Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll
-
Size
138KB
-
MD5
10686f63d7d573fc32ea32515050610c
-
SHA1
96d4016d1c24e48871262067023195f2258e3fb1
-
SHA256
4c94988ce5410f5fa622242b0c939946ef3d30ad72f5fa5b1fb0fb2d8f2a6e6b
-
SHA512
291b3df439b1866608be3893b13f622a4b19f21de1794e8eb6642dda0b791b82c0494d428b6aa6fe2414195c6e875e59e406bbbad724ed38783384cf46f69d99
-
SSDEEP
3072:lRB6igBt/cwP9aAnI0wtFEQLOiib3wEzR4rUjS:DXgBlVpnuIwSRq
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 798kOP3 -
Executes dropped EXE 2 IoCs
pid Process 1544 798kOP3 1364 rekdojcrsytlhvaw.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\LogFiles\Cluster\10686f63d7d573fc32ea32515050610c_JaffaCakes118.log rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3480 3940 WerFault.exe 83 1900 4088 WerFault.exe 90 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{256ECB56-3363-11EF-BCA5-5ABC67A14C95} = "0" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425530506" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeSecurityPrivilege 1544 798kOP3 Token: SeDebugPrivilege 1544 798kOP3 Token: SeSecurityPrivilege 1364 rekdojcrsytlhvaw.exe Token: SeLoadDriverPrivilege 1364 rekdojcrsytlhvaw.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4704 IEXPLORE.EXE 4704 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4704 IEXPLORE.EXE 4704 IEXPLORE.EXE 1772 IEXPLORE.EXE 1772 IEXPLORE.EXE 1772 IEXPLORE.EXE 1772 IEXPLORE.EXE 4704 IEXPLORE.EXE 4704 IEXPLORE.EXE 4792 IEXPLORE.EXE 4792 IEXPLORE.EXE 4792 IEXPLORE.EXE 4792 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 4228 wrote to memory of 4608 4228 rundll32.exe 81 PID 4228 wrote to memory of 4608 4228 rundll32.exe 81 PID 4228 wrote to memory of 4608 4228 rundll32.exe 81 PID 4608 wrote to memory of 1544 4608 rundll32.exe 82 PID 4608 wrote to memory of 1544 4608 rundll32.exe 82 PID 4608 wrote to memory of 1544 4608 rundll32.exe 82 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3940 1544 798kOP3 83 PID 1544 wrote to memory of 3352 1544 798kOP3 87 PID 1544 wrote to memory of 3352 1544 798kOP3 87 PID 1544 wrote to memory of 3352 1544 798kOP3 87 PID 3352 wrote to memory of 4704 3352 iexplore.exe 88 PID 3352 wrote to memory of 4704 3352 iexplore.exe 88 PID 4704 wrote to memory of 1772 4704 IEXPLORE.EXE 89 PID 4704 wrote to memory of 1772 4704 IEXPLORE.EXE 89 PID 4704 wrote to memory of 1772 4704 IEXPLORE.EXE 89 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 4088 1544 798kOP3 90 PID 1544 wrote to memory of 2808 1544 798kOP3 95 PID 1544 wrote to memory of 2808 1544 798kOP3 95 PID 1544 wrote to memory of 2808 1544 798kOP3 95 PID 2808 wrote to memory of 4040 2808 iexplore.exe 96 PID 2808 wrote to memory of 4040 2808 iexplore.exe 96 PID 4704 wrote to memory of 4792 4704 IEXPLORE.EXE 97 PID 4704 wrote to memory of 4792 4704 IEXPLORE.EXE 97 PID 4704 wrote to memory of 4792 4704 IEXPLORE.EXE 97 PID 1544 wrote to memory of 1364 1544 798kOP3 100 PID 1544 wrote to memory of 1364 1544 798kOP3 100 PID 1544 wrote to memory of 1364 1544 798kOP3 100
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10686f63d7d573fc32ea32515050610c_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\798kOP3"798kOP3"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:3940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1965⤵
- Program crash
PID:3480
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1772
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17416 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4792
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:4088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 2085⤵
- Program crash
PID:1900
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"5⤵
- Modifies Internet Explorer settings
PID:4040
-
-
-
C:\Users\Admin\AppData\Local\Temp\rekdojcrsytlhvaw.exe"C:\Users\Admin\AppData\Local\Temp\rekdojcrsytlhvaw.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 39401⤵PID:848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4088 -ip 40881⤵PID:3440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD547a8ed36d375f91a1b750411d92ead7f
SHA1b46c4f789f25a704169a21b4b7e4d4ecdda62a5d
SHA2567e1f885a67c2b64aa4549a564f1008f4e96f1a2cd351cd62b6d2b44a8dd03626
SHA512c3f43e560d3b499ab3d0444cfc21a18eb0451aff7466760c0719feadeb4d47445af13968b108cd89fc36e619b9297240075f5a1eec6f6319a88c589a4bc872f7