Analysis

max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 03:04
Static task: static1
Behavioral task: behavioral1
Sample: 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe
Size: 156KB
MD5: 47f0682b499469e0c38adb8cbc7bd46a
SHA1: 458da22900e17a270173de6a02dd90b75d7f402a
SHA256: f50b428eb35286adf0ed9c726c01a50aec44e5b4de145a411f17b76f8731d07c
SHA512: 80e81da4c151bec23c1b9113859333c2083aae82808db174968d574d2c6431d4af814c91a5a2d81b912e30428ed1448bb153c9bbb9f76dbc73b5e1bb531d3f49
SSDEEP: 1536:LVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEY:DnxwgxgfR/DVG7wBpEY
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  process: svchost.exe
Executes dropped EXE (1 IoC)
  PID 1988  WaterMark.exe
Loads dropped DLL (2 IoCs)
  PID 2500  47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe
  PID 2500  47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe

yara_rule matches (resource | yara_rule)
  behavioral1/memory/2500-4-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-3-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-2-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-1-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2500-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1988-27-0x0000000000400000-0x0000000000458000-memory.dmp | upx
  behavioral1/memory/1988-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1988-39-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1988-28-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1988-604-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in System32 directory (2 IoCs)
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
Drops file in Program Files directory (64 IoCs, all "File opened for modification" by svchost.exe)
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1988 WaterMark.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe 1636 svchost.exe -
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege | PID 1988 | WaterMark.exe
  Token: SeDebugPrivilege | PID 1636 | svchost.exe
  Token: SeDebugPrivilege | PID 1988 | WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
  PID 2500  47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe
  PID 1988  WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 1988 2500 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe 30 PID 2500 wrote to memory of 1988 2500 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe 30 PID 2500 wrote to memory of 1988 2500 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe 30 PID 2500 wrote to memory of 1988 2500 47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe 30 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 776 1988 WaterMark.exe 31 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1988 wrote to memory of 1636 1988 WaterMark.exe 33 PID 1636 wrote to memory of 256 1636 svchost.exe 1 PID 1636 wrote to memory of 256 1636 svchost.exe 1 PID 1636 wrote to memory of 256 1636 svchost.exe 1 PID 1636 wrote to memory of 256 1636 svchost.exe 1 PID 1636 wrote to memory of 256 1636 svchost.exe 1 PID 1636 wrote to memory of 336 1636 svchost.exe 2 PID 1636 wrote to memory of 336 1636 svchost.exe 2 PID 1636 wrote to memory of 336 1636 svchost.exe 2 PID 1636 wrote to memory of 336 1636 svchost.exe 2 PID 1636 wrote to memory of 336 1636 
svchost.exe 2 PID 1636 wrote to memory of 384 1636 svchost.exe 3 PID 1636 wrote to memory of 384 1636 svchost.exe 3 PID 1636 wrote to memory of 384 1636 svchost.exe 3 PID 1636 wrote to memory of 384 1636 svchost.exe 3 PID 1636 wrote to memory of 384 1636 svchost.exe 3 PID 1636 wrote to memory of 392 1636 svchost.exe 4 PID 1636 wrote to memory of 392 1636 svchost.exe 4 PID 1636 wrote to memory of 392 1636 svchost.exe 4 PID 1636 wrote to memory of 392 1636 svchost.exe 4 PID 1636 wrote to memory of 392 1636 svchost.exe 4 PID 1636 wrote to memory of 432 1636 svchost.exe 5 PID 1636 wrote to memory of 432 1636 svchost.exe 5 PID 1636 wrote to memory of 432 1636 svchost.exe 5 PID 1636 wrote to memory of 432 1636 svchost.exe 5 PID 1636 wrote to memory of 432 1636 svchost.exe 5 PID 1636 wrote to memory of 476 1636 svchost.exe 6 PID 1636 wrote to memory of 476 1636 svchost.exe 6 PID 1636 wrote to memory of 476 1636 svchost.exe 6 PID 1636 wrote to memory of 476 1636 svchost.exe 6 PID 1636 wrote to memory of 476 1636 svchost.exe 6 PID 1636 wrote to memory of 492 1636 svchost.exe 7 PID 1636 wrote to memory of 492 1636 svchost.exe 7 PID 1636 wrote to memory of 492 1636 svchost.exe 7 PID 1636 wrote to memory of 492 1636 svchost.exe 7 PID 1636 wrote to memory of 492 1636 svchost.exe 7 PID 1636 wrote to memory of 500 1636 svchost.exe 8 PID 1636 wrote to memory of 500 1636 svchost.exe 8 PID 1636 wrote to memory of 500 1636 svchost.exe 8 PID 1636 wrote to memory of 500 1636 svchost.exe 8 PID 1636 wrote to memory of 500 1636 svchost.exe 8
Processes
(image path | command line | PID; indentation shows parent/child depth; signatures listed as bullets under the process)

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:336
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:384
C:\Windows\system32\wininit.exe | wininit.exe | PID:392
  C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:476
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:600
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2028
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID:1520
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:676
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:760
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:804
      C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:840
      C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:2736
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:964
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:272
    C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:352
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1064
    C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1104
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID:1396
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:984
    C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:2464
  C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:492
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:500
C:\Windows\system32\winlogon.exe | winlogon.exe | PID:432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1196
  C:\Users\Admin\AppData\Local\Temp\47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\47f0682b499469e0c38adb8cbc7bd46a_JaffaCakes118.exe" | PID:2500
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:1988
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:776
        - Modifies WinLogon for persistence
        - Drops file in System32 directory
        - Drops file in Program Files directory
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:1636
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156KB
MD5: 47f0682b499469e0c38adb8cbc7bd46a
SHA1: 458da22900e17a270173de6a02dd90b75d7f402a
SHA256: f50b428eb35286adf0ed9c726c01a50aec44e5b4de145a411f17b76f8731d07c
SHA512: 80e81da4c151bec23c1b9113859333c2083aae82808db174968d574d2c6431d4af814c91a5a2d81b912e30428ed1448bb153c9bbb9f76dbc73b5e1bb531d3f49

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 326KB
MD5: e0b03dc8dacb5d9f720c6f1716b88268
SHA1: 74f115360b1dfc956f2554c84a2ccc9ee7a2f14e
SHA256: 8be004801335e780ca0e2ea4dadb2a012c30f634ac9d38b6afa386f33ca1f34f
SHA512: 07fbd8d67b6226559cab5ce5463d90ad31eaf5d7063cfd23d52837cae4d9828fad26c995b06a0bd249cbb6e743b720d49944427174f57f04344c7497411a725a

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 322KB
MD5: b79f848ab72dc59a429bf2cc7d772a7c
SHA1: 9c08ce7a9b5ecedd13b69d50359c02a91582e419
SHA256: 94f2d1449ff85f5469a0ef028be313daf317f9855d6a2cc3eaf9b4dd25ab5879
SHA512: 46cee80f01de6e43047d23bb5269f10ca7b0d4b431297001855a4f0728d8e01d945f809f08896ee9cc58bda0111fe6b4c633b143892e89b93b825fedd7f41e17