Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 18:16
Static task
static1
Behavioral task
behavioral1
Sample
1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe
-
Size
216KB
-
MD5
1702ec3e1294c664987fee120474a0a2
-
SHA1
f62f43fc48413168b47b122d8fbe793009d698a0
-
SHA256
3c0f144939f2009cb2f8c835c9b1493b43d7bed1c78f6a76d2fab732c546dfdf
-
SHA512
bf5a1e15e8339557cfbc8c7b6b7d9a34bc046b318dd06144571cde02e4deafefe58f88f0876b00fb2f3f1865579f5962a54547c1fe1dbfa39aef1210cc8dd402
-
SSDEEP
3072:blFQnZn9H/W07Uhh3jxswLE97oAy3kZ5zR65RBviWaIixrDMmAkS2IuAQ:4fOEUhTLU7oA7vITBSVRDMmLe
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeWaterMark.exeWaterMark.exepid process 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 5056 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 5044 WaterMark.exe 2800 WaterMark.exe -
Processes:
resource yara_rule behavioral2/memory/5056-10-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/5056-14-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/5056-13-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/5056-15-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/2800-32-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/2800-35-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/2800-39-0x0000000000400000-0x0000000000418000-memory.dmp upx -
Suspicious use of SetThreadContext 2 IoCs
Processes:
1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeWaterMark.exedescription pid process target process PID 4768 set thread context of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 5044 set thread context of 2800 5044 WaterMark.exe WaterMark.exe -
Drops file in Program Files directory 3 IoCs
Processes:
1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\px74E.tmp 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1328 404 WerFault.exe svchost.exe -
Processes:
IEXPLORE.EXEiexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "973912093" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426277181" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{64FC4097-34B1-11EF-B9F7-4A48D699C5C8} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115454" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115454" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1084694693" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "973912093" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115454" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
WaterMark.exepid process 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WaterMark.exedescription pid process Token: SeDebugPrivilege 2800 WaterMark.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 4232 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeWaterMark.exeiexplore.exeIEXPLORE.EXEpid process 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 5044 WaterMark.exe 4232 iexplore.exe 4232 iexplore.exe 688 IEXPLORE.EXE 688 IEXPLORE.EXE 688 IEXPLORE.EXE 688 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeWaterMark.exeWaterMark.exeiexplore.exedescription pid process target process PID 3080 wrote to memory of 4768 3080 1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 3080 wrote to memory of 4768 3080 1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 3080 wrote to memory of 4768 3080 1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 4768 wrote to memory of 5056 4768 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe PID 5056 wrote to memory of 5044 5056 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe WaterMark.exe PID 5056 wrote to memory of 5044 5056 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe WaterMark.exe PID 5056 wrote to memory of 5044 5056 1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 5044 wrote to memory of 2800 5044 WaterMark.exe WaterMark.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 404 2800 WaterMark.exe svchost.exe PID 2800 wrote to memory of 4232 2800 WaterMark.exe iexplore.exe PID 2800 wrote to memory of 4232 2800 WaterMark.exe iexplore.exe PID 4232 wrote to memory of 688 4232 iexplore.exe IEXPLORE.EXE PID 4232 wrote to memory of 688 4232 iexplore.exe IEXPLORE.EXE PID 4232 wrote to memory of 688 4232 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeC:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe"C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2047⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4232 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 404 -ip 4041⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5fa34ecb8815a2d98849888cb1cdbf38b
SHA184fd0e04586009efb3683c98da8d9aa41487cd42
SHA2565077a54924f80491a74ed78bbd73ff7bf85a27caddb80ceaa9ccb86f8b9a11be
SHA512ccfdb76ccedd0076601e17272d346229e2b9c0dd884c09bb7701b32c5dc177da8a91bb539ce751297d8ea44716fc497e8a337a9499c93a474ba85915f28f1053
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD540ae790ed08608487d862ae728a1ef63
SHA174daa296e844acd34e426d025e06c664c88873b7
SHA256199990c201948ad53d41fcf0d5b51f347c84097d9a450c96e8c1bf954a2e4db3
SHA5123cbed48d4098f7a3d06ee90d7048c44341ab1a39320e1c04a7ea556f1fc6f103361ccfe5340552fb3e76c1a6b08ee3895399464cda082e21b3a91a99099b82c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\1702ec3e1294c664987fee120474a0a2_JaffaCakes118Srv.exeFilesize
69KB
MD53284b0d95ae1f80355da5e04e79a6be1
SHA1642bbb026f238a4eed9931772869b637621d98c8
SHA256f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60
SHA51213712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547
-
memory/404-38-0x0000000000490000-0x0000000000491000-memory.dmpFilesize
4KB
-
memory/404-37-0x00000000004B0000-0x00000000004B1000-memory.dmpFilesize
4KB
-
memory/2800-32-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2800-39-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2800-40-0x0000000077552000-0x0000000077553000-memory.dmpFilesize
4KB
-
memory/2800-34-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/2800-35-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2800-36-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/3080-7-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/3080-0-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/4768-18-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4768-6-0x00000000001C0000-0x00000000001C3000-memory.dmpFilesize
12KB
-
memory/4768-4-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/5044-24-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/5044-33-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/5056-15-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/5056-13-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/5056-14-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/5056-10-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB