Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 00:17
Static task
static1
Behavioral task
behavioral1
Sample
100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe
-
Size
95KB
-
MD5
100f36a7d29d60a09c7a517a9611bb10
-
SHA1
bff8809dba549f5843d2abf080afe6382e5eff7d
-
SHA256
b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
-
SHA512
d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c
-
SSDEEP
768:v06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:VR0vxn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3608 WaterMark.exe -
resource yara_rule behavioral2/memory/3128-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-4-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3608-25-0x0000000000400000-0x0000000000433000-memory.dmp upx behavioral2/memory/3608-30-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3608-24-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3608-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3128-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3608-35-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px465F.tmp 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4560 972 WerFault.exe 81 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795FE5E9-3351-11EF-BCA5-56103091DE06} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425522928" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795D8455-3351-11EF-BCA5-56103091DE06} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe 3608 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3608 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4808 iexplore.exe 4624 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4808 iexplore.exe 4808 iexplore.exe 4624 iexplore.exe 4624 iexplore.exe 1420 IEXPLORE.EXE 1420 IEXPLORE.EXE 2112 IEXPLORE.EXE 2112 IEXPLORE.EXE 1420 IEXPLORE.EXE 1420 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3128 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe 3608 WaterMark.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3128 wrote to memory of 3608 3128 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe 80 PID 3128 wrote to memory of 3608 3128 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe 80 PID 3128 wrote to memory of 3608 3128 100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe 80 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 972 3608 WaterMark.exe 81 PID 3608 wrote to memory of 4624 3608 WaterMark.exe 85 PID 3608 wrote to memory of 4624 3608 WaterMark.exe 85 PID 3608 wrote to memory of 4808 3608 WaterMark.exe 86 PID 3608 wrote to memory of 4808 3608 WaterMark.exe 86 PID 4624 wrote to memory of 2112 4624 iexplore.exe 88 PID 4624 wrote to memory of 2112 4624 iexplore.exe 88 PID 4624 wrote to memory of 2112 4624 iexplore.exe 88 PID 4808 wrote to memory of 1420 4808 iexplore.exe 87 PID 4808 wrote to memory of 1420 4808 iexplore.exe 87 PID 4808 wrote to memory of 1420 4808 iexplore.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\100f36a7d29d60a09c7a517a9611bb10_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵PID:972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 2044⤵
- Program crash
PID:4560
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4624 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4808 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1420
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 972 -ip 9721⤵PID:4776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5100f36a7d29d60a09c7a517a9611bb10
SHA1bff8809dba549f5843d2abf080afe6382e5eff7d
SHA256b0dc77c71f44e23480c3293493e9d5de9da43de6fec80c67db6f69ccc7fe4ddf
SHA512d1ed88778f6d91e6fdfba007cca83291fb96a7c3255350a2d28797a5e307e7008b067f0405fdd60dc6cb021e96b04f7d55258f62dbdd5dbfc2043140db34e98c
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{795D8455-3351-11EF-BCA5-56103091DE06}.dat
Filesize3KB
MD59becd12ab477ae2987a6426397f09380
SHA1aa899889d66fdde6bac8ab45ad0c2c34ccea8b3d
SHA256ad056ff06825728b1aad8ba18b0bda8301f92ce1d5d0b0d09d6e37e660eb0c1e
SHA512a3b156e5a31809d787b6ea98645f0dcc93af94863f053d687a28162169451ad1af0a6d7642ed8472519232fb193da1d50189439239989f8f772e8c7a743d3691
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{795FE5E9-3351-11EF-BCA5-56103091DE06}.dat
Filesize5KB
MD5269a27d080c734bdacc30835a7dee18a
SHA1cfa614f59b8061a1148368f5971096a7c1dae86f
SHA256d5e3f0d64094980acf1dc6d52a2e11e108bb412c55da8b1979be683fa1ebcb6f
SHA512d5f877c434da051333c62da715fe4c6e30f50c2b544482ff4ccf9d549b67824f22b281264bac3952f0d4322b865b5df04fc76a8f0a7db5c5420b061378ef8189