ramnit | 57b6be69fcf2242f250c2a0484d7351f057cb55e5ed69e6de30c6dc50af032e0

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/01/2025, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
Size

441KB
MD5

62eca207a983e83b0ac38dd8b320c9b4
SHA1

733fe5bb48d1a32834d0fddccc1fd1bbcb1f4709
SHA256

57b6be69fcf2242f250c2a0484d7351f057cb55e5ed69e6de30c6dc50af032e0
SHA512

85e69a56e76ca83741fd08c51a7b35c622827c411cf0965d82d4c39f9fcf8ab3d20640aa8cb84296edb82457e3723bfff801a18cc7acc55778a50ee8a6613947
SSDEEP

6144:iThnqn2iFmK+ySdzV8/geKLkkKqR//Ay+:iThnxbTZGjtyHAy+

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe
2740	WaterMark.exe

Loads dropped DLL 4 IoCs

pid	Process
2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe
2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-18-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2936-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-40-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-83-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2740-623-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\jnwdui.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\hxdsui.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Pipeline.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
2740	WaterMark.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe
1260	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	WaterMark.exe
Token: SeDebugPrivilege	1260	svchost.exe
Token: SeDebugPrivilege	2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
Token: SeDebugPrivilege	2740	WaterMark.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe
2740	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2936	2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe	30
PID 2940 wrote to memory of 2936	2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe	30
PID 2940 wrote to memory of 2936	2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe	30
PID 2940 wrote to memory of 2936	2940	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe	30
PID 2936 wrote to memory of 2740	2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe	31
PID 2936 wrote to memory of 2740	2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe	31
PID 2936 wrote to memory of 2740	2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe	31
PID 2936 wrote to memory of 2740	2936	JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe	31
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 2616	2740	WaterMark.exe	32
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 2740 wrote to memory of 1260	2740	WaterMark.exe	33
PID 1260 wrote to memory of 256	1260	svchost.exe	1
PID 1260 wrote to memory of 256	1260	svchost.exe	1
PID 1260 wrote to memory of 256	1260	svchost.exe	1
PID 1260 wrote to memory of 256	1260	svchost.exe	1
PID 1260 wrote to memory of 256	1260	svchost.exe	1
PID 1260 wrote to memory of 332	1260	svchost.exe	2
PID 1260 wrote to memory of 332	1260	svchost.exe	2
PID 1260 wrote to memory of 332	1260	svchost.exe	2
PID 1260 wrote to memory of 332	1260	svchost.exe	2
PID 1260 wrote to memory of 332	1260	svchost.exe	2
PID 1260 wrote to memory of 380	1260	svchost.exe	3
PID 1260 wrote to memory of 380	1260	svchost.exe	3
PID 1260 wrote to memory of 380	1260	svchost.exe	3
PID 1260 wrote to memory of 380	1260	svchost.exe	3
PID 1260 wrote to memory of 380	1260	svchost.exe	3
PID 1260 wrote to memory of 388	1260	svchost.exe	4
PID 1260 wrote to memory of 388	1260	svchost.exe	4
PID 1260 wrote to memory of 388	1260	svchost.exe	4
PID 1260 wrote to memory of 388	1260	svchost.exe	4
PID 1260 wrote to memory of 388	1260	svchost.exe	4
PID 1260 wrote to memory of 428	1260	svchost.exe	5
PID 1260 wrote to memory of 428	1260	svchost.exe	5
PID 1260 wrote to memory of 428	1260	svchost.exe	5
PID 1260 wrote to memory of 428	1260	svchost.exe	5
PID 1260 wrote to memory of 428	1260	svchost.exe	5
PID 1260 wrote to memory of 476	1260	svchost.exe	6
PID 1260 wrote to memory of 476	1260	svchost.exe	6
PID 1260 wrote to memory of 476	1260	svchost.exe	6
PID 1260 wrote to memory of 476	1260	svchost.exe	6
PID 1260 wrote to memory of 476	1260	svchost.exe	6
PID 1260 wrote to memory of 484	1260	svchost.exe	7
PID 1260 wrote to memory of 484	1260	svchost.exe	7
PID 1260 wrote to memory of 484	1260	svchost.exe	7
PID 1260 wrote to memory of 484	1260	svchost.exe	7
PID 1260 wrote to memory of 484	1260	svchost.exe	7
PID 1260 wrote to memory of 492	1260	svchost.exe	8

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:584
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1476
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1640
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:664
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:732
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2436
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:352
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1320
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2320
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2340
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
258KB

MD5
ca2ae14aa907ddb7bb26cf64515c7caa

SHA1
7bc61f8b566485ae5b5b90b3a7d3cf8a5c1c7da0

SHA256
3368db444852b5fb16467e02378ce45ef22ef48ce7bac6c2f1186a5fbaa21eff

SHA512
3de7592c55734a3d8f27ad449d3d390e29f5a991b656fa8819d085b2076d4e7e8a8eefcdbd84611b73a1f09177dd5f5b8bac366d15bbaa551cd94a5f7518fb0c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
254KB

MD5
09ad2f05863ff6b1b2ca97676c71ab55

SHA1
fc4d8da9c29589df545b2d3e3c4c3dbfa0647c81

SHA256
3015442a996d9da37a25c711b0721512814cab421f5198c08e42ff253b0b0c0e

SHA512
6aa6f7f485964e310c58ffa7ae84ec15e2b326d7c21c9243f8318ac4271cb73636b10a0ef2a189b443ef251c635df89a0a5f484255999914f005af3ba22f29ba

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_62eca207a983e83b0ac38dd8b320c9b4mgr.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
memory/1260-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1260-90-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1260-91-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1260-93-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1260-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1260-95-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/1260-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1260-84-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1260-89-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2616-63-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-61-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-368-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-54-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2616-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2616-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2616-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2616-45-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-56-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2616-67-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2740-72-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2740-88-0x0000000076F3F000-0x0000000076F40000-memory.dmp

Filesize
4KB

Download
memory/2740-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2740-42-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2740-43-0x0000000076F3F000-0x0000000076F40000-memory.dmp

Filesize
4KB

Download
memory/2740-623-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-83-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2936-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2936-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-25-0x0000000000050000-0x000000000007B000-memory.dmp

Filesize
172KB

Download
memory/2940-370-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2940-8-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/2940-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2940-9-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download