Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 24-11-2024 07:23
Static task: static1
Behavioral task: behavioral1
Sample: 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
Size: 64KB
MD5: 9346471e3b4106f54d20f2c167c193e7
SHA1: 2e151b1db2a91d08d4f03f31a19d07acaa78f1f7
SHA256: ef6dd6131521b34ab9898d602c4d32740c078e34857d7fc766d2d1e88f0f1291
SHA512: b4cd4909308dd1c2c533dc1da9b44cf220eb641501821ea348bf1d2a83fe1f5dd140ef3974866fa2c79961d31a021420be931d3ce9565c6d6ccd7f6b8df9f204
SSDEEP: 768:2cmBsIqHpm/zP4axYXeW3yWanZ12cDsldKM6cMfdutNYZV5JAmL7VWMXAfTK9rxP:pazpPGdKMrMZP6qZWD6N7gx/m5
Malware Config
Signatures
Ramnit family

Executes dropped EXE 1 IoCs
pid Process
736 WaterMark.exe

UPX packed file 6 IoCs
resource yara_rule
behavioral2/memory/3764-0-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/3764-4-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/736-6-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/736-8-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/736-17-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral2/memory/736-19-0x0000000000400000-0x0000000000421000-memory.dmp upx

Drops file in Program Files directory 3 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft\px7D6D.tmp 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
File created C:\Program Files (x86)\Microsoft\WaterMark.exe 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe

Program crash 1 IoCs
pid pid_target Process procid_target
1856 2368 WerFault.exe 84
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process
736 WaterMark.exe (16 events)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 736 WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
4824 iexplore.exe
4160 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
4824 iexplore.exe (2 events)
4160 iexplore.exe (2 events)
844 IEXPLORE.EXE (4 events)
4220 IEXPLORE.EXE (2 events)

Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 3764 wrote to memory of 736 3764 9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe 83 (3 events)
PID 736 wrote to memory of 2368 736 WaterMark.exe 84 (9 events)
PID 736 wrote to memory of 4160 736 WaterMark.exe 89 (2 events)
PID 736 wrote to memory of 4824 736 WaterMark.exe 90 (2 events)
PID 4824 wrote to memory of 844 4824 iexplore.exe 92 (3 events)
PID 4160 wrote to memory of 4220 4160 iexplore.exe 93 (3 events)
Processes
(depth number = position in the process tree; signatures triggered by each process are listed beneath it)

1  "C:\Users\Admin\AppData\Local\Temp\9346471e3b4106f54d20f2c167c193e7_JaffaCakes118.exe"  PID:3764
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2  "C:\Program Files (x86)\Microsoft\WaterMark.exe"  PID:736
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\svchost.exe (image: C:\Windows\SysWOW64\svchost.exe)  PID:2368
      4  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 204  PID:1856
         - Program crash
    3  "C:\Program Files\Internet Explorer\iexplore.exe"  PID:4160
       - Modifies Internet Explorer settings
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4160 CREDAT:17410 /prefetch:2  PID:4220
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
    3  "C:\Program Files\Internet Explorer\iexplore.exe"  PID:4824
       - Modifies Internet Explorer settings
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4824 CREDAT:17410 /prefetch:2  PID:844
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
1  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2368 -ip 2368  PID:2824
Network
MITRE ATT&CK Enterprise v15
Downloads