Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 12:58
Static task
static1
Behavioral task
behavioral1
Sample
1a351e907deae966141fe7575f17c053_JaffaCakes118.dll
Resource
win7-20231129-en
General
-
Target
1a351e907deae966141fe7575f17c053_JaffaCakes118.dll
-
Size
220KB
-
MD5
1a351e907deae966141fe7575f17c053
-
SHA1
ec5f68bbde00029efb31fb32748890dab418afbe
-
SHA256
c6c1de2aba94d50a9f4f5799fd35640985166985e69b916f0a426103d57407cf
-
SHA512
ff2038281cc5a4bdb1b59b93d79c858961d3c400c928d19db97dddab4b600f000230dda949603abc779e8c47e1b1e1a72cfcbe0fcb51b4ed02a5438727db9eba
-
SSDEEP
6144:9/mmNwlmUSWIY7vDDkTGei9zAFIzF5wXn6/+magVWL:9+mNwl6wvDDJ9UFILwLmagi
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 4 IoCs
Processes:
rundll32Srv.exerundll32Srv.exeWaterMark.exeWaterMark.exepid process 2148 rundll32Srv.exe 2920 rundll32Srv.exe 2676 WaterMark.exe 2476 WaterMark.exe -
Loads dropped DLL 6 IoCs
Processes:
rundll32.exerundll32Srv.exerundll32Srv.exeWaterMark.exepid process 2552 rundll32.exe 2552 rundll32.exe 2148 rundll32Srv.exe 2920 rundll32Srv.exe 2920 rundll32Srv.exe 2676 WaterMark.exe -
Processes:
resource yara_rule behavioral1/memory/2920-16-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2920-19-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2920-20-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2920-24-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2476-48-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral1/memory/2476-72-0x0000000000400000-0x0000000000418000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
Processes:
rundll32.exesvchost.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
rundll32Srv.exeWaterMark.exedescription pid process target process PID 2148 set thread context of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2676 set thread context of 2476 2676 WaterMark.exe WaterMark.exe -
Drops file in Program Files directory 64 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html svchost.exe File opened for modification C:\Program Files\DVD Maker\PipeTran.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\InkDiv.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libfingerprinter_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\eula.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DAO\dao360.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\ShvlRes.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcs.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\awt.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\java_crw_demo.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieproxy.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WaterMark.exepid process 2476 WaterMark.exe 2476 WaterMark.exe 2476 WaterMark.exe 2476 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WaterMark.exedescription pid process Token: SeDebugPrivilege 2476 WaterMark.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
rundll32Srv.exeWaterMark.exepid process 2148 rundll32Srv.exe 2676 WaterMark.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exerundll32Srv.exeWaterMark.exeWaterMark.exedescription pid process target process PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2912 wrote to memory of 2552 2912 rundll32.exe rundll32.exe PID 2552 wrote to memory of 2148 2552 rundll32.exe rundll32Srv.exe PID 2552 wrote to memory of 2148 2552 rundll32.exe rundll32Srv.exe PID 2552 wrote to memory of 2148 2552 rundll32.exe rundll32Srv.exe PID 2552 wrote to memory of 2148 2552 rundll32.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2148 wrote to memory of 2920 2148 rundll32Srv.exe rundll32Srv.exe PID 2920 wrote to memory of 2676 2920 rundll32Srv.exe WaterMark.exe PID 2920 wrote to memory of 2676 2920 rundll32Srv.exe WaterMark.exe PID 2920 wrote to memory of 2676 2920 rundll32Srv.exe WaterMark.exe PID 2920 wrote to memory of 2676 2920 rundll32Srv.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2676 wrote to memory of 2476 2676 WaterMark.exe WaterMark.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe PID 2476 wrote to memory of 2876 2476 WaterMark.exe svchost.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exe"C:\Windows\SysWOW64\rundll32Srv.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.htmlFilesize
151KB
MD58f91179e0d119bb413ed77f27127342b
SHA12ce532228678c0be8f3fa1b8996872fc8f9eeea9
SHA2561006a05a1bff9bee4edee6ddf2889a9fc2b64e4d7fd6a4acd757ea0ae0d715af
SHA5128e0c4f5cc999bb6c9436acf60de876c15db69102a2f34bbb60def41f3f1a60740d2efa3a3c3e91a9697f88fbfd5220336adc4cf12301021fa0c5c6c2e5990bf1
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.htmlFilesize
148KB
MD54095157371434b5efce5eacceb3cac49
SHA1e843b7f54f4e6caa37291cec42b840082bd31c31
SHA2566c02ffdbfd9969fd5cb984bba8d84bb07bac13ef0d5fafbfa68c5c50b9806031
SHA512ff589847446d43f524239174e02c01648a1c9c05ef7d43bbf54245a4f5707c141232a0235818a2480e96a4e2f5ae9a998d4ce09505e81b0815815ef575396e11
-
\Windows\SysWOW64\rundll32Srv.exeFilesize
69KB
MD53284b0d95ae1f80355da5e04e79a6be1
SHA1642bbb026f238a4eed9931772869b637621d98c8
SHA256f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60
SHA51213712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547
-
memory/2148-11-0x0000000000020000-0x0000000000023000-memory.dmpFilesize
12KB
-
memory/2148-10-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2148-22-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2476-48-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2476-72-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2476-47-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB
-
memory/2552-3-0x0000000000230000-0x0000000000289000-memory.dmpFilesize
356KB
-
memory/2552-1-0x000000006DAC0000-0x000000006DAFF000-memory.dmpFilesize
252KB
-
memory/2676-35-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2676-46-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/2876-62-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/2876-61-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2876-52-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2876-51-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/2876-56-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/2876-74-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/2876-63-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/2876-70-0x0000000020010000-0x0000000020020000-memory.dmpFilesize
64KB
-
memory/2876-60-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/2920-27-0x0000000000490000-0x00000000004E9000-memory.dmpFilesize
356KB
-
memory/2920-20-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2920-24-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2920-19-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2920-16-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB