Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 22:11

Static task: static1

Behavioral task: behavioral1
- Sample: abb237ad8572d278c577aa7fda55331e_JaffaCakes118.html
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: abb237ad8572d278c577aa7fda55331e_JaffaCakes118.html
- Resource: win10v2004-20240226-en
General
- Target: abb237ad8572d278c577aa7fda55331e_JaffaCakes118.html
- Size: 189KB
- MD5: abb237ad8572d278c577aa7fda55331e
- SHA1: 664d5403fa429d90aa080f4c67ad952d2d40838a
- SHA256: 70bd81ef6a0d0a753b35cda4b6eab3de34c4a7080c4d6ea47e51af24777da25d
- SHA512: 56fa0bc8d0fc1f2c7cb0aecfa45d1f08cdb4794d041aee427ff1e6c9b20c753471b4a3f73a4cae3ae71426dc0cc057040db3397e442addaf7b1cc0bae1c451b0
- SSDEEP: 3072:GyfkMY+BES09JXAnyrZalI+Y6XXI6EyA8:DsMYod+X3oI+YS1tA8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2660  svchost.exe
- Loads dropped DLL (1 IoC)
  pid 2288  IEXPLORE.EXE
- YARA rule matches (upx)
  resource C:\Users\Admin\AppData\Local\Temp\svchost.exe  yara_rule upx
  resource behavioral1/memory/2660-6-0x0000000000400000-0x0000000000436000-memory.dmp  yara_rule upx
  resource behavioral1/memory/2660-10-0x0000000000400000-0x0000000000436000-memory.dmp  yara_rule upx
- Drops file in Program Files directory (3 IoCs)
  File opened for modification  C:\Program Files (x86)\Microsoft\px2166.tmp  svchost.exe
  File created  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
- Modifies Internet Explorer settings
  Registry keys created and values set by iexplore.exe and IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2660  svchost.exe
- Suspicious behavior: MapViewOfSection (23 IoCs)
  pid 2660  svchost.exe (23 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2660  svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2064  iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2064  iexplore.exe (2 entries)
  pid 2288  IEXPLORE.EXE (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2064 iexplore.exe wrote to memory of 2288 IEXPLORE.EXE (4 entries)
  PID 2288 IEXPLORE.EXE wrote to memory of 2660 svchost.exe (4 entries)
  PID 2660 svchost.exe wrote to memory of 384 wininit.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 392 csrss.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 432 winlogon.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 476 services.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 492 lsass.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 500 lsm.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 596 svchost.exe (7 entries)
  PID 2660 svchost.exe wrote to memory of 676 svchost.exe (7 entries)
Processes (indented by parent/child; image path in brackets where the command line does not contain it)
- wininit.exe  [C:\Windows\system32\wininit.exe]
  - C:\Windows\system32\services.exe
    - C:\Windows\system32\svchost.exe -k DcomLaunch
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    - C:\Windows\system32\svchost.exe -k RPCSS
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - "C:\Windows\system32\Dwm.exe"
    - C:\Windows\system32\svchost.exe -k netsvcs
    - C:\Windows\system32\svchost.exe -k LocalService
    - C:\Windows\system32\svchost.exe -k NetworkService
    - C:\Windows\System32\spoolsv.exe
    - "taskhost.exe"  [C:\Windows\system32\taskhost.exe]
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\lsass.exe
  - C:\Windows\system32\lsm.exe
- %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  [C:\Windows\system32\csrss.exe]
- winlogon.exe  [C:\Windows\system32\winlogon.exe]
- C:\Windows\Explorer.EXE
  - "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\abb237ad8572d278c577aa7fda55331e_JaffaCakes118.html
    signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2
      signatures: Loads dropped DLL; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 84KB
  MD5: df455f0fa8fb3fa4e6699ad57ef54db6
  SHA1: 51a06248c251d614d3a81ac9d842ba807204d17c
  SHA256: 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
  SHA512: f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6
- memory/2660-6-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/2660-10-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB