Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 16/01/2025, 06:26
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
- Size: 112KB
- MD5: 6dcfa9e1f6477356a7e6986c692abaee
- SHA1: d0ec609fd686286e818d78d163137e3854743b6d
- SHA256: 2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a
- SHA512: 74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3
- SSDEEP: 1536:lVZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEjD0N9Y6js+uTAbeP:1nxwgxgfR/DVG7wBpEsNDj4AU
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 1 IoCs
pid   Process
4268  WaterMark.exe
-
resource                                                                      yara_rule
behavioral2/memory/2624-4-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/2624-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2624-9-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/2624-8-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/2624-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/4268-30-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/4268-27-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/2624-3-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/2624-2-0x0000000000400000-0x0000000000421000-memory.dmp    upx
behavioral2/memory/4268-37-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral2/memory/4268-38-0x0000000000400000-0x00000000004CB000-memory.dmp   upx
behavioral2/memory/4268-39-0x0000000000400000-0x0000000000421000-memory.dmp   upx
-
Drops file in Program Files directory 3 IoCs
description                   ioc                                              Process
File opened for modification  C:\Program Files (x86)\Microsoft\px6F73.tmp      JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe   JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe   JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
3768  1204        WerFault.exe  83
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
-
Modifies Internet Explorer settings
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1165EC5-D3D2-11EF-ADF2-CA65FB447F0B} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3045996568"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3045996568"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E118C121-D3D2-11EF-ADF2-CA65FB447F0B} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443773789"  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3047559550"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3047559550"  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31156191"  IEXPLORE.EXE
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid   Process
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
4268  WaterMark.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  4268  WaterMark.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
3764  iexplore.exe
3928  iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
3928  iexplore.exe
3928  iexplore.exe
3764  iexplore.exe
3764  iexplore.exe
436   IEXPLORE.EXE
436   IEXPLORE.EXE
1256  IEXPLORE.EXE
1256  IEXPLORE.EXE
436   IEXPLORE.EXE
436   IEXPLORE.EXE
-
Suspicious use of UnmapMainImage 2 IoCs
pid   Process
2624  JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
4268  WaterMark.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description                        pid   Process                                              procid_target
PID 2624 wrote to memory of 4268   2624  JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe  82
PID 2624 wrote to memory of 4268   2624  JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe  82
PID 2624 wrote to memory of 4268   2624  JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe  82
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 1204   4268  WaterMark.exe                                        83
PID 4268 wrote to memory of 3764   4268  WaterMark.exe                                        87
PID 4268 wrote to memory of 3764   4268  WaterMark.exe                                        87
PID 4268 wrote to memory of 3928   4268  WaterMark.exe                                        88
PID 4268 wrote to memory of 3928   4268  WaterMark.exe                                        88
PID 3764 wrote to memory of 436    3764  iexplore.exe                                         90
PID 3764 wrote to memory of 436    3764  iexplore.exe                                         90
PID 3764 wrote to memory of 436    3764  iexplore.exe                                         90
PID 3928 wrote to memory of 1256   3928  iexplore.exe                                         89
PID 3928 wrote to memory of 1256   3928  iexplore.exe                                         89
PID 3928 wrote to memory of 1256   3928  iexplore.exe                                         89
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dcfa9e1f6477356a7e6986c692abaee.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2624
    C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:4268
        C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        PID:1204
            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 208
            - Program crash
            PID:3768
        C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:3764
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3764 CREDAT:17410 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID:436
        C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:3928
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3928 CREDAT:17410 /prefetch:2
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID:1256
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1204 -ip 1204
PID:3208
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 112KB
MD5 6dcfa9e1f6477356a7e6986c692abaee
SHA1 d0ec609fd686286e818d78d163137e3854743b6d
SHA256 2ce0b6461c8e68ab43fc51d9e0b71e8709db9a30f5dfa7cea845e4ad5ee8ac1a
SHA512 74bdfdfd625843eb274a221a861362702f5660f581bc199b31b1689b0462edc40e72718e3fd44700a435fedd73020f02196a13be2c744e5717942186324d99d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 471B
MD5 9e22a9c34466faf7bc9cf642444b3f30
SHA1 0ac45262532cce40083cc9049fb12d4efb06c01f
SHA256 57569469879a3144b391cf9def258ad9ef29d7fd1d3d70a28cfb506443d7a119
SHA512 c60649fb0ecdd14c9a6d8f9ea7ac4356b24a5e1a238705bbc8294b72ea2fda21965af200746ae20dd5f45e386fc30e2189de6007e08ff3d7ec72b8dfc39435fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize 404B
MD5 73f9b0ed2c3d3ac130615bf6a684f27e
SHA1 71ba303e99623424e9fef9aafd0bb7dabd758850
SHA256 c14dc12e0168fd5cafb3e79a357dd0cf6fd88b6383e783fbbae3f95a2c7b5972
SHA512 6c40b50b34e585962adcd294429c6d163372bb26b874d061be80878d938fd8f3dd362686622253bc0091057ee7bdae098a2212d6b2c4c756ce9bb12aa3842251
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1165EC5-D3D2-11EF-ADF2-CA65FB447F0B}.dat
Filesize 5KB
MD5 6cc4c2115ee73f98aa06ac923cd0c2eb
SHA1 8abb0bfec058d8367258623a8e2575716140483a
SHA256 012bccd3217a3a820efaeb4c96b4c30bae67e531dc3b8b703ddba1c9907f9fcc
SHA512 f13dd33db459b3573a3bde6968ea0d4bac678a21a9f9cc6cd434691722b273c67d6424a8a2af42e8791f48c91a338573d374feb0c17fdc4af01a1144200aa658
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E118C121-D3D2-11EF-ADF2-CA65FB447F0B}.dat
Filesize 3KB
MD5 67c9b108b7d243af95c9ff53292a82f8
SHA1 ab595a6ca5a8f7cf099d5368d8a4014e5c93afe3
SHA256 fd3b5edf3e6d61b1b8704e1cf23460f8ba8058dd94c613c23e6a2f02644e8dac
SHA512 d6b2c909e7253de4797979000d28cfe27f4ba294be50160b33670b9c90f60b95fd90de4bbf9194bd92301e6623901362b4d7eccdc488d5a595ce7343158054cf
-
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee