Analysis
  max time kernel: 150s
  max time network: 145s
  platform: windows7_x64
  resource: win7-20240220-en
  resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted: 27-06-2024 23:54

Static task: static1
Behavioral task: behavioral1
  Sample: 180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll
  Resource: win7-20240220-en
General
  Target: 180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll
  Size: 832KB
  MD5: 180585584c14d9afbaa0670fad166c5f
  SHA1: 500b7099db374c718f3fd3a399750ad44bb74138
  SHA256: 9e19c4b9e6c9e8715b20a36bdfda405ca12cfd26adb1ec6316a4f7256c60884b
  SHA512: 4d685d7e7fb4a868d7cc622209c14e1f3a862b34aa0b13d4aca02ce5fce2278a5ed1e1ba89c7255f5ccf0c1f608bde1a55de527b6855ffa587743b3552c91e44
  SSDEEP: 12288:tPTv+CFW4hPdahP/RN2kU7fWS36pweWGJr619QV4qqxEnEk3D6qC5Uju80rv1mNs:tPSH4hQP/RN2fLqNK9QV4qBH1edefKP
Malware Config
  Extracted
    Family: sality
    URLs:
      http://89.119.67.154/testo5/
      http://kukutrustnet777.info/home.gif
      http://kukutrustnet888.info/home.gif
      http://kukutrustnet987.info/home.gif
      http://www.klkjwre9fqwieluoi.info/
      http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Modifies firewall policy service (3 TTPs, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | rundll32mgr.exe
UAC bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe

Windows security bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
Executes dropped EXE (2 IoCs)
  pid | process
  3036 | rundll32mgr.exe
  1956 | WaterMark.exe

Loads dropped DLL (4 IoCs)
  pid | process
  2368 | rundll32.exe
  2368 | rundll32.exe
  3036 | rundll32mgr.exe
  3036 | rundll32mgr.exe
YARA rule matches (rule: upx)
  resource | yara_rule
  behavioral1/memory/1956-77-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1956-73-0x0000000000400000-0x0000000000434000-memory.dmp | upx
  behavioral1/memory/3036-56-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-34-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-33-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-32-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-28-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-27-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-25-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-24-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-30-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-14-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-26-0x0000000002700000-0x000000000378E000-memory.dmp | upx
  behavioral1/memory/3036-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3036-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1956-611-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Windows security modification
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | rundll32mgr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rundll32mgr.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rundll32mgr.exe

Checks whether UAC is enabled
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

Drops file in Program Files directory (64 IoCs)
  description: File opened for modification, process: svchost.exe, for each of the following paths:
    C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
    C:\Program Files\Java\jre7\bin\tnameserv.exe
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll
    C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html
    C:\Program Files\Java\jre7\bin\zip.dll
    C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll
    C:\Program Files\Windows Mail\wabfind.dll
    C:\Program Files\Internet Explorer\sqmapi.dll
    C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll
    C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
    C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
    C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll
    C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Java\jre7\bin\wsdetect.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll
    C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
    C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
    C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL
    C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html
    C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
    C:\Program Files\DVD Maker\WMM2CLIP.dll
    C:\Program Files\Internet Explorer\F12Resources.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll
    C:\Program Files\Java\jre7\bin\gstreamer-lite.dll
    C:\Program Files\Java\jre7\bin\jsound.dll
    C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll
    C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll
    C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll
    C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsharpen_plugin.dll
    C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll
    C:\Program Files\Windows Media Player\WMPDMCCore.dll
    C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL
    C:\Program Files\Common Files\System\msadc\msadds.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll
    C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll
    C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll
    C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll

Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid | process
  3036 | rundll32mgr.exe
  1956 | WaterMark.exe (8 entries)
  1780 | svchost.exe (29 entries)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3036 | rundll32mgr.exe (20 entries)
  Token: SeDebugPrivilege | 1956 | WaterMark.exe
  Token: SeDebugPrivilege | 1780 | svchost.exe
  Token: SeDebugPrivilege | 1956 | WaterMark.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid | process
  3036 | rundll32mgr.exe
  1956 | WaterMark.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 1948 wrote to memory of 2368 | 1948 | rundll32.exe | rundll32.exe (7 entries)
  PID 2368 wrote to memory of 3036 | 2368 | rundll32.exe | rundll32mgr.exe (4 entries)
  PID 3036 wrote to memory of 1120 | 3036 | rundll32mgr.exe | taskhost.exe
  PID 3036 wrote to memory of 1180 | 3036 | rundll32mgr.exe | Dwm.exe
  PID 3036 wrote to memory of 1224 | 3036 | rundll32mgr.exe | Explorer.EXE
  PID 3036 wrote to memory of 1008 | 3036 | rundll32mgr.exe | DllHost.exe
  PID 3036 wrote to memory of 1956 | 3036 | rundll32mgr.exe | WaterMark.exe (4 entries)
  PID 1956 wrote to memory of 2936 | 1956 | WaterMark.exe | svchost.exe (10 entries)
  PID 1956 wrote to memory of 1780 | 1956 | WaterMark.exe | svchost.exe (10 entries)
  PID 1780 wrote to memory of 260 | 1780 | svchost.exe | smss.exe (5 entries)
  PID 1780 wrote to memory of 336 | 1780 | svchost.exe | csrss.exe (5 entries)
  PID 1780 wrote to memory of 384 | 1780 | svchost.exe | wininit.exe (5 entries)
  PID 1780 wrote to memory of 396 | 1780 | svchost.exe | csrss.exe (5 entries)
  PID 1780 wrote to memory of 432 | 1780 | svchost.exe | winlogon.exe (5 entries)

