Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
- Size: 92KB
- MD5: 1128a69bef2a54b8c04e4232db4cf045
- SHA1: d51dc1c53356399c2cfac0b3398d684015663dd8
- SHA256: 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
- SHA512: 46b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108
- SSDEEP: 1536:jVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:7nxwgxgfR/DVG7wBpE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  process: svchost.exe
Executes dropped EXE (1 IoC)
  pid 2540, process WaterMark.exe
Loads dropped DLL (2 IoCs)
  pid 1812, process 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  pid 1812, process 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
UPX packed file (yara rule: upx, 11 IoCs)
  resource / yara_rule:
  behavioral1/memory/2540-29-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/2540-28-0x0000000000400000-0x00000000004B0000-memory.dmp upx
  behavioral1/memory/1812-9-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-8-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-7-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-3-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-2-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-1-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/1812-0-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/2540-551-0x0000000000400000-0x0000000000421000-memory.dmp upx
  behavioral1/memory/2540-554-0x0000000000400000-0x0000000000421000-memory.dmp upx
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
Drops file in Program Files directory (64 IoCs)
  description: File opened for modification; process: svchost.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  pid 2540, process WaterMark.exe (8 entries)
  pid 3052, process svchost.exe (29 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2540, process WaterMark.exe
  Token: SeDebugPrivilege, pid 3052, process svchost.exe
  Token: SeDebugPrivilege, pid 2540, process WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid 1812, process 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  pid 2540, process WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid / process -> target pid (procid_target) [number of entries]
  1812 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe -> 2540 (28) [4]
  2540 WaterMark.exe -> 2720 (29) [10]
  2540 WaterMark.exe -> 3052 (30) [10]
  3052 svchost.exe -> 260 (1) [5]
  3052 svchost.exe -> 336 (2) [5]
  3052 svchost.exe -> 388 (3) [5]
  3052 svchost.exe -> 396 (4) [5]
  3052 svchost.exe -> 428 (5) [5]
  3052 svchost.exe -> 480 (6) [5]
  3052 svchost.exe -> 496 (7) [5]
  3052 svchost.exe -> 504 (8) [5]
  (Per the process tree, targets 260, 336, 388, 396, 428, 480, 496 and 504 are smss.exe, csrss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe, lsass.exe and lsm.exe respectively.)
Processes (image | command line | PID; nesting shows parent/child)
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:260
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:336
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:388
- C:\Windows\system32\wininit.exe | wininit.exe | PID:396
  - C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:480
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:600
      - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1732
      - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID:2616
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:680
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:764
    - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:820
      - C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1180
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:856
      - C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2072
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:968
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:288
    - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1048
    - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1080
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1128
    - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:2116
    - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:2884
  - C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:496
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:504
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:428
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1212
  - C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe" | PID:1812
    signatures: Loads dropped DLL; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:2540
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:2720
        signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:3052
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 197KB
  MD5: 58b7dcd5bbb2761eb3efe8882147f83d
  SHA1: 7d639303163ba87b3667ba7942df18aaa2e90342
  SHA256: c1fcc4e9fc1fe356ccc8b6b47bd9dfab72ad6d5f42afc5acf2aa46d6b7534c60
  SHA512: 0946f3b44fe3838c4deccb0940e78b4207d83c7ca0907570d49921aef86a12f2c6b749209b6876308ca2fedb8fe9d14c6f07b87d1c58cfb59009a7a3b985befb
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 193KB
  MD5: 499eaae9fad91a8c2fe3f0eddfdb70e5
  SHA1: 92dbdd446f89b303281663317f89bcb71b2701d0
  SHA256: e313bf2d56dd44b44fe5c4ba34fa4b949473ebba55f02d7d0bec2958a2427b27
  SHA512: a015f50d91182e5f49af36bc38129b7381ea0acddfa6aa203875f5cd1137e43264d217f20015b9fdfb21bb25efe62a67364eaacbd635acfd5f168656a3058a0d