Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 04:37
Static task: static1
Behavioral task: behavioral1 (Sample fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll, Resource win7-20240221-en)
The signatures, process tree and memory dumps below belong to the behavioral2 run on win10v2004-20240412-en, the platform listed above (the YARA matches are recorded under behavioral2/memory/...).
General
- Target: fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll
- Size: 942KB
- MD5: fbf13e38558108839059a6df1a214d03
- SHA1: e070d3aeb6b50ae7dde84ecda504aedb2d284125
- SHA256: 1fa242ce013b13eccbf6adeaeec9c1c42bcc23fd2a96351e43eceb39d1408475
- SHA512: 9b95c6c7165e6c45aa66d31ea1d3dec0ea45e518c72e78dc750a86b157b1bc58c8a9c84516491ea55c6b97d6d292290185ef441c3871d7e00147d94c8a172cbb
- SSDEEP: 24576:5hTSqs13avB+054QYuNVGvogaiXK0xb7ZivKLVg:5hEIQQYYiXnRivKK
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 2336 rundll32Srv.exe
- 4560 rundll32Srv.exe
- 3964 WaterMark.exe
- 3160 WaterMark.exe
-
YARA rule upx matched in memory 7 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/4560-9-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/4560-15-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/4560-13-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/4560-14-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/4560-19-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3160-33-0x0000000000400000-0x0000000000418000-memory.dmp upx
- behavioral2/memory/3160-39-0x0000000000400000-0x0000000000418000-memory.dmp upx
-
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File created  C:\Windows\SysWOW64\rundll32Srv.exe  rundll32.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 2336 set thread context of 4560  rundll32Srv.exe -> rundll32Srv.exe
- PID 3964 set thread context of 3160  WaterMark.exe -> WaterMark.exe
-
Drops file in Program Files directory 3 IoCs
Processes (description, ioc, process):
- File opened for modification  C:\Program Files (x86)\Microsoft\px2F1E.tmp  rundll32Srv.exe
- File created  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32Srv.exe
- File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32Srv.exe
-
Program crash 2 IoCs
Processes (pid, pid_target, process, target process):
- 3564 WerFault.exe handled the crash of 1764 rundll32.exe
- 3768 WerFault.exe handled the crash of 688 svchost.exe
-
Modifies Internet Explorer settings
Processes (description, ioc, process). All keys are under \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\; the path case is as logged:
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9B8ED3C-FECF-11EE-ADB6-FAEF73C7C1C1} = "0"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101660"  IEXPLORE.EXE
- Key created  Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
- Key created  SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
- Set value (str)  SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
- Key created  SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2652434343"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420352864"  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
- Set value (data)  SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
- Set value (str)  SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\GPU  IEXPLORE.EXE
- Key created  SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101660"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101660"  iexplore.exe
- Set value (str)  SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\Main  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2652434343"  iexplore.exe
- Set value (str)  SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
- Key created  Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
- Set value (int)  SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2657903296"  IEXPLORE.EXE
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid, process):
- 3160 WaterMark.exe (8 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege  3160 WaterMark.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 1716 iexplore.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes (pid, process):
- 2336 rundll32Srv.exe (1 event)
- 3964 WaterMark.exe (1 event)
- 1716 iexplore.exe (2 events)
- 2076 IEXPLORE.EXE (4 events)
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes (pid, process -> target pid, target process; number of writes):
- 4528 rundll32.exe -> 1764 rundll32.exe (3)
- 1764 rundll32.exe -> 2336 rundll32Srv.exe (3)
- 2336 rundll32Srv.exe -> 4560 rundll32Srv.exe (8)
- 4560 rundll32Srv.exe -> 3964 WaterMark.exe (3)
- 3964 WaterMark.exe -> 3160 WaterMark.exe (8)
- 3160 WaterMark.exe -> 688 svchost.exe (9)
- 3160 WaterMark.exe -> 1716 iexplore.exe (2)
- 1716 iexplore.exe -> 2076 IEXPLORE.EXE (3)
Processes (image, command line, signatures; PIDs taken from the signature tables above)
- C:\Windows\system32\rundll32.exe (PID 4528)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1764)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbf13e38558108839059a6df1a214d03_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32Srv.exe (PID 2336)
      C:\Windows\SysWOW64\rundll32Srv.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32Srv.exe (PID 4560)
        "C:\Windows\SysWOW64\rundll32Srv.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 3964)
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 3160)
            "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\svchost.exe (PID 688)
              C:\Windows\system32\svchost.exe
              - C:\Windows\SysWOW64\WerFault.exe (PID 3768)
                C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 216
                - Program crash
            - C:\Program Files\Internet Explorer\iexplore.exe (PID 1716)
              "C:\Program Files\Internet Explorer\iexplore.exe"
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2076)
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe (PID 3564)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 648
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1764 -ip 1764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 688 -ip 688
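The process tree and the WriteProcessMemory / SetThreadContext tables together describe two distinct techniques: each dropped binary (rundll32Srv.exe, then WaterMark.exe) starts a second copy of itself, writes into it and resets its thread context (process hollowing), and the final WaterMark.exe then writes into svchost.exe and iexplore.exe (injection into host processes). The script below is an added example, not part of the sandbox report or the sample: it parses the report's own rows (copied here as constructed input), separates the two patterns by rule rather than by eye, and cross-checks the hollowing pairs against the memory dumps listed under Downloads, where the child's region at the 0x400000 image base is 96KB while the parent's is 356KB. The HOST_IMAGES set is an assumption about which images count as injection hosts.

```python
import re
from collections import Counter

# Constructed input (copied from the report's "Suspicious use of WriteProcessMemory"
# and "Suspicious use of SetThreadContext" tables, in the sandbox's row format,
# with the number of times each row appears). Not produced by this script.
ROW_COUNTS = [
    ("PID 4528 wrote to memory of 1764 4528 rundll32.exe rundll32.exe", 3),
    ("PID 1764 wrote to memory of 2336 1764 rundll32.exe rundll32Srv.exe", 3),
    ("PID 2336 wrote to memory of 4560 2336 rundll32Srv.exe rundll32Srv.exe", 8),
    ("PID 4560 wrote to memory of 3964 4560 rundll32Srv.exe WaterMark.exe", 3),
    ("PID 3964 wrote to memory of 3160 3964 WaterMark.exe WaterMark.exe", 8),
    ("PID 3160 wrote to memory of 688 3160 WaterMark.exe svchost.exe", 9),
    ("PID 3160 wrote to memory of 1716 3160 WaterMark.exe iexplore.exe", 2),
    ("PID 1716 wrote to memory of 2076 1716 iexplore.exe IEXPLORE.EXE", 3),
    ("PID 2336 set thread context of 4560 2336 rundll32Srv.exe rundll32Srv.exe", 1),
    ("PID 3964 set thread context of 3160 3964 WaterMark.exe WaterMark.exe", 1),
]
REPORT_TEXT = "\n".join(row for row, n in ROW_COUNTS for _ in range(n))

# Constructed input: memory-dump names the report lists under Downloads, one per
# process of interest (enough to read the region mapped at the image base).
MEMORY_DUMPS = """
memory/1764-0-0x00000000623F0000-0x00000000624E1000-memory.dmp
memory/2336-4-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4560-9-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3964-23-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3160-33-0x0000000000400000-0x0000000000418000-memory.dmp
"""

# "PID <src> <api> of <dst> <src> <src_image> <dst_image>"; \1 re-matches the source pid.
EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory|set thread context) of (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Assumption: Windows images commonly used as injection hosts. Extend as needed.
HOST_IMAGES = {"svchost.exe", "iexplore.exe", "explorer.exe"}


def parse_events(text):
    """Return (api, src_pid, dst_pid, src_image, dst_image) for every row."""
    events = []
    for m in EVENT_RE.finditer(text):
        api = "WriteProcessMemory" if m.group(2).startswith("wrote") else "SetThreadContext"
        events.append((api, int(m.group(1)), int(m.group(3)), m.group(4), m.group(5)))
    return events


def write_edges(events):
    """Count WriteProcessMemory calls per (src_pid, dst_pid, src_image, dst_image)."""
    return Counter((s, d, si, di) for api, s, d, si, di in events
                   if api == "WriteProcessMemory")


def find_hollowing(events):
    """SetThreadContext into a child running the same image, after writes into that
    child, is the hollowing pattern. Returns (parent_pid, child_pid, image)."""
    edges = write_edges(events)
    return [(s, d, si) for api, s, d, si, di in events
            if api == "SetThreadContext" and si.lower() == di.lower()
            and any(e[0] == s and e[1] == d for e in edges)]


def find_host_injection(events):
    """Writes from one image into a different image that is a known host, with the
    write count per edge. A browser parent writing into its own child
    (iexplore.exe -> IEXPLORE.EXE) has equal images and is not counted."""
    return sorted((s, si, d, di, n) for (s, d, si, di), n in write_edges(events).items()
                  if di.lower() in HOST_IMAGES and si.lower() != di.lower())


def image_regions(dump_text):
    """pid -> size in bytes of the dumped region at the classic 32-bit image base."""
    regions = {}
    for m in DUMP_RE.finditer(dump_text):
        pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if lo == 0x400000:
            regions[pid] = hi - lo
    return regions


def hollowed_image_mismatch(events, dump_text):
    """For each hollowing pair, compare parent and child region sizes at the image
    base; a different size in the child is consistent with its image having been
    replaced. Returns (parent, child, parent_size, child_size) for mismatches."""
    regions = image_regions(dump_text)
    return [(p, c, regions.get(p), regions.get(c))
            for p, c, _ in find_hollowing(events) if regions.get(p) != regions.get(c)]


if __name__ == "__main__":
    ev = parse_events(REPORT_TEXT)
    for p, c, img in find_hollowing(ev):
        print(f"hollowing: {img} PID {p} -> PID {c}")
    for s, si, d, di, n in find_host_injection(ev):
        print(f"injection: {si} PID {s} -> {di} PID {d} ({n} writes)")
    for p, c, a, b in hollowed_image_mismatch(ev, MEMORY_DUMPS):
        print(f"image base region: PID {p} {a // 1024}KB vs PID {c} {b // 1024}KB")
```

On this report the hollowing check yields the two pairs the SetThreadContext signature already flags (2336 -> 4560 and 3964 -> 3160), the host-injection check yields only WaterMark.exe PID 3160 writing into svchost.exe (9 writes) and iexplore.exe (2 writes), and both hollowed children map a 96KB region at 0x400000 where their parents map 356KB. The same parser applies unchanged to other reports in this row format; the write counts matter because the dropper-to-child edges (three writes each) are what a normal CreateProcess looks like in this sandbox, while eight or nine writes into one target are not.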
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UM8YFV59\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- C:\Windows\SysWOW64\rundll32Srv.exe
  Filesize: 69KB
  MD5: 3284b0d95ae1f80355da5e04e79a6be1
  SHA1: 642bbb026f238a4eed9931772869b637621d98c8
  SHA256: f2cf33052bb9ed658351e1ff0687d0602a1f619e0976cd45852d3eb109aacf60
  SHA512: 13712a19409818ecb66ecb2bb045a5800e4362f0ff0e9b2d158590fd501c35861ceae195f8171301ef6e72dd3b6f28184af31188836d92c171bfa6bedeb98547
Memory dumps (resource, Filesize):
- memory/688-36-0x0000000001260000-0x0000000001261000-memory.dmp  4KB
- memory/688-37-0x0000000001240000-0x0000000001241000-memory.dmp  4KB
- memory/1764-38-0x00000000623F0000-0x00000000624E1000-memory.dmp  964KB
- memory/1764-0-0x00000000623F0000-0x00000000624E1000-memory.dmp  964KB
- memory/2336-16-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
- memory/2336-6-0x00000000001C0000-0x00000000001C3000-memory.dmp  12KB
- memory/2336-4-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
- memory/3160-40-0x0000000077CD2000-0x0000000077CD3000-memory.dmp  4KB
- memory/3160-39-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/3160-32-0x0000000000530000-0x0000000000531000-memory.dmp  4KB
- memory/3160-33-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/3160-35-0x0000000077CD2000-0x0000000077CD3000-memory.dmp  4KB
- memory/3964-23-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
- memory/3964-31-0x0000000000400000-0x0000000000459000-memory.dmp  356KB
- memory/4560-15-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/4560-19-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/4560-14-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/4560-13-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/4560-9-0x0000000000400000-0x0000000000418000-memory.dmp  96KB