Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 07:31
Static task
static1
Behavioral task
behavioral1
Sample
11310f390d2f0f67c0fce3a325500679_JaffaCakes118.dll
Resource
win7-20240508-en
General
-
Target
11310f390d2f0f67c0fce3a325500679_JaffaCakes118.dll
-
Size
166KB
-
MD5
11310f390d2f0f67c0fce3a325500679
-
SHA1
0785526f7ca25a883ed0f134adaf2e70c413bafa
-
SHA256
a602fe8f53d36f4eab3123e2b0a4d75423250566ef909e0e0d0642bff5bab8d3
-
SHA512
7c29bb0f6dc9def79a88ef3e5275cf3b1f8871a45449b5c93e40b547b8b11f3fa9dfd60908e8d49589fa8f6bbd9b2f6636e499c88f60887f59c472036958d228
-
SSDEEP
1536:O5lTUKCYmCgV5bT/2d1QYebAvf/PqhXnzyP5xC1VXfbJpeU4KyQ5G0OYvVkoV:ATU56gVxj27NeUHHCRQU4S5GBWVLV
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3912 regsvr32mgr.exe 3504 WaterMark.exe -
resource yara_rule behavioral2/memory/3912-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-9-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3912-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3504-29-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3504-37-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/3504-38-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe regsvr32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\px2025.tmp regsvr32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe regsvr32mgr.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1112 2352 WerFault.exe 93 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4188122235" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{209BEF39-338E-11EF-B9F7-CE289885E65A} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115162" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4128434073" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115162" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426152080" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115162" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4128434073" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe 3504 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3504 WaterMark.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 832 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 832 iexplore.exe 832 iexplore.exe 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3912 regsvr32mgr.exe 3504 WaterMark.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2428 wrote to memory of 1700 2428 regsvr32.exe 90 PID 2428 wrote to memory of 1700 2428 regsvr32.exe 90 PID 2428 wrote to memory of 1700 2428 regsvr32.exe 90 PID 1700 wrote to memory of 3912 1700 regsvr32.exe 91 PID 1700 wrote to memory of 3912 1700 regsvr32.exe 91 PID 1700 wrote to memory of 3912 1700 regsvr32.exe 91 PID 3912 wrote to memory of 3504 3912 regsvr32mgr.exe 92 PID 3912 wrote to memory of 3504 3912 regsvr32mgr.exe 92 PID 3912 wrote to memory of 3504 3912 regsvr32mgr.exe 92 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 2352 3504 WaterMark.exe 93 PID 3504 wrote to memory of 832 3504 WaterMark.exe 97 PID 3504 wrote to memory of 832 3504 WaterMark.exe 97 PID 3504 wrote to memory of 2660 3504 WaterMark.exe 98 PID 3504 wrote to memory of 2660 3504 WaterMark.exe 98 PID 832 wrote to memory of 1724 832 iexplore.exe 99 PID 832 wrote to memory of 1724 832 iexplore.exe 99 PID 832 wrote to memory of 1724 832 iexplore.exe 99
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\11310f390d2f0f67c0fce3a325500679_JaffaCakes118.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\11310f390d2f0f67c0fce3a325500679_JaffaCakes118.dll2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:2352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2046⤵
- Program crash
PID:1112
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
PID:2660
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2352 -ip 23521⤵PID:4932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵PID:3668
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5b9b9f42ce6d2b20bf169d05480d239d4
SHA132b094cc2ff79f07fcd68d585846b919bc350e4d
SHA2564d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4
SHA51236b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD579c809caa9adb3a8b060036bd8be1f62
SHA1ef6727d68c671dd95bf16d24d68dc54168fdc32e
SHA2567cba9cd107390b6c69ed6ac9c5f04e1265404d57895ba5a9338ad021159d3ca8
SHA512a2ba9e3ea3518a7ea7c9c9f17f6bf2185e6bbcf5baa66c8962c18359ee73e2ea4214688a4a193e11bc831052e8fc14d4a85e9535c4b8edaabb05b559488c2a5e
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
96KB
MD58c51fd9d6daa7b6137634de19a49452c
SHA1db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837