Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 04:44
Static task
static1
Behavioral task
behavioral1
Sample
10c30b617298dff59705da9fb038394e_JaffaCakes118.dll
Resource
win7-20240508-en
General
- Target: 10c30b617298dff59705da9fb038394e_JaffaCakes118.dll
- Size: 204KB
- MD5: 10c30b617298dff59705da9fb038394e
- SHA1: 92dbaef54f355fc8806d85c4c3adb198b140a50c
- SHA256: 9391da6d8fc9a7f07b81aac67ec99d63159fae2ec3b8b13b63f6e043b535c50b
- SHA512: b7d33ca3105c7b976fcc8ad26e1023c16f8ba0452b2ffbc90c704e7d357c89feeff5160ac6c55288b823598ce5c12f4991bc3ee4cc0ef9de31d527522d173ea1
- SSDEEP: 3072:jvXmimD0k0QRW1PhI1sItKOgGdX3DUPnObj6pZnbR3nyf65QJgz8CevPfQ:j+fD/0QSzItKOgGFYmbj6p33oJJnZ3fQ
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  pid  | Process
  920  | rundll32mgr.exe
  4388 | WaterMark.exe
- UPX packed file (yara rule: upx) 11 IoCs
  resource                                                            | yara_rule
  behavioral2/memory/920-8-0x0000000000400000-0x0000000000421000-memory.dmp  | upx
  behavioral2/memory/920-6-0x0000000000400000-0x0000000000421000-memory.dmp  | upx
  behavioral2/memory/920-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/4388-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/4388-33-0x0000000000400000-0x0000000000427000-memory.dmp | upx
  behavioral2/memory/920-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/920-11-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/920-10-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/920-7-0x0000000000400000-0x0000000000421000-memory.dmp  | upx
  behavioral2/memory/920-9-0x0000000000400000-0x0000000000421000-memory.dmp  | upx
  behavioral2/memory/4388-38-0x0000000000400000-0x0000000000421000-memory.dmp | upx
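The upx hits above are YARA matches on memory dumps of the two dropped executables, all taken at image base 0x400000. The checker below, added here as an illustration and not the sandbox's own rule, tests a PE image for the traits such a rule keys on: UPX0/UPX1 section names, a section that is empty on disk but large in memory (the unpack destination), high-entropy section data and the "UPX!" marker. The two PE images it runs on are constructed minimal headers built inline (`build_pe`), not the sample from this report, and the 7.0 bits/byte entropy threshold is an assumed cut-off.

```python
"""UPX indicator check for a PE image. Added example, not the sandbox's rule;
the PE images are constructed in-line, not this report's sample."""
import hashlib
import math
import struct
from collections import Counter


def build_pe(sections):
    """Constructed minimal PE32: DOS stub, COFF header, blank optional header,
    section table, raw section data. sections = [(name, virtual_size, raw_bytes)].
    Enough for a section-table parser; not a loadable executable."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, vsize, data in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs, linenumbers, counts, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(data)
        body += data
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body


def pe_sections(blob):
    """Parse the section table: [(name, virtual_size, raw_size, raw_bytes)]."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize,
                    blob[rawptr:rawptr + rawsize]))
    return out


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def upx_indicators(blob, entropy_threshold=7.0):
    """Reasons the image looks UPX-packed; an empty list means no indicator fired."""
    reasons = []
    for name, vsize, rawsize, data in pe_sections(blob):
        if name.startswith("UPX"):
            reasons.append(f"section named {name}")
        if rawsize == 0 and vsize > 0:
            reasons.append(f"{name}: 0 bytes on disk, {vsize:#x} in memory (unpack destination)")
        if rawsize and entropy(data) > entropy_threshold:
            reasons.append(f"{name}: entropy {entropy(data):.2f}")
    if b"UPX!" in blob:
        reasons.append("'UPX!' marker present")
    return reasons


# Constructed inputs: deterministic SHA-256 output stands in for compressed data.
_HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_pe([
    ("UPX0", 0x20000, b""),
    ("UPX1", 0x7000, b"UPX!" + _HIGH_ENTROPY),
    (".rsrc", 0x1000, b"\0" * 256),
])
UNPACKED_SAMPLE = build_pe([
    (".text", 0x1000, b"\x55\x8b\xec" * 300 + b"\xc3"),
    (".data", 0x1000, b"\0" * 512),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", UNPACKED_SAMPLE)):
        print(label, upx_indicators(blob) or "no UPX indicators")
```

Caveat when reading the memory-dump hits: after the UPX stub has run, the section names and the "UPX!" marker are still present in the process image, so a match on a dump does not mean the dumped code is still compressed. The indicator that changes is the entropy of the UPX0 region, which holds the decompressed code once the stub has written it; that is the region to carve out of the 0x400000 dumps for static analysis.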
- Drops file in System32 directory 1 IoCs
  description  | ioc                                 | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Drops file in Program Files directory 3 IoCs
  description                  | ioc                                            | Process
  File opened for modification | C:\Program Files (x86)\Microsoft\px4A57.tmp    | rundll32mgr.exe
  File created                 | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
- Program crash 1 IoCs
  pid  | pid_target | Process      | procid_target
  3496 | 2924       | WerFault.exe | 85
- Modifies Internet Explorer settings 28 IoCs
  description       | ioc                                                                                                                                             | Process
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                          | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                      | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425538973" | iexplore.exe
  Set value (data)  | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                 | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                            | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main                                          | IEXPLORE.EXE
  Set value (str)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                        | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                      | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main                                          | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                            | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"    | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU                                           | IEXPLORE.EXE
  Set value (data)  | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"                 | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D504574D-3376-11EF-BCA5-F2AC8AF4D319} = "0" | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D501F50E-3376-11EF-BCA5-F2AC8AF4D319} = "0" | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"    | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"    | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                          | iexplore.exe
  Set value (str)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                        | iexplore.exe
  Set value (int)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"    | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion                              | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main                                          | iexplore.exe
  Key created       | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main                                          | IEXPLORE.EXE
  Set value (str)   | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
- Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid  | Process
  4388 | WaterMark.exe (16 identical entries)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              | pid  | Process
  Token: SeDebugPrivilege  | 4388 | WaterMark.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  pid  | Process
  4064 | iexplore.exe
  740  | iexplore.exe
- Suspicious use of SetWindowsHookEx 10 IoCs
  pid  | Process
  740  | iexplore.exe (2 entries)
  4064 | iexplore.exe (2 entries)
  4992 | IEXPLORE.EXE (2 entries)
  3912 | IEXPLORE.EXE (2 entries)
  4992 | IEXPLORE.EXE (2 entries)
- Suspicious use of UnmapMainImage 2 IoCs
  pid  | Process
  920  | rundll32mgr.exe
  4388 | WaterMark.exe
- Suspicious use of WriteProcessMemory 28 IoCs
  description                       | pid  | Process         | procid_target
  PID 744 wrote to memory of 4232   | 744  | rundll32.exe    | 82 (3 entries)
  PID 4232 wrote to memory of 920   | 4232 | rundll32.exe    | 83 (3 entries)
  PID 920 wrote to memory of 4388   | 920  | rundll32mgr.exe | 84 (3 entries)
  PID 4388 wrote to memory of 2924  | 4388 | WaterMark.exe   | 85 (9 entries)
  PID 4388 wrote to memory of 740   | 4388 | WaterMark.exe   | 89 (2 entries)
  PID 4388 wrote to memory of 4064  | 4388 | WaterMark.exe   | 90 (2 entries)
  PID 740 wrote to memory of 3912   | 740  | iexplore.exe    | 91 (3 entries)
  PID 4064 wrote to memory of 4992  | 4064 | iexplore.exe    | 92 (3 entries)
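The WriteProcessMemory table mixes two things: the writes a parent makes into a child it has just created (every spawn in this report shows two or three entries per edge) and the nine writes WaterMark.exe made into svchost.exe (PID 2924), the process that WerFault then reported crashed. The script below, added here as an example and not part of the report, joins that table with the "Drops file" and "Program crash" rows to rebuild the process tree, flag each edge where a process executes a file its parent had just written, and single out the high-write-count edge into a Windows binary as the injection. The input rows are copied from this report's tables (a constructed subset), the pid-to-image map is taken from its process tree, and the write-count threshold of 3 is an assumed heuristic.

```python
"""Correlate sandbox IoC rows into a process tree plus drop-and-execute and
injection findings. Added example; input rows are a constructed subset
copied from this report's signature tables."""
import ntpath
import re
from collections import Counter

# Constructed input: one string per table row, repeated as often as in the report.
WRITE_EVENTS = (
    ["PID 744 wrote to memory of 4232 744 rundll32.exe 82"] * 3
    + ["PID 4232 wrote to memory of 920 4232 rundll32.exe 83"] * 3
    + ["PID 920 wrote to memory of 4388 920 rundll32mgr.exe 84"] * 3
    + ["PID 4388 wrote to memory of 2924 4388 WaterMark.exe 85"] * 9
    + ["PID 4388 wrote to memory of 740 4388 WaterMark.exe 89"] * 2
    + ["PID 4388 wrote to memory of 4064 4388 WaterMark.exe 90"] * 2
    + ["PID 740 wrote to memory of 3912 740 iexplore.exe 91"] * 3
    + ["PID 4064 wrote to memory of 4992 4064 iexplore.exe 92"] * 3
)
FILE_EVENTS = [
    r"File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe",
    r"File opened for modification C:\Program Files (x86)\Microsoft\px4A57.tmp rundll32mgr.exe",
    r"File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe",
]
CRASH_EVENTS = ["3496 2924 WerFault.exe 85"]  # pid pid_target Process procid_target
PROCESS_IMAGES = {  # pid -> image path, from the report's process tree
    744: r"C:\Windows\system32\rundll32.exe",
    4232: r"C:\Windows\SysWOW64\rundll32.exe",
    920: r"C:\Windows\SysWOW64\rundll32mgr.exe",
    4388: r"C:\Program Files (x86)\Microsoft\WaterMark.exe",
    2924: r"C:\Windows\SysWOW64\svchost.exe",
    740: r"C:\Program Files\Internet Explorer\iexplore.exe",
    3912: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    4064: r"C:\Program Files\Internet Explorer\iexplore.exe",
    4992: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
}
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
FILE_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")
CRASH_RE = re.compile(r"^\d+ (\d+) WerFault\.exe \d+$")


def parse_write_events(lines):
    """Count WriteProcessMemory rows per (source pid, target pid) edge."""
    edges = Counter()
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def parse_file_events(lines):
    """[(path, image name of the writer)] for 'File created' rows only."""
    drops = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m and m.group(1) == "created":
            drops.append((m.group(2), m.group(3)))
    return drops


def parse_crashes(lines):
    """Set of pid_target values from 'Program crash' rows."""
    return {int(m.group(1)) for m in map(CRASH_RE.match, (l.strip() for l in lines)) if m}


def find_drop_and_execute(edges, drops, images):
    """Edges whose target runs a file the source's image had created.
    The report names the creator only by image name, so matching is by basename."""
    hits = []
    for src, dst in edges:
        src_name = ntpath.basename(images.get(src, "")).lower()
        dst_path = images.get(dst, "").lower()
        for path, creator in drops:
            if path.lower() == dst_path and creator.lower() == src_name:
                hits.append((src, dst, path))
    return hits


def find_injection(edges, images, drops, spawn_writes=3):
    """Heuristic (assumed threshold): more than spawn_writes writes into a Windows
    binary the source did not drop is treated as injection rather than a spawn."""
    dropped = {p.lower() for p, _ in drops}
    return [(src, dst, n) for (src, dst), n in edges.items()
            if n > spawn_writes
            and images.get(dst, "").lower().startswith(r"c:\windows")
            and images.get(dst, "").lower() not in dropped]


def render_tree(edges, images, root, depth=0):
    """Indented parent->child tree derived from the write edges."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for src, dst in edges:
        if src == root:
            lines.extend(render_tree(edges, images, dst, depth + 1))
    return lines


def triage(write_lines=WRITE_EVENTS, file_lines=FILE_EVENTS,
           crash_lines=CRASH_EVENTS, images=PROCESS_IMAGES):
    edges = parse_write_events(write_lines)
    drops = parse_file_events(file_lines)
    crashed = parse_crashes(crash_lines)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    injections = find_injection(edges, images, drops)
    return {
        "tree": [line for r in roots for line in render_tree(edges, images, r)],
        "drop_and_execute": find_drop_and_execute(edges, drops, images),
        "injection": injections,
        "injected_then_crashed": [h for h in injections if h[1] in crashed],
    }


if __name__ == "__main__":
    result = triage()
    print("\n".join(result["tree"]))
    for key in ("drop_and_execute", "injection", "injected_then_crashed"):
        print(key, result[key])
```

On this report the two drop-and-execute hits are rundll32.exe (4232) running the rundll32mgr.exe it wrote into SysWOW64 and rundll32mgr.exe (920) running the WaterMark.exe it wrote under Program Files (x86); the single injection hit is WaterMark.exe into svchost.exe, and because 2924 is also the WerFault pid_target the injected code evidently faulted. The write-count heuristic is only as good as the sandbox's accounting; on another sample a parent may legitimately write more than three times into a child, so treat the count as a triage prompt, not a verdict.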
Processes (the leading number is the nesting depth in the process tree)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID:744
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10c30b617298dff59705da9fb038394e_JaffaCakes118.dll,#1
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID:4232
      3. C:\Windows\SysWOW64\rundll32mgr.exe
         Command line: C:\Windows\SysWOW64\rundll32mgr.exe
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of UnmapMainImage
         - Suspicious use of WriteProcessMemory
         PID:920
         4. C:\Program Files (x86)\Microsoft\WaterMark.exe
            Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
            PID:4388
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\system32\svchost.exe
               PID:2924
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 204
                  - Program crash
                  PID:3496
            5. C:\Program Files\Internet Explorer\iexplore.exe
               Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
               - Modifies Internet Explorer settings
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               PID:740
               6. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:17410 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
                  PID:3912
            5. C:\Program Files\Internet Explorer\iexplore.exe
               Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
               - Modifies Internet Explorer settings
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               PID:4064
               6. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4064 CREDAT:17410 /prefetch:2
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
                  PID:4992
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2924 -ip 2924
   PID:2096
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D501F50E-3376-11EF-BCA5-F2AC8AF4D319}.dat
  Filesize: 3KB
  MD5: 3a459b6862dc0161d540489d93a36a4b
  SHA1: bed779ce081a3b0f0103143a0343333d8c2a0a52
  SHA256: 234af64c4d1766d29018226bc1861c89dca6539c222199f9f8e610a462ecf408
  SHA512: 5d74aa0b492b460995ce937cc0b11f45aae7ebb61a0168e8321ff54183f57aa2451bed763cb4cafa00ae789d3b8e42d7320781e043e96ff6f2cf21f9b5d567a3
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D504574D-3376-11EF-BCA5-F2AC8AF4D319}.dat
  Filesize: 5KB
  MD5: e85ba23a54ad26addef31d4200173caa
  SHA1: f714f64e602406738d58fa354ee2803c08023966
  SHA256: f06390bf1387a4eb6bf3b287a3999d9b1ad548c42dfe16e2933172699e320774
  SHA512: 3dfdd27fea0d71ca08a83ef2c7b864b289edcfb8537e8643753b3211437d387e479c032c90ea2fa1ad3a85fb9186e0b943b1a0527d75c4de1e1f34e90d071b0f
- Filesize: 111KB
  MD5: 076b881c26b76c254df2d24b1410d64c
  SHA1: 0c3591cde9733b69f8f19be8458638a0a343adbf
  SHA256: e778aab6e5d2cd6372eacdb27867e5df7d4555d8497299461814d8ce51961100
  SHA512: 5cff93b35a6497837d4dc53393bdc3e81753ef8c08b98ff880d457268208ae1ece6578450b9898dfb4b0d43c1a250b15f9e148ab4e85ff3a9a5db144c728afe8