Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 01:53
Static task: static1
Behavioral task: behavioral1
Sample: 105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll
Resource: win7-20240508-en
General
Target: 105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll
Size: 532KB
MD5: 105471cd9d4eb09ec42bac2b0290f889
SHA1: eb25bc1ab8a97b3a2b4272938a009fef7de51c05
SHA256: 7e08634dac987ef53fb2fc692f6788221bde14b3b48cf28650539b0c24c89c41
SHA512: 32be63e092fc98dd035e385527b084ad49ddc1847e6208ceda8db4bcd19e4bee9b2b781b96c60ca85ff5ca50e14a8dcd7a9da86f654ebf3c56ce5cc4152c8658
SSDEEP: 6144:0ZLT3A5Dp0HvFIc5vBlcQGSgS62iiiiiSySYSGS+8c8c8AAANA/AA0fMGrgPhclc:0ZL7A5l0711g8onrOcWAqVvv/JYeiJI
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   Process
3856  rundll32mgr.exe
1896  WaterMark.exe

resource                                                                       yara_rule
behavioral2/memory/3856-9-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/3856-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/3856-10-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/3856-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/3856-8-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/3856-7-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/3856-6-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/1896-27-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1896-30-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1896-39-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/1896-41-0x0000000000400000-0x0000000000421000-memory.dmp   upx
Drops file in System32 directory 1 IoCs
description   ioc                                  Process
File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
Drops file in Program Files directory 3 IoCs
description                   ioc                                                Process
File opened for modification  C:\Program Files (x86)\Microsoft\px4527.tmp        rundll32mgr.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe     rundll32mgr.exe
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe     rundll32mgr.exe
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4900  1920        WerFault.exe  80
4092  3500        WerFault.exe  85
Modifies Internet Explorer settings
description       ioc                                                                                                                                              Process
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                   iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                          iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main                                            iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E21B62A3-335E-11EF-BA70-4A6FEDA150B9} = "0"  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                              iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main                                            IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                            iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E21DC531-335E-11EF-BA70-4A6FEDA150B9} = "0"  iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"      iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                   iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                        iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"      iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion                                iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                            iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                        iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"      iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"      iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main                                            iexplore.exe
Set value (int)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425528687"   iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   iexplore.exe
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main                                            IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU                                             IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                              iexplore.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                          iexplore.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid   Process
1896  WaterMark.exe  (16 identical rows)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1896  WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
3544  iexplore.exe
996   iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
996   iexplore.exe
996   iexplore.exe
3544  iexplore.exe
3544  iexplore.exe
2120  IEXPLORE.EXE
2120  IEXPLORE.EXE
540   IEXPLORE.EXE
540   IEXPLORE.EXE
2120  IEXPLORE.EXE
2120  IEXPLORE.EXE
Suspicious use of UnmapMainImage 2 IoCs
pid   Process
3856  rundll32mgr.exe
1896  WaterMark.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process          procid_target
PID 4480 wrote to memory of 1920   4480  rundll32.exe     80
PID 4480 wrote to memory of 1920   4480  rundll32.exe     80
PID 4480 wrote to memory of 1920   4480  rundll32.exe     80
PID 1920 wrote to memory of 3856   1920  rundll32.exe     81
PID 1920 wrote to memory of 3856   1920  rundll32.exe     81
PID 1920 wrote to memory of 3856   1920  rundll32.exe     81
PID 3856 wrote to memory of 1896   3856  rundll32mgr.exe  83
PID 3856 wrote to memory of 1896   3856  rundll32mgr.exe  83
PID 3856 wrote to memory of 1896   3856  rundll32mgr.exe  83
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3500   1896  WaterMark.exe    85
PID 1896 wrote to memory of 3544   1896  WaterMark.exe    89
PID 1896 wrote to memory of 3544   1896  WaterMark.exe    89
PID 1896 wrote to memory of 996    1896  WaterMark.exe    90
PID 1896 wrote to memory of 996    1896  WaterMark.exe    90
PID 3544 wrote to memory of 2120   3544  iexplore.exe     91
PID 3544 wrote to memory of 2120   3544  iexplore.exe     91
PID 3544 wrote to memory of 2120   3544  iexplore.exe     91
PID 996 wrote to memory of 540     996   iexplore.exe     92
PID 996 wrote to memory of 540     996   iexplore.exe     92
PID 996 wrote to memory of 540     996   iexplore.exe     92
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, the command line, the signatures hit and the PID)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:4480

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1920

    C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID:3856

      C:\Program Files (x86)\Microsoft\WaterMark.exe
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID:1896

        C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          PID:3500

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 204
            - Program crash
            PID:4092

        C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:3544

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3544 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID:2120

        C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:996

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID:540

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 612
      - Program crash
      PID:4900

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
  PID:1148

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3500 -ip 3500
  PID:1836
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E21B62A3-335E-11EF-BA70-4A6FEDA150B9}.dat
Filesize: 5KB
MD5: 591af6151bb0829176f8edec4fb399d9
SHA1: 38152118fca1142ec28ae692fe279f58ac049fa7
SHA256: dda11e48e6cb25213bc94b0538ee4957b20ccbc9f5dd853614df416cba277733
SHA512: 67160915a087f6e2a368c321b9992546cc6796a2dd7b5794df6b42b80e96902af8dd5adfd831ff75a3685d47061caa4aa83a1cdf8f73bf5192a1075d31665fe3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E21DC531-335E-11EF-BA70-4A6FEDA150B9}.dat
Filesize: 3KB
MD5: e34e82adaf08e2ee4ec44c42b8fe5f48
SHA1: b8c92a7c810a7e4f70c6dac2d59669959b6b66a0
SHA256: 3a659f8decef1fb10207fa3cd9cfd87d723e46119125b59210055935fee9a123
SHA512: a3b85bcfa9716bba14afd6e8cf8d9f2153492b82f354ee61a97d9d217f024d5e148cfeaec5affef8d8ac989a0e8c0bf20420b5c815f1898cea9dc20026dac4da

Filesize: 60KB
MD5: c27dc77f49f2be740e3bf1b64387882e
SHA1: 82f4ce73d55f46e1ecccbf406f9420364a82872f
SHA256: a0bac67a54681dcc7ec8204eb959a540356568b06b1a03cec6ec42ed6e9f1715
SHA512: 14880de329428973dbcc2c726fee09dcc3666ab7aab69e32864577e01216ca8a58ac901d261ad1a84e0d3d6926c328b53d92beb695cc3dd1d6f453a5d853314e