Analysis

max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: 1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe
  Resource: win7-20240903-en
General

Target: 1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe
Size: 121KB
MD5: 1031a7522135743752fcdeb85cb09927
SHA1: 26390eb7153fa98099e19f89f3d4556ca472597c
SHA256: 239b147235909178af52bb8a20f20c01fe3e6d55306e0942c0e656307e573e37
SHA512: 4ae65497dcfb46b9dde5e3123a1d9ce891f58218befe499a02aa71d9d668afc991405f94674e6db1756bd2ce7549ae83d2a0d1ec71a0be2a5428c3ac0b147a8b
SSDEEP: 768:9Qxkwi8BsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2z:98kwiWTEhU4HDa1KkjWXUa21mc/Mue9K
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  (process: svchost.exe)
  Note: the value keeps a bare "userinit.exe" in front so the real logon shell still starts, and appends the dropped WaterMark.exe after the comma. The key path contains Wow6432Node, i.e. the write came from a 32-bit process (the SysWOW64 svchost.exe, PID 1400 in the process tree) and WOW64 redirected it into the 32-bit registry view. The 64-bit winlogon.exe consults the native key, so a hunt for this persistence has to inspect both the native Winlogon key and its Wow6432Node view.
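The Userinit check a responder would run over exported registry values, as an added Python example that is not part of the sandbox report. The key path and value are transcribed from the signature above (the report shows the path with doubled backslashes, its own display escaping; here it is a raw string); the function names and the "stock value" constant are this example's own assumptions, not something the report states.

```python
"""Added example, not part of the sandbox report: parse a Winlogon Userinit value
and report entries that are not the stock userinit.exe, and tell whether the key
was written into the WOW64 (32-bit) registry view."""
import ntpath

# Stock value on a clean Windows install (trailing comma included). Assumed here.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Key and value as recorded by the sandbox. The Wow6432Node component shows
# the writer was a 32-bit process that WOW64 redirected into the 32-bit view.
OBSERVED_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
OBSERVED_VALUE = r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"

# The native key the 64-bit winlogon.exe reads.
NATIVE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value: str) -> list:
    """Winlogon launches every comma-separated program in Userinit in turn."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_entries(value: str) -> list:
    """Return the entries that are not the stock userinit.exe.

    A bare 'userinit.exe' is tolerated: CreateProcess resolves it along the
    standard search path, starting with winlogon.exe's own directory
    (System32), which is why the malware can drop the directory and still
    keep the real logon shell working.
    """
    flagged = []
    for entry in split_userinit(value):
        name = ntpath.basename(entry).lower()
        directory = ntpath.dirname(entry).lower()
        if name == "userinit.exe" and directory in ("", r"c:\windows\system32"):
            continue
        flagged.append(entry)
    return flagged


def is_wow64_view(key_path: str) -> bool:
    """True when the key sits under Wow6432Node. On x64 the 64-bit winlogon.exe
    reads the native key, so a hunt must inspect both views, not just one."""
    return "\\wow6432node\\" in key_path.lower()


def assess(key_path: str, value: str) -> dict:
    """Combine both checks into one finding for the analyst."""
    return {
        "key": key_path,
        "wow64_view": is_wow64_view(key_path),
        "extra_entries": suspicious_entries(value),
        "clean": value.strip().lower() == DEFAULT_USERINIT.lower(),
    }


if __name__ == "__main__":
    print(assess(OBSERVED_KEY, OBSERVED_VALUE))
```

Run against the recorded value, the only extra entry is the WaterMark.exe path, and the key is reported as the WOW64 view; run against the stock value under the native key, it reports clean.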
Executes dropped EXE (1 IoC)
  PID 2344  WaterMark.exe

Loads dropped DLL (2 IoCs)
  PID 2384  1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe  (2 events)
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\dmlconf.dat  (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat  (process: svchost.exe)
  Note: the signature says System32 but the recorded path is SysWOW64, again because the writer is a 32-bit svchost.exe and the file-system redirector maps its System32 to SysWOW64.

UPX packer (yara rule "upx" on memory dumps, behavioral1)
  memory/2384-1-0x0000000000400000-0x0000000000426000-memory.dmp
  memory/2344-13-0x0000000000400000-0x0000000000426000-memory.dmp
  memory/2344-40-0x0000000000400000-0x0000000000426000-memory.dmp
  memory/2344-49-0x0000000000400000-0x0000000000426000-memory.dmp
  memory/2344-571-0x0000000000400000-0x0000000000426000-memory.dmp
  Note: the sample (PID 2384) and the dropped WaterMark.exe (PID 2344) have identical image ranges (0x400000-0x426000), consistent with WaterMark.exe being a copy of the sample.
Drops file in Program Files directory (64 IoCs)
  All 64 events are "File opened for modification" by svchost.exe. Targets are existing .exe, .dll and .html files across Program Files and Program Files (x86):
  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
  C:\Program Files\Java\jre7\bin\jaas_nt.dll
  C:\Program Files\Java\jre7\bin\jawt.dll
  C:\Program Files\Java\jre7\bin\jp2iexp.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll
  C:\Program Files\VideoLAN\VLC\uninstall.exe
  C:\Program Files\Windows Defender\MpClient.dll
  C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL
  C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html
  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\Java\jre7\bin\hprof.dll
  C:\Program Files\VideoLAN\VLC\axvlc.dll
  C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll
  C:\Program Files\Windows Journal\JNWDRV.dll
  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  C:\Program Files\Mozilla Firefox\freebl3.dll
  C:\Program Files\Mozilla Firefox\mozavcodec.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll
  C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html
  C:\Program Files\Java\jre7\bin\splashscreen.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll
  C:\Program Files\Java\jre7\bin\ssvagent.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll
  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: WaterMark.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  PID 2344  WaterMark.exe  (8 events)
  PID 3048  svchost.exe  (29 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 2344  WaterMark.exe
  Token: SeDebugPrivilege  PID 3048  svchost.exe
  Token: SeDebugPrivilege  PID 2344  WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Grouped by writer and target (the report lists each call separately; the last column is the target's index in the Processes table):

  writer PID  writer process                                       target PID  target process   events  target index
  2384        1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe   2344        WaterMark.exe    4       30
  2344        WaterMark.exe                                        1400        svchost.exe      10      31
  2344        WaterMark.exe                                        3048        svchost.exe      10      32
  3048        svchost.exe                                          256         smss.exe         5       1
  3048        svchost.exe                                          332         csrss.exe        5       2
  3048        svchost.exe                                          380         wininit.exe      5       3
  3048        svchost.exe                                          388         csrss.exe        5       4
  3048        svchost.exe                                          428         winlogon.exe     5       5
  3048        svchost.exe                                          472         services.exe     5       6
  3048        svchost.exe                                          488         lsass.exe        5       7
  3048        svchost.exe                                          496         lsm.exe          5       8

  The chain is sample -> WaterMark.exe -> two SysWOW64 svchost.exe instances, after which PID 3048 writes into every early-boot system process on the host.
Processes
  (tree by nesting; each entry: image path, command line, PID; signature hits under the sample's branch)

C:\Windows\System32\smss.exe  cmd: \SystemRoot\System32\smss.exe  PID 256
C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID 332
C:\Windows\system32\wininit.exe  cmd: wininit.exe  PID 380
  C:\Windows\system32\services.exe  cmd: C:\Windows\system32\services.exe  PID 472
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch  PID 588
      C:\Windows\system32\wbem\wmiprvse.exe  cmd: C:\Windows\system32\wbem\wmiprvse.exe  PID 1236
      C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 1496
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS  PID 668
    C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  PID 744
    C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  PID 808
      C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID 1160
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs  PID 836
      C:\Windows\system32\wbem\WMIADAP.EXE  cmd: wmiadap.exe /F /T /R  PID 1136
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService  PID 964
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService  PID 112
    C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe  PID 1020
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  PID 1072
    C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID 1112
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"  PID 2044
    C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  PID 2256
    C:\Windows\system32\sppsvc.exe  cmd: C:\Windows\system32\sppsvc.exe  PID 2480
  C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe  PID 488
  C:\Windows\system32\lsm.exe  cmd: C:\Windows\system32\lsm.exe  PID 496
C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID 388
C:\Windows\system32\winlogon.exe  cmd: winlogon.exe  PID 428
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID 1196
  C:\Users\Admin\AppData\Local\Temp\1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe"  PID 2384
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\WaterMark.exe  cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID 2344
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  PID 1400
        - Modifies WinLogon for persistence
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\system32\svchost.exe  PID 3048
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

  Note on the two svchost.exe children of WaterMark.exe: a legitimate svchost.exe is a child of services.exe and carries a "-k <group>" argument; these two have neither. Their command line says system32 while the mapped image is SysWOW64, because a 32-bit parent launching "system32\svchost.exe" is redirected by WOW64 to the 32-bit copy.
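Two detections a responder would run over a process tree and WriteProcessMemory log of this shape, as an added Python example that is not part of the sandbox report. The process records are transcribed from the tree above (parent PIDs come from its nesting, the csrss.exe command lines are shortened) and the write pairs are expanded from the WriteProcessMemory counts; the record fields, the list of "core OS" processes and the function names are this example's own assumptions.

```python
"""Added example, not part of the sandbox report: flag svchost.exe instances that
break the normal parent/argument/image pattern, and summarise cross-process
writes into core OS processes, over records transcribed from the report."""
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent
    image: str            # path of the executable the kernel mapped
    cmdline: str          # command line as recorded


# Transcribed from the Processes tree (csrss command lines shortened).
PROCS = [
    Proc(256, None, r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(332, None, r"C:\Windows\system32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
    Proc(380, None, r"C:\Windows\system32\wininit.exe", "wininit.exe"),
    Proc(472, 380, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    Proc(588, 472, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k DcomLaunch"),
    Proc(488, 380, r"C:\Windows\system32\lsass.exe", r"C:\Windows\system32\lsass.exe"),
    Proc(496, 380, r"C:\Windows\system32\lsm.exe", r"C:\Windows\system32\lsm.exe"),
    Proc(388, None, r"C:\Windows\system32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"),
    Proc(428, None, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Proc(1196, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2384, 1196, r"C:\Users\Admin\AppData\Local\Temp\1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1031a7522135743752fcdeb85cb09927_JaffaCakes118.exe"'),
    Proc(2344, 2384, r"C:\Program Files (x86)\Microsoft\WaterMark.exe", r'"C:\Program Files (x86)\Microsoft\WaterMark.exe"'),
    Proc(1400, 2344, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(3048, 2344, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
]

# (writer PID, target PID) pairs expanded from the WriteProcessMemory signature counts.
WRITES = (
    [(2384, 2344)] * 4
    + [(2344, 1400)] * 10
    + [(2344, 3048)] * 10
    + [(3048, t) for t in (256, 332, 380, 388, 428, 472, 488, 496) for _ in range(5)]
)

# Early-boot processes nothing in user land should be writing into (assumed list).
CORE_OS = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "lsm.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def svchost_anomalies(procs):
    """Flag svchost.exe instances that break the normal pattern: a child of
    services.exe, started with a '-k <group>' argument, with the mapped image
    in the directory the command line names. A SysWOW64 image behind a
    system32 command line means a 32-bit parent hit file-system redirection."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _name(p.image) != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or _name(parent.image) != "services.exe":
            reasons.append("parent is not services.exe")
        if " -k " not in p.cmdline:
            reasons.append("no service group (-k)")
        cmd_path = p.cmdline.split(" -k ")[0].strip('"')
        if ntpath.dirname(cmd_path).lower() != ntpath.dirname(p.image).lower():
            reasons.append("image directory differs from command-line path")
        if reasons:
            hits.append((p.pid, reasons))
    return hits


def writes_into_core_os(procs, writes):
    """Per writer PID, count WriteProcessMemory calls whose target is a core OS
    process. One user-mode process touching every early-boot process is a
    strong injection indicator regardless of what bytes it wrote."""
    by_pid = {p.pid: p for p in procs}
    summary = {}
    for src, dst in writes:
        target = by_pid.get(dst)
        if target and _name(target.image) in CORE_OS:
            summary.setdefault(src, Counter())[_name(target.image)] += 1
    return summary


if __name__ == "__main__":
    for pid, why in svchost_anomalies(PROCS):
        print(f"svchost PID {pid}: {', '.join(why)}")
    for src, targets in writes_into_core_os(PROCS, WRITES).items():
        print(f"PID {src} wrote into {sum(targets.values())} core-OS process calls: {dict(targets)}")
```

On these records the service-hosted svchost.exe (PID 588) passes all three checks, both WaterMark.exe children (PIDs 1400 and 3048) fail all three, and PID 3048 is the only writer that touched core OS processes: 40 calls spread over all seven names, csrss.exe counted twice because two instances exist.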
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded; hashes match the submitted sample in General)
  Filesize: 121KB
  MD5: 1031a7522135743752fcdeb85cb09927
  SHA1: 26390eb7153fa98099e19f89f3d4556ca472597c
  SHA256: 239b147235909178af52bb8a20f20c01fe3e6d55306e0942c0e656307e573e37
  SHA512: 4ae65497dcfb46b9dde5e3123a1d9ce891f58218befe499a02aa71d9d668afc991405f94674e6db1756bd2ce7549ae83d2a0d1ec71a0be2a5428c3ac0b147a8b

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 255KB
  MD5: cf846008cc7cd8dc35b35b7364c7f402
  SHA1: a6e8d706fc4597f23115f96ce7292cdfb4e7b60e
  SHA256: df34c641643cf244a4c1357735660fca7550840fe93c9e4a2b230e6bccce0ec1
  SHA512: 302367e3412082ee709e92584f8edea8b28fdc2c5dfe52d6dae0b53158fe9880190a46b2e6ab2d45a3bc76ab80cbfb171ad5ee57c95ed8761975c2c4dcc60c8f

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 251KB
  MD5: 2c4724250f0ee18074d584c5263a6bc2
  SHA1: bf302d37e2bc51ef67c8f1664c216ca19db34ae1
  SHA256: 50e839ead96428aa647b9133319fc1f8f369593a37b8204ce79a57b04cd0e249
  SHA512: 8eeac12c1701ce79b901eba2f7963d76314ad94e3407be9b7c46bffba2049c47b0d71f2c6718c38fa6191a8009fc6319bc569478dd4dc66ef130cc91f1352e2a