ramnit | 13db9df01ad3a0b635518eb1ab5fa12a9398e979673ed62869b0b0b10309fae8

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ce88db3a58f15428331b074dd698a35.dll
Size

284KB
MD5

4ce88db3a58f15428331b074dd698a35
SHA1

168c77ce180ee8b14590bb4a53a3d80bd255dd5f
SHA256

13db9df01ad3a0b635518eb1ab5fa12a9398e979673ed62869b0b0b10309fae8
SHA512

4189ba7786f84310d5fee76cd85a87e2a62302c2d4b1fb8ed394573c080ae3324944ba0919633d3988adf2c9794a785eb2a4634f0f03c293e2164850f2f143a2
SSDEEP

6144:ZKtDP9elqi0AOROnJPmR2wl33YLba3XdBhxB:ZKtYlqi09ROnJPmRPVILbgrhxB

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\desktoplayer.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2320	regsvr32Srv.exe
1916	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	regsvr32.exe
2240	regsvr32.exe
2320	regsvr32Srv.exe
2320	regsvr32Srv.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1916-23-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1916-47-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jawt.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\t2k.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\Microsoft.Ink.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_nv12_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\JNWDRV.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3FE67D45-34FE-4305-896B-19FB6C355A80}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{739022A5-2615-45BF-A30A-AEC6C70B049B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96144532-C2BD-409D-8F3E-F2EFEDA7B4FB}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96144532-C2BD-409D-8F3E-F2EFEDA7B4FB}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3BE8465-5CFC-4C65-8AEC-AC50C2CCA89D}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF262B62-CC1C-4FB9-AB52-5B54AFA357EE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F5E6FB2-D765-458E-BE53-031AF5E4269B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79867DC0-0AE6-11D4-B052-00409575855B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7D5F98A-8248-4144-A86F-19E3A0C46955}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED18E0CA-6A5C-4DCC-BA33-2B1BC4420A57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3BE8465-5CFC-4C65-8AEC-AC50C2CCA89D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{739022A5-2615-45BF-A30A-AEC6C70B049B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96144532-C2BD-409D-8F3E-F2EFEDA7B4FB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79867DC0-0AE6-11D4-B052-00409575855B}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F45FE87-19D5-45E3-9207-06AF2BAA93D3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F45FE87-19D5-45E3-9207-06AF2BAA93D3}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84E87512-7776-4F59-B119-165DEE47E60A}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84E87512-7776-4F59-B119-165DEE47E60A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84E87512-7776-4F59-B119-165DEE47E60A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0AE2345-D700-4B48-97DB-A12506966B3C}\ = "IPassportLogin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0AE2345-D700-4B48-97DB-A12506966B3C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93278B81-3743-4DB1-A6F7-ECAC01FFED1A}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD27FE13-A289-4439-9A62-9ED2278A7CA9}\ = "_ILogonManagerEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F5E6FB2-D765-458E-BE53-031AF5E4269B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{93278B81-3743-4DB1-A6F7-ECAC01FFED1A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93278B81-3743-4DB1-A6F7-ECAC01FFED1A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E73E231-6A73-429F-AC58-4592BCCD6AC5}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DAC7F6A-8BD2-4816-8283-9BEAB56D8739}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E73E231-6A73-429F-AC58-4592BCCD6AC5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A6A09A1-32E9-4293-9E1D-1E131806E801}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED18E0CA-6A5C-4DCC-BA33-2B1BC4420A57}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CFA9F37-6669-4D30-9054-CE38A8D74233}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3BE8465-5CFC-4C65-8AEC-AC50C2CCA89D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{183D4C60-0A32-11D4-B052-00409575855B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LogonMgr.LogonManager.1\CLSID\ = "{f4894f79-8121-4df2-b79e-ed73fa8ade6f}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}\VersionIndependentProgID\ = "LogonMgr.LogonManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3FE67D45-34FE-4305-896B-19FB6C355A80}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{739022A5-2615-45BF-A30A-AEC6C70B049B}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3BE8465-5CFC-4C65-8AEC-AC50C2CCA89D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F5E6FB2-D765-458E-BE53-031AF5E4269B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84E87512-7776-4F59-B119-165DEE47E60A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84E87512-7776-4F59-B119-165DEE47E60A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89698CC5-DD69-4F34-BDCA-7FA190FCAA37}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4894f79-8121-4df2-b79e-ed73fa8ade6f}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89698CC5-DD69-4F34-BDCA-7FA190FCAA37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89698CC5-DD69-4F34-BDCA-7FA190FCAA37}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F45FE87-19D5-45E3-9207-06AF2BAA93D3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F45FE87-19D5-45E3-9207-06AF2BAA93D3}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD27FE13-A289-4439-9A62-9ED2278A7CA9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89698CC5-DD69-4F34-BDCA-7FA190FCAA37}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89698CC5-DD69-4F34-BDCA-7FA190FCAA37}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79867DC0-0AE6-11D4-B052-00409575855B}\ = "ILAN"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0AE2345-D700-4B48-97DB-A12506966B3C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{739022A5-2615-45BF-A30A-AEC6C70B049B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD27FE13-A289-4439-9A62-9ED2278A7CA9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B7D5F98A-8248-4144-A86F-19E3A0C46955}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A6A09A1-32E9-4293-9E1D-1E131806E801}\ = "ILogonManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF262B62-CC1C-4FB9-AB52-5B54AFA357EE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C3BE8465-5CFC-4C65-8AEC-AC50C2CCA89D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD27FE13-A289-4439-9A62-9ED2278A7CA9}\TypeLib\ = "{2E73E231-6A73-429F-AC58-4592BCCD6AC5}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1916	DesktopLayer.exe
1916	DesktopLayer.exe
1916	DesktopLayer.exe
1916	DesktopLayer.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2436 wrote to memory of 2240	2436	regsvr32.exe	30
PID 2240 wrote to memory of 2320	2240	regsvr32.exe	31
PID 2240 wrote to memory of 2320	2240	regsvr32.exe	31
PID 2240 wrote to memory of 2320	2240	regsvr32.exe	31
PID 2240 wrote to memory of 2320	2240	regsvr32.exe	31
PID 2320 wrote to memory of 1916	2320	regsvr32Srv.exe	32
PID 2320 wrote to memory of 1916	2320	regsvr32Srv.exe	32
PID 2320 wrote to memory of 1916	2320	regsvr32Srv.exe	32
PID 2320 wrote to memory of 1916	2320	regsvr32Srv.exe	32
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33
PID 1916 wrote to memory of 2784	1916	DesktopLayer.exe	33

