Analysis
-
max time kernel
81s -
max time network
91s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-06-2024 23:33
Static task
static1
Behavioral task
behavioral1
Sample
0ff09f374cdab927fcb1745237943c6d_JaffaCakes118.dll
Resource
win7-20240508-en
General
-
Target
0ff09f374cdab927fcb1745237943c6d_JaffaCakes118.dll
-
Size
104KB
-
MD5
0ff09f374cdab927fcb1745237943c6d
-
SHA1
e545ba440733088b12f7d62273e7b2e82ba3f8af
-
SHA256
f83ceacc2db5a00a91af105fa593e483d251106117f63f8a517f06a4ad229f9e
-
SHA512
395fb095bc76e614abb4ced8851b5287e36d4c583639bd20d6b52fe6b76cc5a6f063660acd4b87be34b86bd0ca4d71d4bc5e7cdae409a6f50e510e6dfaef5458
-
SSDEEP
1536:EFb/gIdEvnFbOaE/CCVD2DophGdE45fIJLYOMvedtYYBhp1:EFVd8nllE/CEp149IGNedtY6p1
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2176 rundll32mgr.exe 2332 WaterMark.exe -
resource yara_rule behavioral2/memory/2176-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2332-25-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2332-29-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2176-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/2332-36-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px4EBC.tmp rundll32mgr.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 2568 2376 WerFault.exe 80 3868 4956 WerFault.exe 84 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6488D726-334B-11EF-BA70-F6C903454AA3} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520316" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{648674EB-334B-11EF-BA70-F6C903454AA3} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe 2332 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2332 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4196 iexplore.exe 3984 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4196 iexplore.exe 4196 iexplore.exe 3984 iexplore.exe 3984 iexplore.exe 960 IEXPLORE.EXE 960 IEXPLORE.EXE 2232 IEXPLORE.EXE 2232 IEXPLORE.EXE 960 IEXPLORE.EXE 960 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2176 rundll32mgr.exe 2332 WaterMark.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1696 wrote to memory of 2376 1696 rundll32.exe 80 PID 1696 wrote to memory of 2376 1696 rundll32.exe 80 PID 1696 wrote to memory of 2376 1696 rundll32.exe 80 PID 2376 wrote to memory of 2176 2376 rundll32.exe 81 PID 2376 wrote to memory of 2176 2376 rundll32.exe 81 PID 2376 wrote to memory of 2176 2376 rundll32.exe 81 PID 2176 wrote to memory of 2332 2176 rundll32mgr.exe 83 PID 2176 wrote to memory of 2332 2176 rundll32mgr.exe 83 PID 2176 wrote to memory of 2332 2176 rundll32mgr.exe 83 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 4956 2332 WaterMark.exe 84 PID 2332 wrote to memory of 3984 2332 WaterMark.exe 89 PID 2332 wrote to memory of 3984 2332 WaterMark.exe 89 PID 2332 wrote to memory of 4196 2332 WaterMark.exe 90 PID 2332 wrote to memory of 4196 2332 WaterMark.exe 90 PID 4196 wrote to memory of 960 4196 iexplore.exe 91 PID 4196 wrote to memory of 960 4196 iexplore.exe 91 PID 4196 wrote to memory of 960 4196 iexplore.exe 91 PID 3984 wrote to memory of 2232 3984 iexplore.exe 92 PID 3984 wrote to memory of 2232 3984 iexplore.exe 92 PID 3984 wrote to memory of 2232 3984 iexplore.exe 92
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff09f374cdab927fcb1745237943c6d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ff09f374cdab927fcb1745237943c6d_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:4956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 2046⤵
- Program crash
PID:3868
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3984 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2232
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4196 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:960
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 6083⤵
- Program crash
PID:2568
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4956 -ip 49561⤵PID:2236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 23761⤵PID:760
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{648674EB-334B-11EF-BA70-F6C903454AA3}.dat
Filesize3KB
MD5c7b2e0699b6c63cc862eb5b4442bfae5
SHA11ef4d95f89d742c03d99963a97c9179f7f6e77ea
SHA2563b9f9f1e72c2fffb5b0774f07e797ec6485bf2c62b0f29d39d911c9310b89b5d
SHA512d25cdbebd5b1cb9d595cd11491c781f2828a605373150990785cc8e23a7939e24ff9ff9105fabdb9dd7eb590f0bdd4f726ea6ecfd50949d37ea2618e170fd6c8
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6488D726-334B-11EF-BA70-F6C903454AA3}.dat
Filesize5KB
MD575ec7e6b412a4fc178d4958b17b5902d
SHA1b03b96b35f00169f1ee1a57910773347ffb49a57
SHA25624494f4610ea8e9197b21583c11c1318b88ef20296863e8aa8b5e24b78cba9c5
SHA51221b710270b7c6e26821c63232dfc0aa97ee008540535eeab2d593e8d1df1be85471b3f8ec9430113d9b14475cc966203df36e777a39eb305e961cf872c825aa3
-
Filesize
59KB
MD50e0f0ae845d89c22bb6385f64a6b85fd
SHA10f3f1e7f18ab81572c5ce938d3880d4a5d7100ac
SHA2565a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd
SHA512baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350