.exe
Token: SeDebugPrivilege	1148	svchost.exe
Token: SeDebugPrivilege	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
Token: SeDebugPrivilege	3032	WaterMark.exe
Token: SeDebugPrivilege	2736	WaterMark.exe
Token: SeDebugPrivilege	2012	svchost.exe
Token: SeDebugPrivilege	2164	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
3032	WaterMark.exe
2736	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2520	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	30
PID 3012 wrote to memory of 2520	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	30
PID 3012 wrote to memory of 2520	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	30
PID 3012 wrote to memory of 2520	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	30
PID 2520 wrote to memory of 2368	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	31
PID 2520 wrote to memory of 2368	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	31
PID 2520 wrote to memory of 2368	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	31
PID 2520 wrote to memory of 2368	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	31
PID 2368 wrote to memory of 3032	2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe	32
PID 2368 wrote to memory of 3032	2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe	32
PID 2368 wrote to memory of 3032	2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe	32
PID 2368 wrote to memory of 3032	2368	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe	32
PID 2520 wrote to memory of 2736	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	33
PID 2520 wrote to memory of 2736	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	33
PID 2520 wrote to memory of 2736	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	33
PID 2520 wrote to memory of 2736	2520	JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe	33
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 2736 wrote to memory of 2748	2736	WaterMark.exe	34
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3032 wrote to memory of 2164	3032	WaterMark.exe	35
PID 3012 wrote to memory of 2944	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	36
PID 3012 wrote to memory of 2944	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	36
PID 3012 wrote to memory of 2944	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	36
PID 3012 wrote to memory of 2944	3012	JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe	36
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 2736 wrote to memory of 1148	2736	WaterMark.exe	37
PID 1148 wrote to memory of 256	1148	svchost.exe	1
PID 1148 wrote to memory of 256	1148	svchost.exe	1
PID 1148 wrote to memory of 256	1148	svchost.exe	1
PID 1148 wrote to memory of 256	1148	svchost.exe	1
PID 1148 wrote to memory of 256	1148	svchost.exe	1
PID 1148 wrote to memory of 332	1148	svchost.exe	2
PID 1148 wrote to memory of 332	1148	svchost.exe	2
PID 1148 wrote to memory of 332	1148	svchost.exe	2
PID 1148 wrote to memory of 332	1148	svchost.exe	2
PID 1148 wrote to memory of 332	1148	svchost.exe	2
PID 1148 wrote to memory of 384	1148	svchost.exe	3
PID 1148 wrote to memory of 384	1148	svchost.exe	3
PID 1148 wrote to memory of 384	1148	svchost.exe	3
PID 1148 wrote to memory of 384	1148	svchost.exe	3

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1280
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1500
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
      4⤵
      PID:336
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:684
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:856
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:576
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:112
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:344
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1036
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1120
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1100
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2204
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2420
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Program Files (x86)\Microsoft\WaterMark.exe
        
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
- - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
    "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
132KB

MD5
1730a04fbdf99381ffdf7bd68be8639c

SHA1
c75703024da8e71ff12dc34956e068d5ef3b9216

SHA256
a02f12215f092270f37d3e74a1e3e663276cbf60cdef943791f38160212d56b3

SHA512
adbbf0a11fb8ff003496c1e55dd9b046fa2a69575692b0a6ecca34529fc70f2bec0542ea74dd05d2de87db2694fec5a347c24781f619422ca29bdb8e092b66d4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
128KB

MD5
b0ccfa7f9705e930c5e5825cb3c85aa8

SHA1
677dbb876014063f7925af55f4590dde6a8358b1

SHA256
e60f286f9b2b665776ebf368426e1a818c7d1b5fae297cac5063850e9d43d5fd

SHA512
ebb2fad2b4cfefbfc1931eeb85b6e34a1c44ee55c5b4c80bf22d217ee4035daf2ccffa742cd7bed88a3f77632c7b7f71b3bee94fedba8bc46ef70794114f1da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{4AE778F8-BE0B-42C5-81FA-4918EB2D5FCE}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{E0DE71EF-C196-48B3-A9CA-6197473FD606}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgrmgr.exe

Filesize
59KB

MD5
f2c8b7e238a07cce22920efb1c8645a6

SHA1
cd2af4b30add747e222f938206b78d7730fdf346

SHA256
6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e

SHA512
c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg

Filesize
5KB

MD5
1c6a4f664e8e18eba1a5b61ac4dde46f

SHA1
f09e10bc312f20ccd61c65c892666677d54d2282

SHA256
ccc20b7b3b29325db0a0b1c2127c12d8a1c019ca159505a96cbcbc89701702f9

SHA512
3ff32e45c7b0c1f38d5296c0a1ed6a87c987d1b5a4fd0efed2aacbce0794a8f804ec985891bf03ed1ec4bf03b18b25b9717a2aa405dc45aadae4b2b30d6012a6

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

Filesize
32KB

MD5
84bba83cfbc0233517407678bb842686

SHA1
1c617de788de380d28c52dc733ad580c3745a1c1

SHA256
6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

SHA512
a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_31dede4c6a77eb03089def7047136e59mgr.exe

Filesize
122KB

MD5
c5255edf109342e3e1d1eb0990b2d094

SHA1
ba029b47b9b3a5ccccae3038d90382ec68a1dd44

SHA256
ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5

SHA512
6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Download Submit
memory/2368-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2368-47-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2368-25-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2368-31-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2368-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-22-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/2520-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2520-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2520-21-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/2520-58-0x0000000000050000-0x0000000000073000-memory.dmp

Filesize
140KB

Download
memory/2736-69-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2736-837-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2736-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2736-113-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2748-85-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2748-73-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2748-81-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2748-90-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2748-71-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3012-0-0x0000000000B90000-0x0000000000BC3000-memory.dmp

Filesize
204KB

Download
memory/3012-4-0x00000000000F0000-0x0000000000123000-memory.dmp

Filesize
204KB

Download
memory/3012-3531-0x00000000000F0000-0x0000000000123000-memory.dmp

Filesize
204KB

Download
memory/3012-3529-0x0000000000B90000-0x0000000000BC3000-memory.dmp

Filesize
204KB

Download
memory/3032-94-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/3032-89-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3032-834-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download