Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 19:12
Static task
static1
Behavioral task
behavioral1
Sample
10337612da603f1161073c76d05d688f_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
10337612da603f1161073c76d05d688f_JaffaCakes118.dll
-
Size
200KB
-
MD5
10337612da603f1161073c76d05d688f
-
SHA1
25f1156fc48b4e228e5b82ae3a5abbb3b488daa1
-
SHA256
ced6fbce9082d81bfcd1667693a93057a0a19c00af72d6d797681fd84b9ee54a
-
SHA512
f8927557114c81163a2261fcc42d92f771de1143e709b7e112b3daaf3ec152db89d2941686e575035316c1d2846d19f2a3642c16c2ddd779276e574d6bf8ecc9
-
SSDEEP
3072:fNEqkap78EQfA32wSYHj7oJjKetpsHV0l3LSIVJxb/ymJywQyis:FEqkE4uHholKetpsWk+b/pywQyP
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 3496 rundll32Srv.exe 4900 rundll32Srvmgr.exe 4028 DesktopLayer.exe 776 DesktopLayermgr.exe -
Loads dropped DLL 2 IoCs
pid Process 4900 rundll32Srvmgr.exe 776 DesktopLayermgr.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe File created C:\Windows\SysWOW64\rundll32Srvmgr.exe rundll32Srv.exe -
resource yara_rule behavioral2/files/0x0009000000023390-3.dat upx behavioral2/memory/3496-4-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/4028-19-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral2/memory/4900-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-13-0x0000000000400000-0x0000000000447000-memory.dmp upx -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\px8CFE.tmp rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe DesktopLayer.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 392 776 WerFault.exe 86 4928 4900 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayermgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32Srv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32Srvmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayer.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1431331834" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7FD70BEA-81BB-11EF-BFD9-66FD5BE5AD11} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1486175737" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1431331834" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135176" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135176" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135176" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135176" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1486175737" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434747752" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe 4028 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3472 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3472 iexplore.exe 3472 iexplore.exe 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 4540 wrote to memory of 5048 4540 rundll32.exe 82 PID 4540 wrote to memory of 5048 4540 rundll32.exe 82 PID 4540 wrote to memory of 5048 4540 rundll32.exe 82 PID 5048 wrote to memory of 3496 5048 rundll32.exe 83 PID 5048 wrote to memory of 3496 5048 rundll32.exe 83 PID 5048 wrote to memory of 3496 5048 rundll32.exe 83 PID 3496 wrote to memory of 4900 3496 rundll32Srv.exe 84 PID 3496 wrote to memory of 4900 3496 rundll32Srv.exe 84 PID 3496 wrote to memory of 4900 3496 rundll32Srv.exe 84 PID 3496 wrote to memory of 4028 3496 rundll32Srv.exe 85 PID 3496 wrote to memory of 4028 3496 rundll32Srv.exe 85 PID 3496 wrote to memory of 4028 3496 rundll32Srv.exe 85 PID 4028 wrote to memory of 776 4028 DesktopLayer.exe 86 PID 4028 wrote to memory of 776 4028 DesktopLayer.exe 86 PID 4028 wrote to memory of 776 4028 DesktopLayer.exe 86 PID 4028 wrote to memory of 3472 4028 DesktopLayer.exe 87 PID 4028 wrote to memory of 3472 4028 DesktopLayer.exe 87 PID 3472 wrote to memory of 4480 3472 iexplore.exe 91 PID 3472 wrote to memory of 4480 3472 iexplore.exe 91 PID 3472 wrote to memory of 4480 3472 iexplore.exe 91
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10337612da603f1161073c76d05d688f_JaffaCakes118.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\rundll32Srvmgr.exeC:\Windows\SysWOW64\rundll32Srvmgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 101765⤵
- Program crash
PID:4928
-
-
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"C:\Program Files (x86)\Microsoft\DesktopLayermgr.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 101766⤵
- Program crash
PID:392
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3472 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4480
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4900 -ip 49001⤵PID:4176
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 776 -ip 7761⤵PID:4152
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5f8434f362add5334f4f050f4b4b373a7
SHA1f5915cb0d72c8faffe11126bc29da1b1db8092bc
SHA256d34b378ede04c585c2bff8cf32112904e8512ee80c5a9fbb34ba224d8dbc868b
SHA5126c6b4ea2b0e37a346145ee2814789d9da4c2688aff1c3e1cced16a620e8dc81566670336a3fe8a510b1754bbac6c3c6ac20aa7e20359b9c322bb220b50ac30b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD56de4427d02d49cee2c46a8fead1fafa8
SHA1bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA25646d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD51c22da1a91e0cea40d82919c5a90295d
SHA19671b1b0f396b0f81893ad3a3b72a3293f4a43b6
SHA256d55e46eda70ab824d5f036793f9876c69828adffd3dc51d3688198abf42c46d3
SHA512cf8d01819f2cd00c20c8b57631b403b44683703c9592486e82380794e0261af337727cdf9202032d53cd6cece9fec463287c8b47be6827b934e67745638bc4e4
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
152KB
MD52c60a0eb60587e6e9dbd389576a30d91
SHA19fc335861b437bb6cb3079fb07e420d8f39a4b12
SHA256e8452f0b8c328b8737d3244729cfb9b5e4295167bfda075b2679c0c9978ab631
SHA51210f7f201c1c6a36d23df72bf333663de844b7dc1b7ab7cdfeb787e66bff2bc47cda3dbe96db2d6ecb2b33364923c8334310ba1a00937e7de3e1cf8e4869e3697