ramnit | 4a113e9217bfc48c1c79f17fec663637b92066af1dd82c9d8cf25cd0d5eda115

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll
Size

636KB
MD5

19f258dc2ec48604dbc1552a8881fce1
SHA1

9802c31fa930c682e7a7e7454263d4a484c90b07
SHA256

4a113e9217bfc48c1c79f17fec663637b92066af1dd82c9d8cf25cd0d5eda115
SHA512

4572f9cc0336c28741145bdbb2b223e08ab862c3c1cbd0ecab7ee4262bec62899770bafde7a1ff9438378b44feb0a5d91ea9a795b740dcae8a7e707f0aeda371
SSDEEP

12288:7ehnaNPpSVZmNxRCwnwm3W3OHIIf5B5QlqMuCqbZYJF:7eh0PpS6NxNnwYeOHXj2qMu3K

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

rundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exe

pid process

1148 rundll32mgr.exe
2696 rundll32mgrmgr.exe
2808 WaterMark.exe
2940 WaterMark.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32mgr.exerundll32mgrmgr.exe

pid process

1448 rundll32.exe
1448 rundll32.exe
1148 rundll32mgr.exe
1148 rundll32mgr.exe
2696 rundll32mgrmgr.exe
2696 rundll32mgrmgr.exe
1148 rundll32mgr.exe
1148 rundll32mgr.exe

pid	process
1148	rundll32mgr.exe
2696	rundll32mgrmgr.exe
2808	WaterMark.exe
2940	WaterMark.exe

pid	process
1448	rundll32.exe
1448	rundll32.exe
1148	rundll32mgr.exe
1148	rundll32mgr.exe
2696	rundll32mgrmgr.exe
2696	rundll32mgrmgr.exe
1148	rundll32mgr.exe
1148	rundll32mgr.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2696-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2808-73-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-46-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2940-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2940-67-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/1148-53-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-33-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-32-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-30-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/1148-27-0x00000000000B0000-0x00000000000F1000-memory.dmp	upx
behavioral1/memory/2696-22-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-21-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2696-19-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2940-736-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

rundll32mgr.exesvchost.exerundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgrmgr.exe	rundll32mgr.exe
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Mail\oeimport.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\dao360.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEWSTR.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\eula.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadco.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpuzzle_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Management.Instrumentation.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_read_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll	svchost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	svchost.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Linq.Resources.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penusa.dll	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 1448 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1312	1448	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

WaterMark.exeWaterMark.exesvchost.exe

pid	process
2808	WaterMark.exe
2808	WaterMark.exe
2940	WaterMark.exe
2940	WaterMark.exe
2940	WaterMark.exe
2808	WaterMark.exe
2940	WaterMark.exe
2808	WaterMark.exe
2940	WaterMark.exe
2808	WaterMark.exe
2940	WaterMark.exe
2808	WaterMark.exe
2940	WaterMark.exe
2940	WaterMark.exe
2808	WaterMark.exe
2808	WaterMark.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WaterMark.exeWaterMark.exesvchost.exesvchost.exerundll32.exeWerFault.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2808	WaterMark.exe
Token: SeDebugPrivilege	2940	WaterMark.exe
Token: SeDebugPrivilege	2220	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	1448	rundll32.exe
Token: SeDebugPrivilege	1312	WerFault.exe
Token: SeDebugPrivilege	2940	WaterMark.exe
Token: SeDebugPrivilege	2808	WaterMark.exe
Token: SeDebugPrivilege	2580	svchost.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

rundll32mgrmgr.exerundll32mgr.exeWaterMark.exeWaterMark.exe

pid process

2696 rundll32mgrmgr.exe
1148 rundll32mgr.exe
2808 WaterMark.exe
2940 WaterMark.exe

pid	process
2696	rundll32mgrmgr.exe
1148	rundll32mgr.exe
2808	WaterMark.exe
2940	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exerundll32mgrmgr.exeWaterMark.exeWaterMark.exe

