Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 11:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll
- Resource: win7-20240508-en
General
- Target: 19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll
- Size: 636KB
- MD5: 19f258dc2ec48604dbc1552a8881fce1
- SHA1: 9802c31fa930c682e7a7e7454263d4a484c90b07
- SHA256: 4a113e9217bfc48c1c79f17fec663637b92066af1dd82c9d8cf25cd0d5eda115
- SHA512: 4572f9cc0336c28741145bdbb2b223e08ab862c3c1cbd0ecab7ee4262bec62899770bafde7a1ff9438378b44feb0a5d91ea9a795b740dcae8a7e707f0aeda371
- SSDEEP: 12288:7ehnaNPpSVZmNxRCwnwm3W3OHIIf5B5QlqMuCqbZYJF:7eh0PpS6NxNnwYeOHXj2qMu3K
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
Processes (pid, process):
- 3688 rundll32mgr.exe
- 4708 rundll32mgrmgr.exe
- 2396 WaterMark.exe
- 852 WaterMark.exe
- 116 WaterMarkmgr.exe
- 2676 WaterMark.exe
-
Processes (resource, yara_rule):
- behavioral2/memory/3688-18-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/4708-39-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2396-45-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-21-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-17-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-16-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-15-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-14-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/3688-13-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2676-71-0x0000000000400000-0x0000000000461000-memory.dmp upx
- behavioral2/memory/116-59-0x0000000000400000-0x0000000000441000-memory.dmp upx
- behavioral2/memory/116-58-0x0000000000400000-0x0000000000421000-memory.dmp upx
- behavioral2/memory/2396-85-0x0000000000400000-0x0000000000421000-memory.dmp upx
-
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File created C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)
- File created C:\Windows\SysWOW64\rundll32mgrmgr.exe (rundll32mgr.exe)
-
Drops file in Program Files directory 10 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Program Files (x86)\Microsoft\px567C.tmp (rundll32mgr.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe (WaterMark.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe (WaterMark.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\px56CB.tmp (rundll32mgrmgr.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgrmgr.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\px5728.tmp (WaterMarkmgr.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMark.exe (WaterMarkmgr.exe)
- File created C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe (WaterMark.exe)
-
Program crash 4 IoCs
Processes (pid, pid_target, process, target process):
- 4832 1428 WerFault.exe rundll32.exe
- 4656 1324 WerFault.exe svchost.exe
- 2184 2600 WerFault.exe svchost.exe
- 3404 2488 WerFault.exe svchost.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes (pid, process; the 48 hits repeat these three entries):
- 2396 WaterMark.exe
- 852 WaterMark.exe
- 2676 WaterMark.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2396 WaterMark.exe
- Token: SeDebugPrivilege 852 WaterMark.exe
- Token: SeDebugPrivilege 2676 WaterMark.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 3684 iexplore.exe
- 4436 iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes (pid, process; the 10 hits repeat these four entries):
- 3684 iexplore.exe
- 4436 iexplore.exe
- 4316 IEXPLORE.EXE
- 1272 IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 6 IoCs
Processes (pid, process):
- 3688 rundll32mgr.exe
- 4708 rundll32mgrmgr.exe
- 2396 WaterMark.exe
- 116 WaterMarkmgr.exe
- 852 WaterMark.exe
- 2676 WaterMark.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; the 64 hits repeat these pairs):
- 4660 rundll32.exe wrote to 1428 rundll32.exe
- 1428 rundll32.exe wrote to 3688 rundll32mgr.exe
- 3688 rundll32mgr.exe wrote to 4708 rundll32mgrmgr.exe
- 3688 rundll32mgr.exe wrote to 2396 WaterMark.exe
