Analysis
- max time kernel: 80s
- max time network: 90s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 03:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
- Size: 240KB
- MD5: 108e9934b04e62f29361fa23c57023a2
- SHA1: 63b3ec1d09687a1051403e92f0f146e06e8eb7d5
- SHA256: 8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7
- SHA512: 521be4c56a2a0fbde1cc87796bf267f9638fd2f7ef33caad482d1ae1a7a458f9c57e10ed7fe3632f18439c613701376da28fa2e27296107cdc7d0d96256461f9
- SSDEEP: 6144:lhKKXGaHs5jiGVKkblgCEjocdK4kU5qhxdo:lhq8slTVKslgUqK41wDdo
Malware Config
Signatures
-
resource | yara_rule
behavioral2/files/0x000f0000000233d6-36.dat | aspack_v212_v242
-
Executes dropped EXE 2 IoCs
pid | Process
1028 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
1012 | WaterMark.exe
-
Loads dropped DLL 1 IoCs
pid | Process
1368 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
-
resource | yara_rule
behavioral2/memory/1028-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1012-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1028-5-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1012-44-0x0000000000400000-0x0000000000421000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mgking.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mgking.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mgking0.dll | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mgking0.dll | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\px43EE.tmp | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
3116 | 4176 | WerFault.exe | 84
1588 | 1368 | WerFault.exe | 80
856 | 1368 | WerFault.exe | 80
2360 | 1368 | WerFault.exe | 80
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425533991" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3C07A3B1-336B-11EF-BA70-66D3FDB32ECD} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process
1012 | WaterMark.exe
1368 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
(the 50 entries are repeats of these two pid/Process pairs)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1012 | WaterMark.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4580 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process | count
4580 | iexplore.exe | 2
2224 | IEXPLORE.EXE | 4
-
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
1028 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
1012 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target | count
PID 1368 wrote to memory of 1028 | 1368 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | 81 | 3
PID 1028 wrote to memory of 1012 | 1028 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | 82 | 3
PID 1012 wrote to memory of 4176 | 1012 | WaterMark.exe | 84 | 9
PID 1368 wrote to memory of 3440 | 1368 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | 56 | 1
PID 1012 wrote to memory of 4580 | 1012 | WaterMark.exe | 93 | 2
PID 1012 wrote to memory of 4092 | 1012 | WaterMark.exe | 94 | 2
PID 4580 wrote to memory of 2224 | 4580 | iexplore.exe | 95 | 3
Processes
- C:\Windows\Explorer.EXE  PID:3440
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe  PID:1368
    command line: "C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe  PID:1028
      command line: C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe  PID:1012
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe  PID:4176
          command line: C:\Windows\system32\svchost.exe
          - C:\Windows\SysWOW64\WerFault.exe  PID:3116
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 204
            - Program crash
        - C:\Program Files\Internet Explorer\iexplore.exe  PID:4580
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  PID:2224
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        - C:\Program Files\Internet Explorer\iexplore.exe  PID:4092
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\WerFault.exe  PID:1588
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 236
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe  PID:856
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 472
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe  PID:2360
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 516
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe  PID:2772
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1368 -ip 1368
- C:\Windows\SysWOW64\WerFault.exe  PID:64
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4176 -ip 4176
- C:\Windows\SysWOW64\WerFault.exe  PID:1740
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1368 -ip 1368
- C:\Windows\SysWOW64\WerFault.exe  PID:2128
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1368 -ip 1368
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60KB
  MD5: 94f2f6ffbba8e7644668b51b39983916
  SHA1: 63357bbdf90101969117983dbc0d4ed0e713c4d7
  SHA256: ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
  SHA512: d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156
- Filesize: 114KB
  MD5: 21c8f7083a59c407226363950804c4f8
  SHA1: 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524
  SHA256: 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5
  SHA512: eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8