Analysis

max time kernel   105s
max time network  147s
platform          windows10-2004_x64
resource          win10v2004-20250314-en
resource tags     arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted         14/04/2025, 19:22
Static task       static1
General

Target  JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll
Size    484KB
MD5     b8c0cce64b64b00bb6805dbf83b5f470
SHA1    b0a5f375eb6d797436820c715e7754f19862b3c3
SHA256  4e3ab308d832e8b6a96448e3e09feaf7bbac4e5f8a58de7493f874eb660a69b7
SHA512  d45a2b061a827ee0f295019238ec264472158bb42af574247966dbbde549cfc6748a794706ec7279fb3968c5af5f3e01a511cbc32cdcdfe5fd5ffee56c7eb666
SSDEEP  3072:u4aWY9nTGKTNX91X1cM3Sm+3HDktMBuSdfIQWyONwEUQ3z9DUnCUlKK3XF7PJ1Xb:ahUuIMSmgktMB9lKhUcUnZgu17nXKEKY
Malware Config

Signatures

Ramnit family
Executes dropped EXE 6 IoCs
pid   Process
2384  regsvr32mgr.exe
4124  regsvr32mgrmgr.exe
2236  WaterMark.exe
3208  WaterMark.exe
904   WaterMarkmgr.exe
2280  WaterMark.exe
Drops file in System32 directory 2 IoCs
description   ioc                                     Process
File created  C:\Windows\SysWOW64\regsvr32mgrmgr.exe  regsvr32mgr.exe
File created  C:\Windows\SysWOW64\regsvr32mgr.exe     regsvr32.exe
UPX-packed memory regions (YARA rule upx) 16 IoCs
resource                                                                    yara_rule
behavioral1/memory/2384-19-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-13-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-22-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/3208-44-0x0000000000400000-0x0000000000470000-memory.dmp  upx
behavioral1/memory/904-71-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/3208-78-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2280-82-0x0000000000400000-0x0000000000470000-memory.dmp  upx
behavioral1/memory/3208-54-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/4124-29-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-28-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-21-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-12-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2384-11-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2236-85-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2236-89-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/3208-91-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Drops file in Program Files directory 10 IoCs
description                   ioc                                                  Process
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe       regsvr32mgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px6BCA.tmp          regsvr32mgrmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe       regsvr32mgrmgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px6BBA.tmp          regsvr32mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe       regsvr32mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe    WaterMark.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe    WaterMark.exe
File opened for modification  C:\Program Files (x86)\Microsoft\px6C66.tmp          WaterMarkmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe       WaterMarkmgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe    WaterMark.exe
Program crash 3 IoCs
pid   pid_target  Process       procid_target
264   4464        WerFault.exe
2688  596         WerFault.exe  96
2588  644         WerFault.exe  95
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32mgrmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32mgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMarkmgr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings 25 IoCs
description       ioc                                                                                                                              Process
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery        iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\     iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "451423510"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C63E6F80-1965-11F0-9C64-FAE45D61E238} = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch              iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"          iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU                             IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\     iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion                iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive            iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\Main                            IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames      iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\DomainSuggestion                iexplore.exe
Modifies registry class 60 IoCs
All 60 writes are made by regsvr32.exe and are the ordinary COM registration of the TriEditDocument and TriEditParse classes, the ITriEditDocument interface and the "triedit 1.0 Type Library", i.e. the registration performed by Microsoft's DHTML editing component triedit.dll, with InprocServer32 pointing at the submitted DLL in %TEMP%. A Ramnit family match on a DLL that still performs that legitimate registration is consistent with Ramnit's behaviour as a PE file infector: the host library's DllRegisterServer keeps working while the added infector code drops and starts regsvr32mgr.exe.
description      ioc                                                                                                                                      Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse\CurVer\ = "TriEditParse.TriEditParse.1"                                   regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0                                                  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\ = "{438DA5D1-F171-11D0-984E-0000F80270F8}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\Version = "1.0"                            regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}                                            regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\InprocServer32                             regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse.1                                                                          regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\InprocServer32\ThreadingModel = "Apartment"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument\CurVer                                                               regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse\CurVer                                                                     regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\Programmable                               regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse\ = "TriEditParse Class"                                                    regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ProxyStubClsid32                                   regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\ = "TriEditParse Class"                    regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\ = "triedit 1.0 Type Library"                    regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\FLAGS                                            regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib                                            regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument.1\ = "TriEditDocument Class"                                         regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument.1\CLSID\ = "{438DA5E0-F171-11D0-984E-0000F80270F8}"                 regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse.1\CLSID                                                                    regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ = "ITriEditDocument"                              regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument.1\CLSID                                                              regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\VersionIndependentProgID                   regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\0                                                regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}                                        regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\ = "{438DA5D1-F171-11D0-984E-0000F80270F8}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}                                                      regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ = "ITriEditDocument"                  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\ProgID\ = "TriEditDocument.TriEditDocument.1"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument.1                                                                    regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}                                            regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument                                                                      regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\ = "TriEditDocument Class"                 regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\ProgID                                     regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\VersionIndependentProgID                   regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\ProgID\ = "TriEditParse.TriEditParse.1"    regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\FLAGS\ = "0"                                     regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\0\win32                                          regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}                                                    regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument\CurVer\ = "TriEditDocument.TriEditDocument.1"                       regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\ProgID                                     regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\VersionIndependentProgID\ = "TriEditDocument.TriEditDocument"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{438DA5E0-F171-11D0-984E-0000F80270F8}\InprocServer32\ThreadingModel = "Apartment"  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse.1\ = "TriEditParse Class"                                                  regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse.1\CLSID\ = "{010E6CBE-FE2B-11D0-B079-006008058A0E}"                       regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditParse.TriEditParse                                                                            regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TriEditDocument.TriEditDocument\ = "TriEditDocument Class"                                           regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\VersionIndependentProgID\ = "TriEditParse.TriEditParse"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\Programmable                               regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\InprocServer32                             regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{010E6CBE-FE2B-11D0-B079-006008058A0E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{438DA5D1-F171-11D0-984E-0000F80270F8}\1.0\HELPDIR                                          regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ProxyStubClsid32                       regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"  regsvr32.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib                                regsvr32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{438DA5DF-F171-11D0-984E-0000F80270F8}\TypeLib\Version = "1.0"                regsvr32.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid   Process        entries
3208  WaterMark.exe  16
2236  WaterMark.exe  16
2280  WaterMark.exe  16
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  3208  WaterMark.exe
Token: SeDebugPrivilege  2236  WaterMark.exe
Token: SeDebugPrivilege  2280  WaterMark.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
5020  iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process       entries
5020  iexplore.exe  2
4924  IEXPLORE.EXE  4
Suspicious use of UnmapMainImage 6 IoCs
pid   Process
2384  regsvr32mgr.exe
4124  regsvr32mgrmgr.exe
3208  WaterMark.exe
2236  WaterMark.exe
904   WaterMarkmgr.exe
2280  WaterMark.exe
Suspicious use of WriteProcessMemory 63 IoCs
Each row is one "PID <pid> wrote to memory of <target>" record; procid_target is the report's own record number for the target process. Identical rows are collapsed with a count.
pid   target  Process             procid_target  count
4704  2556    regsvr32.exe        85             3
2556  2384    regsvr32.exe        86             3
2384  4124    regsvr32mgr.exe     87             3
2384  2236    regsvr32mgr.exe     88             3
4124  3208    regsvr32mgrmgr.exe  89             3
3208  904     WaterMark.exe       90             3
3208  4464    WaterMark.exe       92             9
904   2280    WaterMarkmgr.exe    93             3
2236  644     WaterMark.exe       95             9
2280  596     WaterMark.exe       96             9
3208  5020    WaterMark.exe       107            2
3208  4152    WaterMark.exe       108            2
2236  5108    WaterMark.exe       109            2
2236  1132    WaterMark.exe       110            2
2280  4328    WaterMark.exe       111            2
5020  4924    iexplore.exe        112            3
2280  2700    WaterMark.exe       113            2
Processes

Each entry gives the image path, the command line where it differs from the image, and the PID; indentation shows the parent/child relationship.

C:\Windows\system32\regsvr32.exe  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll  PID:4704
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b8c0cce64b64b00bb6805dbf83b5f470.dll  PID:2556
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32mgr.exe  PID:2384
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32mgrmgr.exe  PID:4124
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID:3208
          - Executes dropped EXE
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"  PID:904
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID:2280
              - Executes dropped EXE
              - Drops file in Program Files directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID:596
                C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 204  PID:2688
                  - Program crash
              "C:\Program Files\Internet Explorer\iexplore.exe"  PID:4328
                - Modifies Internet Explorer settings
              "C:\Program Files\Internet Explorer\iexplore.exe"  PID:2700
                - Modifies Internet Explorer settings
          C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID:4464
            C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 204  PID:264
              - Program crash
          "C:\Program Files\Internet Explorer\iexplore.exe"  PID:5020
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5020 CREDAT:17410 /prefetch:2  PID:4924
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
          "C:\Program Files\Internet Explorer\iexplore.exe"  PID:4152
            - Modifies Internet Explorer settings
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID:2236
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe  C:\Windows\system32\svchost.exe  PID:644
          C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 204  PID:2588
            - Program crash
        "C:\Program Files\Internet Explorer\iexplore.exe"  PID:5108
          - Modifies Internet Explorer settings
        "C:\Program Files\Internet Explorer\iexplore.exe"  PID:1132
          - Modifies Internet Explorer settings

C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 644 -ip 644  PID:4356

C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 596 -ip 596  PID:3472

C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464  PID:2252
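Read together with the signature tables, the tree above is the whole Ramnit install sequence in this run: the 64-bit regsvr32.exe hands the 32-bit DLL to its SysWOW64 counterpart, the DLL's registration routine drops regsvr32mgr.exe, each further drop is named after the process that wrote it with "mgr" appended (regsvr32 → regsvr32mgr → regsvr32mgrmgr, WaterMark → WaterMarkmgr), and every WaterMark.exe instance then writes into a freshly started svchost.exe and iexplore.exe. The three svchost.exe instances crashed straight away (WerFault -p 596 / 4464 / 644), so only the iexplore.exe leg survived in this environment. The Python below is an added example, not part of the sandbox report or of any tool: it re-parses a subset of the "Suspicious use of WriteProcessMemory" rows, joins them with a PID-to-image map and a dropped-file list copied from the tables above, and flags (a) processes running from a dropped path, (b) writes from a dropped binary into svchost.exe or iexplore.exe, and (c) children named with the parent's stem plus "mgr". The regular expression, the INJECTION_HOSTS list and all function names are this example's own choices.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" signature above
# (one per writer/target pair, plus one deliberate repeat to show de-duplication).
# Format: PID <writer> wrote to memory of <target> <writer> <writer image> <record>
WPM_LINES = """\
PID 4704 wrote to memory of 2556 4704 regsvr32.exe 85
PID 2556 wrote to memory of 2384 2556 regsvr32.exe 86
PID 2384 wrote to memory of 4124 2384 regsvr32mgr.exe 87
PID 2384 wrote to memory of 2236 2384 regsvr32mgr.exe 88
PID 4124 wrote to memory of 3208 4124 regsvr32mgrmgr.exe 89
PID 3208 wrote to memory of 904 3208 WaterMark.exe 90
PID 3208 wrote to memory of 4464 3208 WaterMark.exe 92
PID 3208 wrote to memory of 4464 3208 WaterMark.exe 92
PID 904 wrote to memory of 2280 904 WaterMarkmgr.exe 93
PID 2236 wrote to memory of 644 2236 WaterMark.exe 95
PID 2280 wrote to memory of 596 2280 WaterMark.exe 96
PID 3208 wrote to memory of 5020 3208 WaterMark.exe 107
PID 5020 wrote to memory of 4924 5020 iexplore.exe 112
"""

# PID -> image path, copied from the Processes tree above.
IMAGES = {
    4704: r"C:\Windows\system32\regsvr32.exe",
    2556: r"C:\Windows\SysWOW64\regsvr32.exe",
    2384: r"C:\Windows\SysWOW64\regsvr32mgr.exe",
    4124: r"C:\Windows\SysWOW64\regsvr32mgrmgr.exe",
    3208: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    2236: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    904: r"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe",
    2280: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    4464: r"C:\Windows\SysWOW64\svchost.exe",
    644: r"C:\Windows\SysWOW64\svchost.exe",
    596: r"C:\Windows\SysWOW64\svchost.exe",
    5020: r"C:\Program Files\Internet Explorer\iexplore.exe",
    4924: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
}

# Paths from the "Drops file in System32 directory" / "Drops file in Program
# Files directory" signatures above.
DROPPED = {
    r"C:\Windows\SysWOW64\regsvr32mgr.exe",
    r"C:\Windows\SysWOW64\regsvr32mgrmgr.exe",
    r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    r"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe",
}

# Hosts that WaterMark.exe writes into in this run (this example's own list).
INJECTION_HOSTS = ("svchost.exe", "iexplore.exe")

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$", re.M)


def parse_wpm(text):
    """Return ordered, de-duplicated (writer_pid, target_pid) edges."""
    edges = []
    for m in _ROW.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def dropped_executions(images, dropped):
    """PIDs whose image is one of the files the sample wrote to disk."""
    return sorted(pid for pid, img in images.items() if img in dropped)


def injections(edges, images, dropped, hosts=INJECTION_HOSTS):
    """Writes from a dropped binary into a system/browser host.

    Every CreateProcess writes the child's process parameters into the
    child, so a bare parent-to-child write is noise; the rule keys on the
    writer being a dropped file and the target being one of `hosts`.
    """
    hits = []
    for src, dst in edges:
        if images.get(src) in dropped and basename(images.get(dst, "")) in hosts:
            hits.append((src, basename(images[src]), dst, basename(images[dst])))
    return hits


def spawn_chain(pid, edges, images):
    """Follow writer->target edges back to the root; return images root-first."""
    parent = {dst: src for src, dst in edges}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return [images.get(p, "?") for p in reversed(chain)]


def derived_name(parent_image):
    """Name Ramnit gives a drop: parent stem + 'mgr' (regsvr32.exe -> regsvr32mgr.exe)."""
    name = basename(parent_image)
    stem, dot, ext = name.rpartition(".")
    return f"{stem}mgr.{ext}" if dot else f"{name}mgr"


def host_named_drops(edges, images):
    """Edges whose child is named '<parent stem>mgr.<ext>'."""
    return [(src, dst) for src, dst in edges
            if src in images and dst in images
            and basename(images[dst]) == derived_name(images[src])]


if __name__ == "__main__":
    edges = parse_wpm(WPM_LINES)
    print("dropped EXEs run:", dropped_executions(IMAGES, DROPPED))
    for src, s_img, dst, d_img in injections(edges, IMAGES, DROPPED):
        print(f"{s_img} ({src}) wrote into {d_img} ({dst})")
    print(" -> ".join(basename(p) for p in spawn_chain(596, edges, IMAGES)))
    print("mgr-named drops:", host_named_drops(edges, IMAGES))
```

On the rows above, `injections` returns exactly the four WaterMark.exe writes into svchost.exe (4464, 644, 596) and iexplore.exe (5020) and leaves the regsvr32.exe → regsvr32.exe and iexplore.exe → IEXPLORE.EXE rows alone, which is the distinction a production rule needs: the sandbox's "Suspicious use of WriteProcessMemory" count of 63 is dominated by ordinary process-creation writes, and only the writer's image and the target's identity separate the injection from the noise.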
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize  164KB
MD5       1e7fd6957860e5272c6b6866b8775940
SHA1      baa96e2375f1ed39d9848f78442d2ab4cc5feb59
SHA256    538641e6c912e4a3693c65bd4d7c188c4d2819e9e4049866369506b705cbbafc
SHA512    4f9906af00f9de914f263fbbbba94f587a0067a9b2b847cac2cd3a4e9a4ee54804e0c329a702b86653ac0fa22c21e7d6fa44fff30ff8f3ee3d792502838c05f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize  471B
MD5       d9e0b437587fc16df735e81bd8664814
SHA1      378e1ddfe081e992f77f85a51fcc607f7f0c60e4
SHA256    71fd77be59db04b79ee56549a4016b972c2b37ffdae785d1eb57279bcff4319b
SHA512    8f64e3065ecbcafb29c68f1804a63cb7e477d8901771a2a283baf041eba3bc4b3ebc2ea8aa5073b22d82388889bfe7912870802c69996c1d13083ea3c8da2c75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize  412B
MD5       92a39566ffe3250f762d4728f7f8e875
SHA1      5ad73bcbd414d970707daf30107bc77d3be0cdd9
SHA256    52ee4d8c4bb0a35922e525d510e58d17fc7114a365541d4f50dd37f4a005b702
SHA512    6010f67bba3daa079d8df1dec089af3d1641602ecde366044cae5463dcdf715acdacb094ee89344ed6da59c3d02f93a0ff88e60b0e011444c7560da497b26b68

Filesize  17KB
MD5       5a34cb996293fde2cb7a4ac89587393a
SHA1      3c96c993500690d1a77873cd62bc639b3a10653f
SHA256    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize  331KB
MD5       db591b83cf5e261078afcfca484417c3
SHA1      1115663be4e5d4e98a76254d4bce2ae8b0b771f2
SHA256    7a0d389157998f975ddc44be2d440264d861ba0bb4a6b7f605383e7035a77806
SHA512    6f462b6484f044f73b90dbf6b34547a25ceabc050f25b2f38a1400bd2d7fbc2f6591019ce6e3708d3b6ce44b5805900f50f4812acd5dc1536b955baafdcafa1e