description	pid	process	target process
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 3056 wrote to memory of 1448	3056	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1148	1448	rundll32.exe	rundll32mgr.exe
PID 1448 wrote to memory of 1148	1448	rundll32.exe	rundll32mgr.exe
PID 1448 wrote to memory of 1148	1448	rundll32.exe	rundll32mgr.exe
PID 1448 wrote to memory of 1148	1448	rundll32.exe	rundll32mgr.exe
PID 1448 wrote to memory of 1312	1448	rundll32.exe	WerFault.exe
PID 1448 wrote to memory of 1312	1448	rundll32.exe	WerFault.exe
PID 1448 wrote to memory of 1312	1448	rundll32.exe	WerFault.exe
PID 1448 wrote to memory of 1312	1448	rundll32.exe	WerFault.exe
PID 1148 wrote to memory of 2696	1148	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1148 wrote to memory of 2696	1148	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1148 wrote to memory of 2696	1148	rundll32mgr.exe	rundll32mgrmgr.exe
PID 1148 wrote to memory of 2696	1148	rundll32mgr.exe	rundll32mgrmgr.exe
PID 2696 wrote to memory of 2940	2696	rundll32mgrmgr.exe	WaterMark.exe
PID 2696 wrote to memory of 2940	2696	rundll32mgrmgr.exe	WaterMark.exe
PID 2696 wrote to memory of 2940	2696	rundll32mgrmgr.exe	WaterMark.exe
PID 2696 wrote to memory of 2940	2696	rundll32mgrmgr.exe	WaterMark.exe
PID 1148 wrote to memory of 2808	1148	rundll32mgr.exe	WaterMark.exe
PID 1148 wrote to memory of 2808	1148	rundll32mgr.exe	WaterMark.exe
PID 1148 wrote to memory of 2808	1148	rundll32mgr.exe	WaterMark.exe
PID 1148 wrote to memory of 2808	1148	rundll32mgr.exe	WaterMark.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2580	2940	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2276	2808	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2940 wrote to memory of 2224	2940	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe
PID 2808 wrote to memory of 2220	2808	WaterMark.exe	svchost.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1624

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:808

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:856

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:268

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1068

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2092

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2176

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll,#1
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\rundll32mgrmgr.exe
C:\Windows\SysWOW64\rundll32mgrmgr.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2276

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 224
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
260KB

MD5
b2250e4462c5c0ce3c66d99dd4dc323b

SHA1
3bbdd8b85859c0e7420db9c5406519db8c2670a2

SHA256
f321a8ce05da996f616183ed90a0402600b309f3fecd8ba93993043e33685a73

SHA512
05583fb9db9e32e95443207c4382743c5ecba29f04b9309c71cad21422dd2d2a00b354a0cbb74d79043944461249f609349931a90aaffe7ddb9d8be997f0b9be

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
256KB

MD5
a262340794e1a2e39853b52fde182621

SHA1
f46a805c7880b1445f8f9fe42917890353d03a6e

SHA256
8e3502670557b9ae9107d0458e90fa1e8ed4bd232bcf2038b06086bc8f69504d

SHA512
2c540c16113b8c7295744e21a563b3b8c7dee538aa4c5c330317ad92a9fefaab92bf587b2c55c78ed5562672ad7f7ab7326b3495d69b4f493f3dbf400534e34b

Download Submit
\Windows\SysWOW64\rundll32mgr.exe
Filesize
249KB

MD5
2596efab0190328fbab54d463d657ec4

SHA1
290c5fa2ca9dcc81e9017699b6bde44a9fc9d8c0

SHA256
62a0bab325cf7bf8a1f915717d21b4eb89cbb19014b01833236afafe7c4cd853

SHA512
e04309a561d35f12060e7df54a7fb22a0c75bb967d0f6fc96df0f4edfab36408a7b3837cc5b41e273d00254bb50f4db6a56c87982454a6462ac7488402b565b2

Download Submit
\Windows\SysWOW64\rundll32mgrmgr.exe
Filesize
123KB

MD5
a1a2227042e7e381d8e8e11a3524dbcd

SHA1
33982b4710c663bb80c8528fce509aec8a057815

SHA256
cba6731b757fea8a628a28a8cb77eccdbb501002bdc77d7c3c5c41287b9e4fd2

SHA512
15e75739f5326b6a4e6fd192995e176eafac82893ff57424f128873f35cd78a726176a0be7c6f9f933fcd6127605f9b88a114c6ecbb4cefe0e559d408b9b3594

Download Submit
memory/1148-27-0x00000000000B0000-0x00000000000F1000-memory.dmp

Filesize
260KB

Download
memory/1148-28-0x00000000000B0000-0x00000000000F1000-memory.dmp

Filesize
260KB

Download
memory/1148-53-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1148-54-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/1448-2-0x0000000010000000-0x00000000100A1000-memory.dmp

Filesize
644KB

Download
memory/1448-10-0x00000000006C0000-0x0000000000721000-memory.dmp

Filesize
388KB

Download
memory/1448-3-0x00000000006C0000-0x0000000000721000-memory.dmp

Filesize
388KB

Download
memory/2276-104-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2276-100-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2276-96-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2276-88-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2276-86-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/2696-46-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-47-0x0000000000416000-0x0000000000420000-memory.dmp

Filesize
40KB

Download
memory/2696-48-0x0000000000401000-0x0000000000416000-memory.dmp

Filesize
84KB

Download
memory/2696-33-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-31-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2696-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-21-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2696-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2808-71-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2808-113-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2808-73-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2940-72-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2940-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2940-112-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2940-736-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2940-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download