- 2396 WaterMark.exe wrote to 116 WaterMarkmgr.exe
- 4708 rundll32mgrmgr.exe wrote to 852 WaterMark.exe
- 116 WaterMarkmgr.exe wrote to 2676 WaterMark.exe
- 2396 WaterMark.exe wrote to 2600 svchost.exe
- 852 WaterMark.exe wrote to 1324 svchost.exe
- 2676 WaterMark.exe wrote to 2488 svchost.exe
- 2396 WaterMark.exe wrote to 4436 iexplore.exe
- 2396 WaterMark.exe wrote to 3684 iexplore.exe
- 852 WaterMark.exe wrote to 4924 iexplore.exe
- 852 WaterMark.exe wrote to 996 iexplore.exe
- 2676 WaterMark.exe wrote to 4752 iexplore.exe
- 2676 WaterMark.exe wrote to 3408 iexplore.exe
- 4436 iexplore.exe wrote to 1272 IEXPLORE.EXE
- 3684 iexplore.exe wrote to 4316 IEXPLORE.EXE
Processes (process tree; each entry gives image path, command line, and the signatures that fired)
- C:\Windows\system32\rundll32.exe: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe: rundll32.exe C:\Users\Admin\AppData\Local\Temp\19f258dc2ec48604dbc1552a8881fce1_JaffaCakes118.dll,#1
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe: C:\Windows\SysWOW64\rundll32mgr.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32mgrmgr.exe: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe: C:\Windows\system32\svchost.exe
            - C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 204
              Signatures: Program crash
          - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings
          - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings
      - C:\Program Files (x86)\Microsoft\WaterMark.exe: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\WaterMark.exe: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\svchost.exe: C:\Windows\system32\svchost.exe
              - C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 204
                Signatures: Program crash
            - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
            - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
              Signatures: Modifies Internet Explorer settings
        - C:\Windows\SysWOW64\svchost.exe: C:\Windows\system32\svchost.exe
          - C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 204
            Signatures: Program crash
        - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4436 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        - C:\Program Files\Internet Explorer\iexplore.exe: "C:\Program Files\Internet Explorer\iexplore.exe"
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3684 CREDAT:17410 /prefetch:2
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1428 -ip 1428
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2600 -ip 2600
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1324 -ip 1324
- C:\Windows\SysWOW64\WerFault.exe: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2488 -ip 2488
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- Filesize: 471B
- MD5: 293ea21f7d2b09f447f07d065dd542b9
- SHA1: 5d30d1d814dab60840b66cb9ee7dd8ceea05df70
- SHA256: 2203bb67fc1d126a35d05b53e3b9c39acf5a06b6f2d792099460e8caa83f2a32
- SHA512: 7d5ff3768b8ab54f4186a325ac433eb4a1f3dfabb30d641a0a1d6b9f2f24c5dd83cc5d05c13477cab16c5644d39e45ae991d75a1ddb7c79b76e562b4f2eb2898
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- Filesize: 404B
- MD5: 15acdef3c2a559966eecf4cb660151c8
- SHA1: 8696ecf01d97214b8446a7e0bed6a3f6fe6b0c4e
- SHA256: 5aaf61d5aaf8a4887d301ed1af721dfe99b3e81e0e3abafb4851f17c3a4f52ee
- SHA512: 2a39f1ab4eadaeec654a4481beae2596baee295527bccab836b151594a11d9ac8660d8f49c9c7e2100bc94b0ff84fbb1b1dae97552d5605ca8f5f992e6f649bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- Filesize: 404B
- MD5: c0d2f41fad29dd15652742eb9416a495
- SHA1: 9d4514de5f91a93a9e5f06eb8ad9c3881f6cfb23
- SHA256: a140006db4f76680dcd6e106055ed9361a40bd41b198b384ce91152e4da30e5b
- SHA512: f9b660fe538360f2c757cf3945cce161310ce82d553547b5b13d4a352a86617986efe34d922455cc77dee2ffb58aaf12d18d0f28226a31e3524ad1aa3a8ed2db
