Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 00:17
Static task: static1
Behavioral task: behavioral1
Sample: 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
Size: 95KB
MD5: 100f36a7d29d60a09c7a517a9611bb10
SHA1: bff8809dba549f5843d2abf080afe6382e5eff7d
SHA256: b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
SHA512: d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c
SSDEEP: 768:v06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:VR0vxn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
Executes dropped EXE (1 IoCs)
- PID 2712 WaterMark.exe
Loads dropped DLL (2 IoCs)
- PID 2440 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
- PID 2440 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses (37 IoCs)
- PID 2712 WaterMark.exe (repeated entries)
- PID 2540 svchost.exe (repeated entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2712 WaterMark.exe
- Token: SeDebugPrivilege, PID 2540 svchost.exe
- Token: SeDebugPrivilege, PID 2712 WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
- PID 2440 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
- PID 2712 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs; each pair below appears several times in the raw list)
- PID 2440 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe wrote to memory of 2712 (procid_target 28)
- PID 2712 WaterMark.exe wrote to memory of 1416 (procid_target 29)
- PID 2712 WaterMark.exe wrote to memory of 2540 (procid_target 30)
- PID 2540 svchost.exe wrote to memory of 256 (procid_target 1)
- PID 2540 svchost.exe wrote to memory of 332 (procid_target 2)
- PID 2540 svchost.exe wrote to memory of 384 (procid_target 3)
- PID 2540 svchost.exe wrote to memory of 392 (procid_target 4)
- PID 2540 svchost.exe wrote to memory of 432 (procid_target 5)
- PID 2540 svchost.exe wrote to memory of 476 (procid_target 6)
- PID 2540 svchost.exe wrote to memory of 492 (procid_target 7)
- PID 2540 svchost.exe wrote to memory of 500 (procid_target 8)
Processes (image path, command line, PID; indentation shows parent/child)
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:256
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:332
- C:\Windows\system32\wininit.exe | wininit.exe | PID:384
  - C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:476
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:600
      - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1528
      - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID:2004
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:680
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:752
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:816
      - C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1164
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:844
      - C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2480
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:964
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:108
    - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1020
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1064
    - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1108
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:1536
    - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:2412
  - C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:492
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:500
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:392
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:432
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1228
  - C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe" | PID:2440
    Signatures: Loads dropped DLL; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:2712
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:1416
        Signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:2540
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 95KB
MD5: 100f36a7d29d60a09c7a517a9611bb10
SHA1: bff8809dba549f5843d2abf080afe6382e5eff7d
SHA256: b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
SHA512: d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 204KB
MD5: 55cfc58d18a6166f8f1c141903b32656
SHA1: 246640bf0650c0a6b6d174980d02a6514e4d034f
SHA256: 75bcc61065230cbaa369a20371240e933923eafaeb391d8cfa10b29fcd7fa5a6
SHA512: b40f01fefc4e1bc6c579f869312ea5813a07f341057df38796f1a5e37215c0be8ec67aeca80f748c3ffd7dc76bfa59f15538cecd78ffc3b22e8efc28fa4cd6ee

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 200KB
MD5: 56ffcef1fe4f30d61c7ab0aad61eabf4
SHA1: 3575efe1f68f26c4030e62778ca9f3d11f521cf1
SHA256: 3647fed7d3fcdbeec01c28b4382157e7375835c3658e7ae622d3a0da65834131
SHA512: 12eba173ddc8357e3b5b423d2912f77f0f619d2842c1e833a76e0c16099c67890fda30b03d64b450275e5ac3fa5531459b438472dc816d843fc6efc803009e4e