Analysis
- max time kernel: 81s
- max time network: 91s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 07:18
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  Resource: win7-20240221-en
General
- Target: 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
- Size: 92KB
- MD5: 1128a69bef2a54b8c04e4232db4cf045
- SHA1: d51dc1c53356399c2cfac0b3398d684015663dd8
- SHA256: 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
- SHA512: 46b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108
- SSDEEP: 1536:jVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApE:7nxwgxgfR/DVG7wBpE
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid | Process
  764 | WaterMark.exe
UPX packed file 12 IoCs
  resource | yara_rule
  behavioral2/memory/2196-4-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-5-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-3-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-2-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/2196-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/764-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/764-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/764-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/764-34-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral2/memory/764-35-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  (the same 0x400000-0x421000 image range in both PID 2196, the sample, and PID 764, the dropped WaterMark.exe, matches the upx rule)
Drops file in Program Files directory 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px41AC.tmp | 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  2268 | 2964 | WerFault.exe | 82
Modifies Internet Explorer settings 28 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E51C2EE-338C-11EF-BA70-F2AC8AF4D319} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425548196" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4E4F60CB-338C-11EF-BA70-F2AC8AF4D319} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  (the two Recovery\AdminActive GUIDs are the same GUIDs as the RecoveryStore .dat files listed under Downloads; these are ordinary Internet Explorer session-recovery writes made by the iexplore.exe instances that WaterMark.exe launched)
Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid | Process
  764 | WaterMark.exe (the same entry repeated 16 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 764 | WaterMark.exe
Suspicious use of FindShellTrayWindow 2 IoCs
  pid | Process
  1252 | iexplore.exe
  4900 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
  pid | Process | entries
  4900 | iexplore.exe | 2
  1252 | iexplore.exe | 2
  4936 | IEXPLORE.EXE | 4
  548 | IEXPLORE.EXE | 2
Suspicious use of UnmapMainImage 2 IoCs
  pid | Process
  2196 | 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  764 | WaterMark.exe
Suspicious use of WriteProcessMemory 22 IoCs
  description | pid | Process | procid_target | entries
  PID 2196 wrote to memory of 764 | 2196 | 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe | 81 | 3
  PID 764 wrote to memory of 2964 | 764 | WaterMark.exe | 82 | 9
  PID 764 wrote to memory of 4900 | 764 | WaterMark.exe | 86 | 2
  PID 764 wrote to memory of 1252 | 764 | WaterMark.exe | 87 | 2
  PID 1252 wrote to memory of 4936 | 1252 | iexplore.exe | 89 | 3
  PID 4900 wrote to memory of 548 | 4900 | iexplore.exe | 88 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe"
  PID: 2196
  signatures: Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\WaterMark.exe
    command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    PID: 764
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2964
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 204
        PID: 2268
        signatures: Program crash
    - C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 4900
      signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4900 CREDAT:17410 /prefetch:2
        PID: 548
        signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1252
      signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:17410 /prefetch:2
        PID: 4936
        signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
  PID: 3352
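What the WriteProcessMemory, Program crash and process-tree entries above add up to: the sample, running from the user's Temp directory, drops and starts WaterMark.exe under Program Files (x86); WaterMark.exe starts a 32-bit svchost.exe with no service-group argument, writes into it nine times (every other parent-to-child pair in this report shows two or three writes), that svchost then faults and WerFault is run against PID 2964, and the same WaterMark.exe goes on to launch two iexplore.exe instances. The script below reconstructs that chain from the report's own text. It is an added example by the editor, not part of the Triage report or its tooling: the process table and write events are transcribed from this page, while the min_writes threshold and the path rules are the editor's assumptions.

```python
"""Rebuild the injection chain recorded in this report's WriteProcessMemory,
process-tree and Program-crash entries.

Added example (editor's own code, not part of the Triage report). The input
data is transcribed from the page; the heuristics and the min_writes
threshold are the editor's assumptions.
"""
import re
from collections import defaultdict

# "wrote to memory" entries from the WriteProcessMemory signature, with their repeat counts.
_EVENT_LINES = [
    ("PID 2196 wrote to memory of 764 2196 1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe 81", 3),
    ("PID 764 wrote to memory of 2964 764 WaterMark.exe 82", 9),
    ("PID 764 wrote to memory of 4900 764 WaterMark.exe 86", 2),
    ("PID 764 wrote to memory of 1252 764 WaterMark.exe 87", 2),
    ("PID 1252 wrote to memory of 4936 1252 iexplore.exe 89", 3),
    ("PID 4900 wrote to memory of 548 4900 iexplore.exe 88", 3),
]
WRITE_EVENTS = "\n".join(line for line, n in _EVENT_LINES for _ in range(n))

# Process tree from the report: pid -> (image path, parent pid, command line).
PROCESSES = {
    2196: (r"C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe", None,
           r'"C:\Users\Admin\AppData\Local\Temp\1128a69bef2a54b8c04e4232db4cf045_JaffaCakes118.exe"'),
    764: (r"C:\Program Files (x86)\Microsoft\WaterMark.exe", 2196, r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    2964: (r"C:\Windows\SysWOW64\svchost.exe", 764, r"C:\Windows\system32\svchost.exe"),
    2268: (r"C:\Windows\SysWOW64\WerFault.exe", 2964, r"C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 204"),
    4900: (r"C:\Program Files\Internet Explorer\iexplore.exe", 764, r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    548: (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", 4900,
          r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4900 CREDAT:17410 /prefetch:2'),
    1252: (r"C:\Program Files\Internet Explorer\iexplore.exe", 764, r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    4936: (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE", 1252,
           r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:17410 /prefetch:2'),
}
# "Program crash" signature: WerFault pid -> pid of the process that faulted.
CRASHES = {2268: 2964}

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_write_events(text):
    """Count cross-process writes: {(writer_pid, target_pid): number of entries}."""
    counts = defaultdict(int)
    for m in EVENT_RE.finditer(text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def find_injection_candidates(events, processes, min_writes=4):
    """Writers outside C:\\Windows that write repeatedly into a Windows binary.

    min_writes=4 is an assumption: every parent in this report makes two or
    three writes into a child it has just created, so those pairs are not flagged.
    """
    hits = []
    for (writer, target), n in sorted(events.items()):
        w_img, t_img = processes[writer][0], processes[target][0]
        if n >= min_writes and not is_system_image(w_img) and is_system_image(t_img):
            hits.append({"writer": writer, "target": target, "writes": n, "target_image": t_img})
    return hits


def dropped_then_executed(processes):
    """Children under Program Files started by a parent running from a user Temp directory."""
    hits = []
    for pid, (img, parent, _) in processes.items():
        if parent is None:
            continue
        parent_img = processes[parent][0].lower()
        if "\\appdata\\local\\temp\\" in parent_img and img.lower().startswith(
                ("c:\\program files\\", "c:\\program files (x86)\\")):
            hits.append((parent, pid, img))
    return hits


def svchost_without_service_group(processes):
    """svchost.exe is normally started with -k <group>; a bare invocation is a classic hollowing target."""
    return sorted(pid for pid, (img, _, cmd) in processes.items()
                  if img.lower().endswith("\\svchost.exe") and "-k" not in cmd.lower().split())


def crashed_write_targets(events, crashes):
    """Processes that received cross-process writes and were then reported by WerFault."""
    targets = {t for (_, t) in events}
    return sorted(pid for pid in crashes.values() if pid in targets)


if __name__ == "__main__":
    ev = parse_write_events(WRITE_EVENTS)
    for hit in find_injection_candidates(ev, PROCESSES):
        print("injection candidate:", hit)
    print("dropped and executed:", dropped_then_executed(PROCESSES))
    print("bare svchost.exe:", svchost_without_service_group(PROCESSES))
    print("write targets that crashed:", crashed_write_targets(ev, CRASHES))
```

Run it as a script to print the findings, or pass another report's WriteProcessMemory text to parse_write_events to reuse the checks. The rules are deliberately narrow: a write count alone is not evidence of injection, but a non-Windows writer, a bare svchost.exe target and a WerFault for that same target are the combination this report shows, and the three checks together are more useful for triage than any one of them.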
Network
MITRE ATT&CK Enterprise v15
Downloads
- Submitted sample (no path listed; the digests are identical to the Target above)
  Filesize: 92KB
  MD5: 1128a69bef2a54b8c04e4232db4cf045
  SHA1: d51dc1c53356399c2cfac0b3398d684015663dd8
  SHA256: 72af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
  SHA512: 46b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E4F60CB-338C-11EF-BA70-F2AC8AF4D319}.dat
  Filesize: 3KB
  MD5: b471e17a33ea3e6f2589e1a1ee2dd927
  SHA1: 8492a8375ea662ddaffa964c2cdce5cc6f65dd87
  SHA256: 9bd830ee1b3c7060ee716ed18183df3b36338022066dbd58aa9f6fac76af6bbd
  SHA512: 398a31f14649f952d4cf688d52030fe2409e69bae583330a02225cf5f76b66012ca9b54dbf075bfa040ab6bc724f0e1ca0cc47d7acfe86694bf71b00874d0828
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E51C2EE-338C-11EF-BA70-F2AC8AF4D319}.dat
  Filesize: 5KB
  MD5: 812924d45332ef34cd141728d613c88f
  SHA1: 1bce12bc403e2c824e4f74369749d6fe87f23453
  SHA256: ff284d20537d834ce1c05206e1d034d02f40b80b33d58b2129ae6a35467f7a26
  SHA512: 507e4d1fa806397f1d76b5ca0df9975526a99615e634c2042586c2e3ee7b8855b41d0ffc8bd0c97def245705a99da56b55c3d4d1f9fde28d9590b8147b45f2af
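To confirm that a locally held file is the artifact these digests describe, the script below parses a Downloads entry as it appears in a raw text export of this page (where the label and digest run together as MD5<hex>, with or without a space), checks that each digest has the length its algorithm requires so a truncated copy/paste is caught, and then streams the file through all four algorithms in one pass. It is an added example by the editor, not part of the Triage report; DOWNLOAD_ENTRY is transcribed from the first Downloads entry, and the script file name used in the usage note is a placeholder.

```python
"""Verify a local copy of an artifact against the digests listed under Downloads.

Added example (editor's own code, not part of the Triage report). DOWNLOAD_ENTRY
is transcribed from the first Downloads entry of this page as it appears in a
raw text export, where the label and digest are fused ("MD5<hex>").
"""
import hashlib
import re

DOWNLOAD_ENTRY = """\
Filesize
92KB
MD51128a69bef2a54b8c04e4232db4cf045
SHA1d51dc1c53356399c2cfac0b3398d684015663dd8
SHA25672af033ddfe9ad63fecc9121a96b2e502667160e0c0a71743bb7c591eb82d0c6
SHA51246b8231e3a8d87c36dc5dba0f097aeb1b2f135434991b18eb99c6ff2d562f2e3f32cc1c73de6380787e903ee5cb3efa870dfe8acd4c1c4a6ace9086a1ca0a108
"""

# Hex length per algorithm; a digest of any other length was truncated or mangled in transit.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label immediately followed (optionally after whitespace) by the hex digest.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")


def parse_digests(text):
    """Return {algorithm: lowercase hex digest}, validating each digest's length."""
    found = {}
    for line in text.splitlines():
        m = LABEL_RE.match(line.strip())
        if not m:
            continue  # Filesize, path and other non-digest lines
        algo, hexdigest = m.group(1).lower(), m.group(2).lower()
        want = DIGEST_HEX_LEN[algo]
        if len(hexdigest) != want:
            raise ValueError(f"{algo}: {len(hexdigest)} hex chars, expected {want}")
        found[algo] = hexdigest
    if not found:
        raise ValueError("no digests found in entry")
    return found


def verify_bytes(data, expected):
    """Compare an in-memory buffer against every expected digest: {algorithm: matches?}."""
    return {algo: hashlib.new(algo, data).hexdigest() == hexdigest
            for algo, hexdigest in expected.items()}


def verify_file(path, expected, chunk_size=1 << 20):
    """Stream a file once through all expected algorithms and compare."""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: hashers[algo].hexdigest() == expected[algo] for algo in expected}


if __name__ == "__main__":
    import sys
    expected = parse_digests(DOWNLOAD_ENTRY)
    if len(sys.argv) > 1:
        result = verify_file(sys.argv[1], expected)
        print("all digests match" if all(result.values()) else f"MISMATCH: {result}")
    else:
        print("expected digests:", expected)
```

Usage: `python verify_hashes.py <path-to-sample>` (the script name is a placeholder). Comparing all four digests rather than MD5 alone matters here because MD5 and SHA1 collisions are practical; SHA256 and SHA512 are the values to trust when matching against a report.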