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8118FA8F-3541-11EF-9519-FEF50CB5D633}.dat
- Filesize: 3KB
- MD5: beca2bf7ccbccf5f13d552d10dffeaaa
- SHA1: 5395af5401450c0050a171864632302c7506e9ef
- SHA256: 2feee18b133e3eae0fd79f1682a5b3f2f85e2de3f388463a2fac7cec4a915e6e
- SHA512: e88ef3a771db0feca32c3bf8a03ab13cb0b6de13b845f894720924aa74c04bba8a5ec4fd488e4d523f680e1c4a1c1d0454163982d402b01cfbc4e6ca130b6995
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{811DBF8A-3541-11EF-9519-FEF50CB5D633}.dat
- Filesize: 5KB
- MD5: cab214a2d22def466e2324e2cde99326
- SHA1: bc1b6017ced08747d1449438515484f57c54e7b1
- SHA256: 0fec6718951e5b04f2b59367461e623df5f9c4f25beda8dd969df41394793a0e
- SHA512: c3d041ab65ab6293308249f90bcd1a336b2579a0044ed79a996a1fcfe2de7443be9e331c68ec8d642ad157697b1d3acdf9c561a56cf4d6e39d21b0d7999170bd
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD978.tmp
- Filesize: 15KB
- MD5: 1a545d0052b581fbb2ab4c52133846bc
- SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
- SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
- SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-US
- Filesize: 17KB
- MD5: 5a34cb996293fde2cb7a4ac89587393a
- SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
- SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
- SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Windows\SysWOW64\rundll32mgr.exe
- Filesize: 249KB
- MD5: 2596efab0190328fbab54d463d657ec4
- SHA1: 290c5fa2ca9dcc81e9017699b6bde44a9fc9d8c0
- SHA256: 62a0bab325cf7bf8a1f915717d21b4eb89cbb19014b01833236afafe7c4cd853
- SHA512: e04309a561d35f12060e7df54a7fb22a0c75bb967d0f6fc96df0f4edfab36408a7b3837cc5b41e273d00254bb50f4db6a56c87982454a6462ac7488402b565b2
-
C:\Windows\SysWOW64\rundll32mgrmgr.exe
- Filesize: 123KB
- MD5: a1a2227042e7e381d8e8e11a3524dbcd
- SHA1: 33982b4710c663bb80c8528fce509aec8a057815
- SHA256: cba6731b757fea8a628a28a8cb77eccdbb501002bdc77d7c3c5c41287b9e4fd2
- SHA512: 15e75739f5326b6a4e6fd192995e176eafac82893ff57424f128873f35cd78a726176a0be7c6f9f933fcd6127605f9b88a114c6ecbb4cefe0e559d408b9b3594
-
Memory dumps (resource, Filesize):
- memory/116-59-0x0000000000400000-0x0000000000441000-memory.dmp: 260KB
- memory/116-58-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/852-73-0x0000000000900000-0x0000000000901000-memory.dmp: 4KB
- memory/1428-2-0x0000000010000000-0x00000000100A1000-memory.dmp: 644KB
- memory/1428-79-0x0000000010000000-0x00000000100A1000-memory.dmp: 644KB
- memory/2396-85-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/2396-43-0x00000000001D0000-0x00000000001D1000-memory.dmp: 4KB
- memory/2396-45-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/2396-80-0x0000000000070000-0x0000000000071000-memory.dmp: 4KB
- memory/2396-46-0x0000000077972000-0x0000000077973000-memory.dmp: 4KB
- memory/2396-31-0x0000000000400000-0x0000000000461000-memory.dmp: 388KB
- memory/2676-82-0x00000000008E0000-0x00000000008E1000-memory.dmp: 4KB
- memory/2676-75-0x00000000008D0000-0x00000000008D1000-memory.dmp: 4KB
- memory/2676-71-0x0000000000400000-0x0000000000461000-memory.dmp: 388KB
- memory/3688-14-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-10-0x0000000000404000-0x0000000000406000-memory.dmp: 8KB
- memory/3688-12-0x0000000000400000-0x0000000000461000-memory.dmp: 388KB
- memory/3688-13-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-15-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-16-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-17-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-21-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-30-0x00000000008E0000-0x00000000008E1000-memory.dmp: 4KB
- memory/3688-18-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB
- memory/3688-5-0x0000000000400000-0x0000000000461000-memory.dmp: 388KB
- memory/4708-9-0x0000000000400000-0x0000000000441000-memory.dmp: 260KB
- memory/4708-39-0x0000000000400000-0x0000000000421000-memory.dmp: 132KB