Analysis
-
max time kernel
81s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-06-2024 23:00
Static task
static1
Behavioral task
behavioral1
Sample
0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
-
Size
166KB
-
MD5
0fd88cfe1f9c64397fbea129ab06660a
-
SHA1
681b659890e12af234e38b2e5bb30683bc47218b
-
SHA256
15b77509dd9a565a94678c590ff9c451df621f8f7ca4ec36534f010c49849665
-
SHA512
6c729ca31867e08f5c2450cc84e1bea271109048dbf923ba4bd1ebdd6a3d2250e96952e8fb2e07278b64c49b6a1e329297d0880ca65d2fe9a2dd12719593776b
-
SSDEEP
1536:WNpbWTono2PF9yJH9KBjH7ZoSQoL+Qz6AxAvf/PqhXnzyP5xC1VXfbJpeU4KyQ5V:PdKFOoL16AOHHCRQU4S5GBWVLn
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1184 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe 3812 WaterMark.exe -
resource yara_rule behavioral2/memory/1184-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-16-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/1184-9-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3812-30-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3812-25-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/3812-40-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px4FC6.tmp 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2480 4092 WerFault.exe 83 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3922B52-3346-11EF-BCA5-6E6D447F5FDC} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425518301" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3948DFE-3346-11EF-BCA5-6E6D447F5FDC} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe 3812 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3812 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1524 iexplore.exe 4968 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4968 iexplore.exe 4968 iexplore.exe 1524 iexplore.exe 1524 iexplore.exe 1840 IEXPLORE.EXE 1840 IEXPLORE.EXE 1392 IEXPLORE.EXE 1392 IEXPLORE.EXE 1840 IEXPLORE.EXE 1840 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1184 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe 3812 WaterMark.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 756 wrote to memory of 1184 756 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe 81 PID 756 wrote to memory of 1184 756 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe 81 PID 756 wrote to memory of 1184 756 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe 81 PID 1184 wrote to memory of 3812 1184 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe 82 PID 1184 wrote to memory of 3812 1184 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe 82 PID 1184 wrote to memory of 3812 1184 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe 82 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4092 3812 WaterMark.exe 83 PID 3812 wrote to memory of 4968 3812 WaterMark.exe 87 PID 3812 wrote to memory of 4968 3812 WaterMark.exe 87 PID 3812 wrote to memory of 1524 3812 WaterMark.exe 88 PID 3812 wrote to memory of 1524 3812 WaterMark.exe 88 PID 1524 wrote to memory of 1840 1524 iexplore.exe 89 PID 1524 wrote to memory of 1840 1524 iexplore.exe 89 PID 1524 wrote to memory of 1840 1524 iexplore.exe 89 PID 4968 wrote to memory of 1392 4968 iexplore.exe 90 PID 4968 wrote to memory of 1392 4968 iexplore.exe 90 PID 4968 wrote to memory of 1392 4968 iexplore.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:4092
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2045⤵
- Program crash
PID:2480
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4968 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1392
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1840
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 40921⤵PID:916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3922B52-3346-11EF-BCA5-6E6D447F5FDC}.dat
Filesize3KB
MD5f894a8c35e9d0c0457edb2c3b790914a
SHA15cbbf02e1ade749336b572a9bc9411008393fed9
SHA256c9cd1e6ee66b51661710d93b6cef3b496e681c1f1fa8e28139ef6dd9d18301c8
SHA512a4349da65b233b3e116915e2d694df212d3ebd3a6ce0c75059fbe702b2a990ff4ec6b74bffc88160ba7b2a4d187506641fc7f8bf517f65a63c28d370fdba9e9c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3948DFE-3346-11EF-BCA5-6E6D447F5FDC}.dat
Filesize5KB
MD5d74778961790dcad4b1b08bcd92d8c04
SHA146d2c52a6f465ed1ae7c95207776462d9ca76006
SHA2568adcaa8253624a3f24f9d7c585ac3a4297f3399bdce9280c2b8ffeb5ad68046b
SHA5127e5a3ddb12074c4c14894b0c12e11f3ea8e5c76d4ccfbb8126e1cbb55d6707c9b742f39fcce1b150bb818699599161246d4355d080e245b3eaa155a0d2657dd6
-
Filesize
96KB
MD58c51fd9d6daa7b6137634de19a49452c
SHA1db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837