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ce88db3a58f15428331b074dd698a35.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ce88db3a58f15428331b074dd698a35.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
128KB

MD5
718b8fbd5d4e8ebae945fb5fd23eba38

SHA1
e490d80f748d6d9648b97c2d6b411ad0ead8d33c

SHA256
196c2e256336e3670b73dd8915344c5a133436d1ef3232b0afb6eba22db5bb75

SHA512
3da152bcc67e720da448f54377beb224f97e0470aee5824948d90129a770d86248a0a56892dc46cdd3f87d4016d76e7e770151e304760447b8dc41e9095b44d8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
125KB

MD5
42d4347eb355f9638c987c7f54c50771

SHA1
15f531b32354f1b21b6321cdcf05d0e879e31ad4

SHA256
37aa54ddd49855bac8e0c0443646999c1c1d5f6ceef3abeb26c5305c04602de5

SHA512
05014770925e3f911328a94536ce48604de016db13ebbaec31f2f019758d96ad34e87bfc7e5159d29b0b15c3b68b9be6b714ae9331a121a8414d81ee87b0bda6

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
58KB

MD5
4502c416e99cec6355c19363d336d5b8

SHA1
f8827aeaf1549106d866828b3842d703c4eb8424

SHA256
1c6f9b9996c0947d3649212c05513809ef8e303de4206415a0af4c2ffcd2be84

SHA512
937eab494c54130129cff9485dfea884af2a7cf75d3e3a6d99552bd0cc669a12c013627f9acfd40587ea2b9646499b3ab28e4f92e7ae8deb4a4d00d7b79ffbb9

Download Submit
memory/1916-47-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1916-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1916-23-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2240-0-0x000000004C0C0000-0x000000004C107000-memory.dmp

Filesize
284KB

Download
memory/2320-11-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2320-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2784-32-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2784-33-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-37-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2784-40-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-38-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-44-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-31-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2784-48-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-25-0x0000000020010000-0x000000002001E000-memory.dmp

Filesize
56KB

Download
memory/2784-27-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download