ramnit | c6628f4091e5f7d7b9292e707ec606a8f3085402e2fb1c406553b2454871e8b7

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
Size

355KB
MD5

191bfbe9c5e47b8736a7829834006e37
SHA1

7b22cdc9ea3b7e8c3e88656973d9f27796bcdad8
SHA256

c6628f4091e5f7d7b9292e707ec606a8f3085402e2fb1c406553b2454871e8b7
SHA512

853fe256e3010e32379c3774bf4e121e88ba92f1b1d290241e3c316547efaf9d62cb2558feddef8ce434dbcc72e100e6891fc3cdf20ef6023b4397bf89c7af03
SSDEEP

6144:D5BgvadeLnJiYZ+up5BmmbKaRwmNN5rWlBtCAA6LoFAPo:D//miwZ/JKqW3tjsZ

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exeWaterMark.exe

pid process

2456 191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
2680 WaterMark.exe

pid	process
2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
2680	WaterMark.exe

Loads dropped DLL 4 IoCs

Processes:

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe

pid	process
1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2456-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-14-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2456-12-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2680-37-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2680-39-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2680-41-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2680-591-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2680-594-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2ssv.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFPrevHndlr.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxwebkit.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\jvm.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Journal\InkSeg.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

WaterMark.exesvchost.exe

pid	process
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2680	WaterMark.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WaterMark.exesvchost.exe191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2680	WaterMark.exe
Token: SeDebugPrivilege	2892	svchost.exe
Token: SeDebugPrivilege	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	WaterMark.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe

pid process

1176 191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
1176 191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
1176 191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exeWaterMark.exe

pid process

2456 191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
2680 WaterMark.exe

pid	process
2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
2680	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1176 wrote to memory of 2456	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
PID 1176 wrote to memory of 2456	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
PID 1176 wrote to memory of 2456	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
PID 1176 wrote to memory of 2456	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
PID 2456 wrote to memory of 2680	2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe	WaterMark.exe
PID 2456 wrote to memory of 2680	2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe	WaterMark.exe
PID 2456 wrote to memory of 2680	2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe	WaterMark.exe
PID 2456 wrote to memory of 2680	2456	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe	WaterMark.exe
PID 1176 wrote to memory of 2732	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	splwow64.exe
PID 1176 wrote to memory of 2732	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	splwow64.exe
PID 1176 wrote to memory of 2732	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	splwow64.exe
PID 1176 wrote to memory of 2732	1176	191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe	splwow64.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2792	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2680 wrote to memory of 2892	2680	WaterMark.exe	svchost.exe
PID 2892 wrote to memory of 256	2892	svchost.exe	smss.exe
PID 2892 wrote to memory of 256	2892	svchost.exe	smss.exe
PID 2892 wrote to memory of 256	2892	svchost.exe	smss.exe
PID 2892 wrote to memory of 256	2892	svchost.exe	smss.exe
PID 2892 wrote to memory of 256	2892	svchost.exe	smss.exe
PID 2892 wrote to memory of 336	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 336	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 336	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 336	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 336	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 384	2892	svchost.exe	wininit.exe
PID 2892 wrote to memory of 384	2892	svchost.exe	wininit.exe
PID 2892 wrote to memory of 384	2892	svchost.exe	wininit.exe
PID 2892 wrote to memory of 384	2892	svchost.exe	wininit.exe
PID 2892 wrote to memory of 384	2892	svchost.exe	wininit.exe
PID 2892 wrote to memory of 396	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 396	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 396	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 396	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 396	2892	svchost.exe	csrss.exe
PID 2892 wrote to memory of 432	2892	svchost.exe	winlogon.exe
PID 2892 wrote to memory of 432	2892	svchost.exe	winlogon.exe
PID 2892 wrote to memory of 432	2892	svchost.exe	winlogon.exe
PID 2892 wrote to memory of 432	2892	svchost.exe	winlogon.exe
PID 2892 wrote to memory of 432	2892	svchost.exe	winlogon.exe
PID 2892 wrote to memory of 476	2892	svchost.exe	services.exe
PID 2892 wrote to memory of 476	2892	svchost.exe	services.exe
PID 2892 wrote to memory of 476	2892	svchost.exe	services.exe
PID 2892 wrote to memory of 476	2892	svchost.exe	services.exe
PID 2892 wrote to memory of 476	2892	svchost.exe	services.exe
PID 2892 wrote to memory of 492	2892	svchost.exe	lsass.exe
PID 2892 wrote to memory of 492	2892	svchost.exe	lsass.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:2040

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:804

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:832

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:268

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:324

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2152

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2416

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\191bfbe9c5e47b8736a7829834006e37_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
C:\Users\Admin\AppData\Local\Temp\191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
292KB

MD5
472790ca8255abd405e1a3b86c1f1118

SHA1
91be45ee97a126ac6abb27a40a84022397f55b0f

SHA256
ba53d801cac390092f861df6ccca0489d31299008e720df38b6462e1f64afb52

SHA512
a18845e27fe4af1172ab5e2e96e367c5ac2e820c15767f584c63567b554b7154d6993a652fdb8cb9d6464b70df182e4e40f2c1f746bd29832c00fbe61acd2e90

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
288KB

MD5
6ffacf848cc0d470655d83fa44654418

SHA1
63792832d42a1ad8a54f7413e6b33d94547841c8

SHA256
fde1d751a2e9406e7a089a161b2fa7906a5a2fd1d16ed0338278193b6293a857

SHA512
af479c26515ae274cefdf681e25f7429e2fe6163a8f7b58edb876e6f7e2f3338e343d229b8ebac8117160c2421d42fee5b20bf26b90c912e3c544316b47f93ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\191bfbe9c5e47b8736a7829834006e37_JaffaCakes118mgr.exe
Filesize
139KB

MD5
03f2a314cd1c598c38a1de2663e1aebb

SHA1
aff058f29943df223cc418ed6544ab0f176e5762

SHA256
64ff2387190101102b4f140065c12780ea9ad822a1c05444a552164cc30a3392

SHA512
950368f5a8eacdee919ca7d2c93c1939f9fc120602fd7347e16ae6a67e382cec7b2525adc652ac2ce39e08a614437248d1ff83d44171075ce8333016bf45ae45

Download Submit
memory/1176-5018-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download
memory/1176-9-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1176-8-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1176-0-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download
memory/2456-21-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2456-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2456-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2456-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-72-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2680-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-43-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2680-38-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2680-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-40-0x000000007774F000-0x0000000077750000-memory.dmp

Filesize
4KB

Download
memory/2680-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-594-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-591-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2680-88-0x000000007774F000-0x0000000077750000-memory.dmp

Filesize
4KB

Download
memory/2792-65-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2792-63-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2792-44-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2792-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2792-46-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2792-68-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2792-54-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2792-1055-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2792-64-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2892-90-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2892-94-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2892-93-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2892-92-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2892-91-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2892-83-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2892-89-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2892-87-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/2892-74-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download