System policy modification (1 TTPs, 1 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rundll32mgr.exe
Processes
  C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe
  C:\Windows\system32\csrss.exe
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  C:\Windows\system32\wininit.exe
    cmd: wininit.exe
    C:\Windows\system32\services.exe
      cmd: C:\Windows\system32\services.exe
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
        C:\Windows\system32\DllHost.exe
          cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        C:\Windows\system32\wbem\wmiprvse.exe
          cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k RPCSS
      C:\Windows\System32\svchost.exe
        cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      C:\Windows\System32\svchost.exe
        cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        C:\Windows\system32\Dwm.exe
          cmd: "C:\Windows\system32\Dwm.exe"
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k netsvcs
        C:\Windows\system32\wbem\WMIADAP.EXE
          cmd: wmiadap.exe /F /T /R
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalService
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k NetworkService
      C:\Windows\System32\spoolsv.exe
        cmd: C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      C:\Windows\system32\taskhost.exe
        cmd: "taskhost.exe"
      C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      C:\Windows\system32\sppsvc.exe
        cmd: C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\lsass.exe
      cmd: C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
      cmd: C:\Windows\system32\lsm.exe
  C:\Windows\system32\csrss.exe
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  C:\Windows\system32\winlogon.exe
    cmd: winlogon.exe
  C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\180585584c14d9afbaa0670fad166c5f_JaffaCakes118.dll,#1
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32mgr.exe
          cmd: C:\Windows\SysWOW64\rundll32mgr.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Program Files (x86)\Microsoft\WaterMark.exe
            cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe
              cmd: C:\Windows\system32\svchost.exe
              - Modifies WinLogon for persistence
              - Drops file in System32 directory
              - Drops file in Program Files directory
            C:\Windows\SysWOW64\svchost.exe
              cmd: C:\Windows\system32\svchost.exe
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
  Persistence
    Boot or Logon Autostart Execution (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Winlogon Helper DLL (1)
    Create or Modify System Process (1)
      Windows Service (1)
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
Downloads
  C:\Program Files (x86)\Microsoft\WaterMark.exe
    Filesize: 168KB
    MD5: 4ee90e77cc7b95036c28d6f85eaf278b
    SHA1: 1234d710eb024b4e1a4c02b3e244a7a827039808
    SHA256: a73144e948274aa0ad9c291ab52d9a944e969020d92cfcdbc5f83b492d2dd5b1
    SHA512: 5c82fdf8d94c15c63fb0f6e577a22851787f316e32178df633fcdf89aeb6075e5399cc610ac1875f871d6f4ac34b620ef67ed09a74af8e699a1c1c764f7858f1
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize: 351KB
    MD5: f0f6afea3085f3d605d88347e180e97b
    SHA1: cb2978637f2be27d7897a6c278b38aec4521bd69
    SHA256: 02d89531b56acff0aca0ba0b788e5f07a971d68384fddf1000f078f6a2cb52eb
    SHA512: 3bd967fc9c88d6504309978f08dc013d5795d4ab079cb86125d21f3a8d4e2128676cf28c34a06d9957706837c2ef9858ad2a5d4b1b6c4fab80aab2d0ad107f10
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize: 347KB
    MD5: b6fd5a1d79055164e4a8369771102cfe
    SHA1: ad1f00e312351b4a7357296daf43a31b094fc41e
    SHA256: 3fb3f394582fc56bc4bc307e6c49dfaa642422f86cc6f39947b5aeb089e73dbe
    SHA512: 208044893809c440c133a8a592b6ab3a0bf3335ffed5e553b8e1db086bb7dbfe4e8e170a9eb9ffdad8905468e40750627fcd4a61c022d7bc87cb333e62ab60de
  memory/1120-35-0x0000000000410000-0x0000000000412000-memory.dmp (Filesize: 8KB)
  memory/1780-377-0x0000000077AA0000-0x0000000077AA1000-memory.dmp (Filesize: 4KB)
  memory/1956-73-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  memory/1956-124-0x0000000077A9F000-0x0000000077AA0000-memory.dmp (Filesize: 4KB)
  memory/1956-611-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/1956-79-0x0000000077A9F000-0x0000000077AA0000-memory.dmp (Filesize: 4KB)
  memory/1956-78-0x0000000000380000-0x0000000000381000-memory.dmp (Filesize: 4KB)
  memory/1956-77-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/2368-2-0x0000000075020000-0x00000000750F2000-memory.dmp (Filesize: 840KB)
  memory/2368-3-0x0000000074F40000-0x0000000075012000-memory.dmp (Filesize: 840KB)
  memory/2368-4-0x0000000075020000-0x00000000750F2000-memory.dmp (Filesize: 840KB)
  memory/2368-5-0x0000000000180000-0x00000000001B4000-memory.dmp (Filesize: 208KB)
  memory/2368-12-0x0000000000180000-0x00000000001B4000-memory.dmp (Filesize: 208KB)
  memory/2936-81-0x0000000020010000-0x0000000020022000-memory.dmp (Filesize: 72KB)
  memory/2936-90-0x0000000020010000-0x0000000020022000-memory.dmp (Filesize: 72KB)
  memory/2936-1052-0x0000000020010000-0x0000000020022000-memory.dmp (Filesize: 72KB)
  memory/2936-95-0x0000000020010000-0x0000000020022000-memory.dmp (Filesize: 72KB)
  memory/2936-99-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
  memory/2936-100-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
  memory/2936-102-0x0000000020010000-0x0000000020022000-memory.dmp (Filesize: 72KB)
  memory/2936-101-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
  memory/3036-49-0x0000000000830000-0x0000000000831000-memory.dmp (Filesize: 4KB)
  memory/3036-31-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize: 4KB)
  memory/3036-30-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-14-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-26-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-22-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-20-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-19-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-15-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-18-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-17-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-16-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
  memory/3036-13-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
  memory/3036-24-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-25-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-27-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-28-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-44-0x00000000003F0000-0x00000000003F2000-memory.dmp (Filesize: 8KB)
  memory/3036-45-0x0000000000830000-0x0000000000831000-memory.dmp (Filesize: 4KB)
  memory/3036-32-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-33-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-34-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)
  memory/3036-64-0x00000000048A0000-0x00000000048D4000-memory.dmp (Filesize: 208KB)
  memory/3036-56-0x0000000002700000-0x000000000378E000-memory.dmp (Filesize: 16.6MB)