Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2024 23:41

Static task: static1
Behavioral task: behavioral1
Sample: 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
Resource: win7-20240221-en
General
- Target: 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
- Size: 166KB
- MD5: 0ff5c0c167cabc1fa9c1a27273a0df18
- SHA1: 55a6b059fe16fb37a0771cbec3ef4e0644082c8a
- SHA256: cce1caa13d3448164cbc79a53e95d712b92a306c9390d5125b3ce37c16a2ac36
- SHA512: 87eb385486f04c7f7772f6e8043b97cfff9ec3f1766fa756fa002c8e27a81e085cbf8d07df64a87e98c84747c4547131a21c27ef3e687d2170822669eb5fcba8
- SSDEEP: 1536:+5lTUKCYmCgV5bT/2d1QYesG+sxFm2mEgW+YBOYYtV/rerTN:wTU56gVxj27NeUuFm1byOYUNqd
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  - pid 756, regsvr32mgr.exe
  - pid 4888, WaterMark.exe

- yara_rule upx matches (10 IoCs; resource / yara_rule)
  - behavioral2/memory/756-6-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-7-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-11-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-10-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-8-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-9-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/756-14-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/4888-28-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/4888-26-0x0000000000400000-0x0000000000421000-memory.dmp, upx
  - behavioral2/memory/4888-36-0x0000000000400000-0x0000000000421000-memory.dmp, upx

- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\regsvr32mgr.exe (regsvr32.exe)

- Drops file in Program Files directory (3 IoCs)
  - File opened for modification: C:\Program Files (x86)\Microsoft\px41CC.tmp (regsvr32mgr.exe)
  - File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (regsvr32mgr.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (regsvr32mgr.exe)

- Program crash (1 IoC)
  - pid 208, pid_target 1248, WerFault.exe, procid_target 84

- Modifies Internet Explorer settings (16 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425520779" (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{78952190-334C-11EF-BA70-FA71C8F1560D} = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  - pid 4888, WaterMark.exe (the same entry is reported 16 times)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, pid 4888, WaterMark.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  - pid 2140, iexplore.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  - pid 2140, iexplore.exe (2 entries)
  - pid 1392, IEXPLORE.EXE (4 entries)

- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 756, regsvr32mgr.exe
  - pid 4888, WaterMark.exe

- Suspicious use of WriteProcessMemory (25 IoCs; identical entries grouped, count in parentheses)
  - PID 1520 wrote to memory of 4612, regsvr32.exe, procid_target 81 (3)
  - PID 4612 wrote to memory of 756, regsvr32.exe, procid_target 82 (3)
  - PID 756 wrote to memory of 4888, regsvr32mgr.exe, procid_target 83 (3)
  - PID 4888 wrote to memory of 1248, WaterMark.exe, procid_target 84 (9)
  - PID 4888 wrote to memory of 2140, WaterMark.exe, procid_target 88 (2)
  - PID 4888 wrote to memory of 2664, WaterMark.exe, procid_target 89 (2)
  - PID 2140 wrote to memory of 1392, iexplore.exe, procid_target 90 (3)
Processes (process tree; indentation shows parent/child depth)

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
  PID: 1520
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
    PID: 4612
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32mgr.exe
      Command line: C:\Windows\SysWOW64\regsvr32mgr.exe
      PID: 756
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 4888
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 1248
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 204
            PID: 208
            - Program crash
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2140
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:17410 /prefetch:2
            PID: 1392
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2664
          - Modifies Internet Explorer settings
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1248 -ip 1248
  PID: 1016
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
- MD5: 8c51fd9d6daa7b6137634de19a49452c
- SHA1: db2a11cca434bacad2bf42adeecae38e99cf64f8
- SHA256: 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
- SHA512: b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837