Analysis
-
max time kernel
134s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 05:09
Static task
static1
Behavioral task
behavioral1
Sample
860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe
-
Size
976KB
-
MD5
860ef4ee601e04cf718b803d396d2a73
-
SHA1
d727cc9b9e6f9eb61bf0570b40bfad24b5020967
-
SHA256
81d3c02b7213337dfb139caeaa1a297ecb8a9e752fc2fc92b3210b63dba4d2cc
-
SHA512
e149ebab0c4b65ac964a4a5e2b8800b9b59ba88d82f17b2d359e5f15c0c56bb3ef69fa0ff68b8f5883f019a055bc4ab6e0ef36009be368a676fffd7702e01493
-
SSDEEP
12288:aeqRBeM+sL8E4bLwpkfSftu3rlskpp2D/SMZoS2b7HoLP:aeWBME6LekaFu7lsGp2GMaIb
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2200 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe 464 DesktopLayer.exe -
resource yara_rule behavioral2/files/0x000900000002353a-3.dat upx behavioral2/memory/2960-25-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-29-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-51-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-55-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/464-52-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2960-61-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-59-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-57-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-49-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-47-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-45-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-43-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-41-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-39-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-35-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-33-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-31-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-27-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-23-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-21-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-18-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-17-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-16-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-14-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2960-37-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/464-12-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2960-19-0x0000000010000000-0x000000001003D000-memory.dmp upx behavioral2/memory/2200-10-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxDC95.tmp 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 1196 2960 WerFault.exe 89 2516 2960 WerFault.exe 89 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3538840373" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109912" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3538840373" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE65E145-1F0B-11EF-B8C0-FA71C8F1560D} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109912" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3544621754" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109912" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423897159" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe 464 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2416 iexplore.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 2416 iexplore.exe 2416 iexplore.exe 1812 IEXPLORE.EXE 1812 IEXPLORE.EXE 1812 IEXPLORE.EXE 1812 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2960 wrote to memory of 2200 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 90 PID 2960 wrote to memory of 2200 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 90 PID 2960 wrote to memory of 2200 2960 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe 90 PID 2200 wrote to memory of 464 2200 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe 91 PID 2200 wrote to memory of 464 2200 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe 91 PID 2200 wrote to memory of 464 2200 860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe 91 PID 464 wrote to memory of 2416 464 DesktopLayer.exe 92 PID 464 wrote to memory of 2416 464 DesktopLayer.exe 92 PID 2416 wrote to memory of 1812 2416 iexplore.exe 95 PID 2416 wrote to memory of 1812 2416 iexplore.exe 95 PID 2416 wrote to memory of 1812 2416 iexplore.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exeC:\Users\Admin\AppData\Local\Temp\860ef4ee601e04cf718b803d396d2a73_JaffaCakes118Srv.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1812
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 6442⤵
- Program crash
PID:1196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 6882⤵
- Program crash
PID:2516
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 29601⤵PID:3824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2960 -ip 29601⤵PID:4544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:81⤵PID:2044
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD53d6908c3ea7ced33d2696a9ef09f8961
SHA1a7d4321bbf04cb7335522cfee2cd36edc2d19c80
SHA256fc0c60c571c30a39ce618b280cdede4a1837d2be33dfe2a4a3413c92a731b6e5
SHA512071c3fa58a08000ad898384fef6e5fcdcd080ed52b084ec80d19e45f9fb5119557a1dfb42ebba2b22d1c971baa5a852c756c7526010b6b487f3239c8f0df4af1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD50edf7f6721a887258ba37c712d049b28
SHA137786aa5df1d8d9359c51db55897ac38f5433e68
SHA256c7d93f7d1729e4c00636a21edb2e323a2d47d1dbc404fde9e0202d4c77e9b8e8
SHA51260c672a31ce2249d66bde157ade4a297bd8272e132f3e692ea35de7f26eb743cc24a1ec7e4649704f662e3728558ed0620ce4349674b69751010253e2cf9e2b1
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a