Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 02:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 106bc9c7056d9b34b276292cd4304863_JaffaCakes118.dll
  - Resource: win7-20240221-en

General
- Target: 106bc9c7056d9b34b276292cd4304863_JaffaCakes118.dll
- Size: 166KB
- MD5: 106bc9c7056d9b34b276292cd4304863
- SHA1: cf970a1c94e04efaa250b0e870d223d53c6cdb17
- SHA256: 186fff28e57c20fe7dc492dd70cfc2afa683c2eae5d80c5a5d7dde1f78685015
- SHA512: 25f41bff5de05763010e6a6d33f9d3ec9c3dd3547e25635873fee79f0c1da1fff4fc474a9bb073a65292494f7c383ce99396d5324b220f6a4cc544d79044de10
- SSDEEP: 1536:f5lTUKCYmCgV5bT/2d1QYePvaLj30b9KVv6q7pbhD3fdaAsU3wNBz0KXs:TTU56gVxj27NePy330wN6qb3MAxwgK8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
Executes dropped EXE (2 IoCs)
- PID 2888: regsvr32mgr.exe
- PID 2620: WaterMark.exe
Loads dropped DLL (4 IoCs)
- PID 3000: regsvr32.exe
- PID 3000: regsvr32.exe
- PID 2888: regsvr32mgr.exe
- PID 2888: regsvr32mgr.exe
Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\regsvr32mgr.exe (process: regsvr32.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
Drops file in Program Files directory (64 IoCs)
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2620 WaterMark.exe
- Token: SeDebugPrivilege, PID 640 svchost.exe
- Token: SeDebugPrivilege, PID 2620 WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
- PID 2888: regsvr32mgr.exe
- PID 2620: WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree indented by parent; each entry lists PID, image path, command line and any signatures triggered in that process)

- PID 260: C:\Windows\System32\smss.exe (cmdline: \SystemRoot\System32\smss.exe)
- PID 340: C:\Windows\system32\csrss.exe (cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 388: C:\Windows\system32\wininit.exe (cmdline: wininit.exe)
  - PID 484: C:\Windows\system32\services.exe (cmdline: C:\Windows\system32\services.exe)
    - PID 612: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch)
      - PID 2136: C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
      - PID 1460: C:\Windows\system32\wbem\wmiprvse.exe (cmdline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding)
    - PID 688: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k RPCSS)
    - PID 772: C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)
    - PID 828: C:\Windows\System32\svchost.exe (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)
      - PID 1048: C:\Windows\system32\Dwm.exe (cmdline: "C:\Windows\system32\Dwm.exe")
    - PID 856: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k netsvcs)
      - PID 624: C:\Windows\system32\wbem\WMIADAP.EXE (cmdline: wmiadap.exe /F /T /R)
    - PID 976: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalService)
    - PID 300: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k NetworkService)
    - PID 1060: C:\Windows\system32\taskhost.exe (cmdline: "taskhost.exe")
    - PID 1080: C:\Windows\System32\spoolsv.exe (cmdline: C:\Windows\System32\spoolsv.exe)
    - PID 1164: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)
    - PID 2104: C:\Windows\system32\svchost.exe (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)
    - PID 2772: C:\Windows\system32\sppsvc.exe (cmdline: C:\Windows\system32\sppsvc.exe)
  - PID 492: C:\Windows\system32\lsass.exe (cmdline: C:\Windows\system32\lsass.exe)
  - PID 500: C:\Windows\system32\lsm.exe (cmdline: C:\Windows\system32\lsm.exe)
- PID 400: C:\Windows\system32\csrss.exe (cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 436: C:\Windows\system32\winlogon.exe (cmdline: winlogon.exe)
- PID 1144: C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE)
  - PID 1984: C:\Windows\system32\regsvr32.exe (cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\106bc9c7056d9b34b276292cd4304863_JaffaCakes118.dll)
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3000: C:\Windows\SysWOW64\regsvr32.exe (cmdline: /s C:\Users\Admin\AppData\Local\Temp\106bc9c7056d9b34b276292cd4304863_JaffaCakes118.dll)
      Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - PID 2888: C:\Windows\SysWOW64\regsvr32mgr.exe (cmdline: C:\Windows\SysWOW64\regsvr32mgr.exe)
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - PID 2620: C:\Program Files (x86)\Microsoft\WaterMark.exe (cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe")
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - PID 2388: C:\Windows\SysWOW64\svchost.exe (cmdline: C:\Windows\system32\svchost.exe)
            Signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
          - PID 640: C:\Windows\SysWOW64\svchost.exe (cmdline: C:\Windows\system32\svchost.exe)
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads