Analysis
-
max time kernel
93s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 12:58
Static task
static1
Behavioral task
behavioral1
Sample
1a351e907deae966141fe7575f17c053_JaffaCakes118.dll
Resource
win7-20231129-en
General
-
Target
1a351e907deae966141fe7575f17c053_JaffaCakes118.dll
-
Size
220KB
-
MD5
1a351e907deae966141fe7575f17c053
-
SHA1
ec5f68bbde00029efb31fb32748890dab418afbe
-
SHA256
c6c1de2aba94d50a9f4f5799fd35640985166985e69b916f0a426103d57407cf
-
SHA512
ff2038281cc5a4bdb1b59b93d79c858961d3c400c928d19db97dddab4b600f000230dda949603abc779e8c47e1b1e1a72cfcbe0fcb51b4ed02a5438727db9eba
-
SSDEEP
6144:9/mmNwlmUSWIY7vDDkTGei9zAFIzF5wXn6/+magVWL:9+mNwl6wvDDJ9UFILwLmagi
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
rundll32Srv.exerundll32Srv.exeWaterMark.exeWaterMark.exepid process 4764 rundll32Srv.exe 4276 rundll32Srv.exe 3744 WaterMark.exe 3980 WaterMark.exe -
Processes:
resource yara_rule behavioral2/memory/4276-9-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/4276-16-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/3980-34-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/3980-30-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/4276-13-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/4276-12-0x0000000000400000-0x0000000000418000-memory.dmp upx behavioral2/memory/3980-38-0x0000000000400000-0x0000000000418000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
rundll32Srv.exeWaterMark.exedescription pid process target process PID 4764 set thread context of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 3744 set thread context of 3980 3744 WaterMark.exe WaterMark.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32Srv.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\px4304.tmp rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32Srv.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1984 3400 WerFault.exe svchost.exe -
Processes:
IEXPLORE.EXEiexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115610" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1B68BE39-354E-11EF-9519-7ACDD6433640} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4024629624" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115610" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4022598410" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115610" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4022598410" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426344480" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
WaterMark.exepid process 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe 3980 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WaterMark.exedescription pid process Token: SeDebugPrivilege 3980 WaterMark.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 368 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
rundll32Srv.exeWaterMark.exeiexplore.exeIEXPLORE.EXEpid process 4764 rundll32Srv.exe 3744 WaterMark.exe 368 iexplore.exe 368 iexplore.exe 4420 IEXPLORE.EXE 4420 IEXPLORE.EXE 4420 IEXPLORE.EXE 4420 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exerundll32Srv.exeWaterMark.exeWaterMark.exeiexplore.exedescription pid process target process PID 5116 wrote to memory of 4196 5116 rundll32.exe rundll32.exe PID 5116 wrote to memory of 4196 5116 rundll32.exe rundll32.exe PID 5116 wrote to memory of 4196 5116 rundll32.exe rundll32.exe PID 4196 wrote to memory of 4764 4196 rundll32.exe rundll32Srv.exe PID 4196 wrote to memory of 4764 4196 rundll32.exe rundll32Srv.exe PID 4196 wrote to memory of 4764 4196 rundll32.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4764 wrote to memory of 4276 4764 rundll32Srv.exe rundll32Srv.exe PID 4276 wrote to memory of 3744 4276 rundll32Srv.exe WaterMark.exe PID 4276 wrote to memory of 3744 4276 rundll32Srv.exe WaterMark.exe PID 4276 wrote to memory of 3744 4276 rundll32Srv.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3744 wrote to memory of 3980 3744 WaterMark.exe WaterMark.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 3400 3980 WaterMark.exe svchost.exe PID 3980 wrote to memory of 368 3980 WaterMark.exe iexplore.exe PID 3980 wrote to memory of 368 3980 WaterMark.exe iexplore.exe PID 368 wrote to memory of 4420 368 iexplore.exe IEXPLORE.EXE PID 368 wrote to memory of 4420 368 iexplore.exe IEXPLORE.EXE PID 368 wrote to memory of 4420 368 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1a351e907deae966141fe7575f17c053_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exe"C:\Windows\SysWOW64\rundll32Srv.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1968⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:17410 /prefetch:28⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3400 -ip 34001⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5293ea21f7d2b09f447f07d065dd542b9
SHA15d30d1d814dab60840b66cb9ee7dd8ceea05df70
SHA2562203bb67fc1d126a35d05b53e3b9c39acf5a06b6f2d792099460e8caa83f2a32
SHA5127d5ff3768b8ab54f4186a325ac433eb4a1f3dfabb30d641a0a1d6b9f2f24c5dd83cc5d05c13477cab16c5644d39e45ae991d75a1ddb7c79b76e562b4f2eb2898
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD565540c7881222a180f814182a05f3288
SHA1bfdec61b095a2e5ff2b2f91b9fa11d120b709507
SHA256585f6d4a1eb16b919f7b06ee47abed375a8cf1a01cc65ebc70d76452d29c13c1
SHA5120a0bf2856132bd1b5ed368623025b5bcefc3e489cc6200ba1dd2d3d52ed42ceeebf7e4035d0d60ac85f05b8599d0f4a95660fd49acebc3886a6b3d73ab964551
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Windows\SysWOW64\rundll32Srv.exeFilesize
69KB
MD53284b0d95ae1f80355da5e04e79a6be1
SHA1642bbb026f238a4eed9931772869b637621d98c8
SHA256f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60
SHA51213712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547
-
memory/3400-37-0x0000000000F50000-0x0000000000F51000-memory.dmpFilesize
4KB
-
memory/3400-36-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/3744-22-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3744-32-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/3980-38-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3980-34-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3980-39-0x0000000077842000-0x0000000077843000-memory.dmpFilesize
4KB
-
memory/3980-33-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3980-30-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4196-1-0x000000006DAC0000-0x000000006DAFF000-memory.dmpFilesize
252KB
-
memory/4276-16-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4276-12-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4276-13-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4276-9-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/4764-15-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4764-5-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4764-6-0x00000000001C0000-0x00000000001C3000-memory.dmpFilesize
12KB