Analysis
-
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 04:44
Static task: static1
Behavioral task: behavioral1
Sample: 10c30b617298dff59705da9fb038394e_JaffaCakes118.dll
Resource: win7-20240508-en
General
-
Target: 10c30b617298dff59705da9fb038394e_JaffaCakes118.dll
Size: 204KB
MD5: 10c30b617298dff59705da9fb038394e
SHA1: 92dbaef54f355fc8806d85c4c3adb198b140a50c
SHA256: 9391da6d8fc9a7f07b81aac67ec99d63159fae2ec3b8b13b63f6e043b535c50b
SHA512: b7d33ca3105c7b976fcc8ad26e1023c16f8ba0452b2ffbc90c704e7d357c89feeff5160ac6c55288b823598ce5c12f4991bc3ee4cc0ef9de31d527522d173ea1
SSDEEP: 3072:jvXmimD0k0QRW1PhI1sItKOgGdX3DUPnObj6pZnbR3nyf65QJgz8CevPfQ:j+fD/0QSzItKOgGFYmbj6p33oJJnZ3fQ
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2620 | rundll32mgr.exe
2668 | WaterMark.exe
-
Loads dropped DLL 4 IoCs
pid | Process
2272 | rundll32.exe
2272 | rundll32.exe
2620 | rundll32mgr.exe
2620 | rundll32mgr.exe
-
resource | yara_rule
behavioral1/memory/2620-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2620-32-0x0000000000050000-0x0000000000077000-memory.dmp | upx
behavioral1/memory/2668-45-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2668-44-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2668-43-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2668-563-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2668-566-0x0000000000400000-0x0000000000421000-memory.dmp | upx
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
-
Drops file in Program Files directory 64 IoCs
description: File opened for modification (all 64 entries)
Process: svchost.exe (all 64 entries)
ioc:
C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
C:\Program Files\Mozilla Firefox\nssckbi.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll
C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html
C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll
C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll
C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll
C:\Program Files\Java\jre7\bin\kinit.exe
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.RunTime.Serialization.Resources.dll
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html
C:\Program Files\Java\jre7\bin\klist.exe
C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll
C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll
C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll
C:\Program Files\Internet Explorer\Timeline.dll
C:\Program Files\Java\jre7\bin\ktab.exe
C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll
C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
C:\Program Files\Mozilla Firefox\AccessibleHandler.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll
C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
C:\Program Files\Windows Defender\MpCommu.dll
C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
C:\Program Files\Internet Explorer\Timeline_is.dll
C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.resources.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll
C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll
C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll
C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
C:\Program Files\Internet Explorer\ieproxy.dll
C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll
C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll
C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process | occurrences (identical rows in the report shown once, with their count)
2668 | WaterMark.exe | 8
848 | svchost.exe | 29
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2668 | WaterMark.exe
Token: SeDebugPrivilege | 848 | svchost.exe
Token: SeDebugPrivilege | 2668 | WaterMark.exe
-
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
2620 | rundll32mgr.exe
2668 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences (identical rows in the report shown once, with their count)
PID 2284 wrote to memory of 2272 | 2284 | rundll32.exe | 28 | 7
PID 2272 wrote to memory of 2620 | 2272 | rundll32.exe | 29 | 4
PID 2620 wrote to memory of 2668 | 2620 | rundll32mgr.exe | 30 | 4
PID 2668 wrote to memory of 2524 | 2668 | WaterMark.exe | 31 | 10
PID 2668 wrote to memory of 848 | 2668 | WaterMark.exe | 32 | 10
PID 848 wrote to memory of 256 | 848 | svchost.exe | 1 | 5
PID 848 wrote to memory of 336 | 848 | svchost.exe | 2 | 5
PID 848 wrote to memory of 384 | 848 | svchost.exe | 3 | 5
PID 848 wrote to memory of 396 | 848 | svchost.exe | 4 | 5
PID 848 wrote to memory of 432 | 848 | svchost.exe | 5 | 5
PID 848 wrote to memory of 480 | 848 | svchost.exe | 6 | 4
Processes
-
(indentation shows the parent/child relationship; each entry gives the PID, the image path and the command line, with the signatures the process triggered listed beneath it)
- PID 256 | C:\Windows\System32\smss.exe | cmd: \SystemRoot\System32\smss.exe
- PID 336 | C:\Windows\system32\csrss.exe | cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- PID 384 | C:\Windows\system32\wininit.exe | cmd: wininit.exe
  - PID 480 | C:\Windows\system32\services.exe | cmd: C:\Windows\system32\services.exe
    - PID 592 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
      - PID 2356 | C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      - PID 2884 | C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    - PID 668 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k RPCSS
    - PID 740 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - PID 812 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - PID 1144 | C:\Windows\system32\Dwm.exe | cmd: "C:\Windows\system32\Dwm.exe"
    - PID 856 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs
      - PID 2792 | C:\Windows\system32\wbem\WMIADAP.EXE | cmd: wmiadap.exe /F /T /R
    - PID 964 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService
    - PID 108 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService
    - PID 356 | C:\Windows\System32\spoolsv.exe | cmd: C:\Windows\System32\spoolsv.exe
    - PID 1064 | C:\Windows\system32\taskhost.exe | cmd: "taskhost.exe"
    - PID 1084 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - PID 2012 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - PID 1448 | C:\Windows\system32\sppsvc.exe | cmd: C:\Windows\system32\sppsvc.exe
  - PID 488 | C:\Windows\system32\lsass.exe | cmd: C:\Windows\system32\lsass.exe
  - PID 496 | C:\Windows\system32\lsm.exe | cmd: C:\Windows\system32\lsm.exe
- PID 396 | C:\Windows\system32\csrss.exe | cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- PID 432 | C:\Windows\system32\winlogon.exe | cmd: winlogon.exe
- PID 1168 | C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE
  - PID 2284 | C:\Windows\system32\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - PID 2272 | C:\Windows\SysWOW64\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - PID 2620 | C:\Windows\SysWOW64\rundll32mgr.exe | cmd: C:\Windows\SysWOW64\rundll32mgr.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - PID 2668 | C:\Program Files (x86)\Microsoft\WaterMark.exe | cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - PID 2524 | C:\Windows\SysWOW64\svchost.exe | cmd: C:\Windows\system32\svchost.exe
            signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
          - PID 848 | C:\Windows\SysWOW64\svchost.exe | cmd: C:\Windows\system32\svchost.exe
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 236KB
MD5: 9d9b866171eb6fc9bf34a98bd927c799
SHA1: 79b6ee6e30806824ea2f7bfa86a50a11db1dc94f
SHA256: 7c0c6d7d6cd7ad8fe6db76dda416561d859c4c5907fa7d329fcde7595984463f
SHA512: 6e5828dc189150ec06f4c5f24df13881ba0f154f68a8305d3919db90424e6e7b4a1aa9e779b80e6df707c27ed2ee8d94d04b7ff52fa25d5b0adbe9166c88bd82
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 232KB
MD5: 381a7968c1eac800557ef9cec6b7dea0
SHA1: 6bf8bba9039d3540042c493e2111405af7d27ac5
SHA256: c09e0c56db22ce327a70b6374a1ad93de387b86276bb3f40ef4b1d44b7a3a783
SHA512: 04b91891d2c8be969d892cade8f13a4e4283d30819b17cfd61d17c417cb26b087bb651fdf54094266129ca0879564ce7574e2c424a4394659be5019a66cbe814
-
Filesize: 111KB
MD5: 076b881c26b76c254df2d24b1410d64c
SHA1: 0c3591cde9733b69f8f19be8458638a0a343adbf
SHA256: e778aab6e5d2cd6372eacdb27867e5df7d4555d8497299461814d8ce51961100
SHA512: 5cff93b35a6497837d4dc53393bdc3e81753ef8c08b98ff880d457268208ae1ece6578450b9898dfb4b0d43c1a250b15f9e148ab4e85ff3a9a5db144c728afe8