Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 10-06-2024 23:01
Static task
static1
Behavioral task
behavioral1
Sample
9c3af1f3f6dfd7fe9a7661f9b0b6f965_JaffaCakes118.html
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9c3af1f3f6dfd7fe9a7661f9b0b6f965_JaffaCakes118.html
Resource
win10v2004-20240508-en
General
Target: 9c3af1f3f6dfd7fe9a7661f9b0b6f965_JaffaCakes118.html
Size: 189KB
MD5: 9c3af1f3f6dfd7fe9a7661f9b0b6f965
SHA1: d5906e321d966b4dc427fbb48dadd674861f59f3
SHA256: 0d75f9cf55f29a003fa99ee0b99ee20670e10dd790295aeb40dcc19771988100
SHA512: 1983d58c703f4337542ae8e8c9fc117364492c30b694977eef65ffed5a8f8b4408218e0ba1352e2411538fa632ebdaf07dfd22daf603ed8f4eef922da4b474fc
SSDEEP: 3072:CXTVhcyfkMY+BES09JXAnyrZalI+YqQoc3OSu:CXpnsMYod+X3oI+Yq1c3Ju
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2916 svchost.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 2616 IEXPLORE.EXE
- YARA rule matches
  Processes:
  resource: \Users\Admin\AppData\Local\Temp\svchost.exe  yara_rule: upx
  resource: behavioral1/memory/2916-6-0x0000000000400000-0x0000000000435000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2916-12-0x0000000000400000-0x0000000000435000-memory.dmp  yara_rule: upx
- Drops file in Program Files directory (3 IoCs)
  Processes:
  File opened for modification: C:\Program Files (x86)\Microsoft\px9A2D.tmp  (svchost.exe)
  File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (svchost.exe)
- Modifies Internet Explorer settings
  Processes:
  iexplore.exe, IEXPLORE.EXE (registry keys created and values set under \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 2916 svchost.exe
- Suspicious behavior: MapViewOfSection (23 IoCs)
  Processes: PID 2916 svchost.exe (23 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege  PID 2916 svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 2400 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: PID 2400 iexplore.exe (2 occurrences); PID 2616 IEXPLORE.EXE (4 occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID; identical rows collapsed, count in parentheses):
  2400 iexplore.exe -> 2616 IEXPLORE.EXE  (4)
  2616 IEXPLORE.EXE -> 2916 svchost.exe  (4)
  2916 svchost.exe -> 380 wininit.exe  (7)
  2916 svchost.exe -> 388 csrss.exe  (7)
  2916 svchost.exe -> 428 winlogon.exe  (7)
  2916 svchost.exe -> 472 services.exe  (7)
  2916 svchost.exe -> 488 lsass.exe  (7)
  2916 svchost.exe -> 496 lsm.exe  (7)
  2916 svchost.exe -> 596 svchost.exe  (7)
  2916 svchost.exe -> 672 svchost.exe  (7)
Processes (indentation shows parent/child depth)
- C:\Windows\system32\wininit.exe  (cmdline: wininit.exe)  PID:380
  - C:\Windows\system32\services.exe  (cmdline: C:\Windows\system32\services.exe)  PID:472
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch)  PID:596
      - C:\Windows\system32\DllHost.exe  (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:1788
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k RPCSS)  PID:672
    - C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)  PID:740
    - C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)  PID:808
      - C:\Windows\system32\Dwm.exe  (cmdline: "C:\Windows\system32\Dwm.exe")  PID:1088
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs)  PID:832
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService)  PID:964
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k NetworkService)  PID:112
    - C:\Windows\System32\spoolsv.exe  (cmdline: C:\Windows\System32\spoolsv.exe)  PID:1064
    - C:\Windows\system32\taskhost.exe  (cmdline: "taskhost.exe")  PID:1080
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)  PID:1140
    - C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)  PID:2116
    - C:\Windows\system32\sppsvc.exe  (cmdline: C:\Windows\system32\sppsvc.exe)  PID:2392
  - C:\Windows\system32\lsass.exe  (cmdline: C:\Windows\system32\lsass.exe)  PID:488
  - C:\Windows\system32\lsm.exe  (cmdline: C:\Windows\system32\lsm.exe)  PID:496
- C:\Windows\system32\csrss.exe  (cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:388
- C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)  PID:428
- C:\Windows\Explorer.EXE  (cmdline: C:\Windows\Explorer.EXE)  PID:1168
  - C:\Program Files\Internet Explorer\iexplore.exe  (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c3af1f3f6dfd7fe9a7661f9b0b6f965_JaffaCakes118.html)  PID:2400
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2)  PID:2616
      Signatures:
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\svchost.exe")  PID:2916
        Signatures:
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84KB
MD5: edecf326547a172812e19e959ae0a3ab
SHA1: 38d27b9faec6b872063e09b76a92489660c0d4a6
SHA256: e28a84dec39e994f7c1b7c53ae7b9e802be68492b31104ce71570d4ddd1082c2
SHA512: 5819edbd978cf4c507af924794a66631df858eb008f000f50123bc9eb7aa424ec898d6cbdbbf290d222f338f94935582bc06eaa62c189792555bbcc9f14ad4b3