Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 20:01
Static task
static1
Behavioral task
behavioral1
Sample
0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
-
Size
108KB
-
MD5
0a9319f703bf6a53735f04958044e557
-
SHA1
54143a9c60eed4204cb3adb161e12d3c3b5550bc
-
SHA256
be39e5680f06b8b03772e880ea622aa4a75ce381d13c8c285954c197281afe84
-
SHA512
a5cc37d0676814cd0ec5138383e81baa4ec2cb7f459b7f05602a12f4ac36f8b6e503b364ba43245f2eb8db8ca79f67bf4cc20ea986e89887eac12d559fc70270
-
SSDEEP
1536:jSXz96Wg+1yMC8nTAd/visDXWBiNLk6l2xyQFtVltJQCHCPjZ747Joxl:ibJpnTAd3iOmBiN46syQFtACibsS
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
icacls.exetakeown.exepid process 2496 icacls.exe 2688 takeown.exe -
Deletes itself 1 IoCs
Processes:
regsvr32.exepid process 2468 regsvr32.exe -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 2468 regsvr32.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 2688 takeown.exe 2496 icacls.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 3 IoCs
Processes:
regsvr32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\apa.dll regsvr32.exe File created C:\Windows\SysWOW64\rpcss.dll regsvr32.exe File opened for modification C:\Windows\SysWOW64\rpcss.dll regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
regsvr32.exepid process 2468 regsvr32.exe 2468 regsvr32.exe 2468 regsvr32.exe 2468 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
regsvr32.exetakeown.exedescription pid process Token: SeDebugPrivilege 2468 regsvr32.exe Token: SeTakeOwnershipPrivilege 2688 takeown.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
0a9319f703bf6a53735f04958044e557_JaffaCakes118.exeregsvr32.exedescription pid process target process PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 1728 wrote to memory of 2468 1728 0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe regsvr32.exe PID 2468 wrote to memory of 2688 2468 regsvr32.exe takeown.exe PID 2468 wrote to memory of 2688 2468 regsvr32.exe takeown.exe PID 2468 wrote to memory of 2688 2468 regsvr32.exe takeown.exe PID 2468 wrote to memory of 2688 2468 regsvr32.exe takeown.exe PID 2468 wrote to memory of 2496 2468 regsvr32.exe icacls.exe PID 2468 wrote to memory of 2496 2468 regsvr32.exe icacls.exe PID 2468 wrote to memory of 2496 2468 regsvr32.exe icacls.exe PID 2468 wrote to memory of 2496 2468 regsvr32.exe icacls.exe PID 2468 wrote to memory of 616 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 616 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 696 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 696 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 764 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 764 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 836 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 836 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 876 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 876 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 984 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 984 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 304 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 304 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 1188 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 1188 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 2096 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 2096 2468 regsvr32.exe svchost.exe PID 2468 wrote to memory of 2420 2468 regsvr32.exe cmd.exe PID 2468 wrote to memory of 2420 2468 regsvr32.exe cmd.exe PID 2468 wrote to memory of 2420 2468 regsvr32.exe cmd.exe PID 2468 wrote to memory of 2420 2468 regsvr32.exe cmd.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation1⤵
-
C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\f7615a3~.tmp ,C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\system32\rpcss.dll"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\system32\rpcss.dll" /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c del %%SystemRoot%%\system32\rpcss.dll~*3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7615a3~.tmpFilesize
1020KB
MD5b016f0b91d083319c2d388e9464d1778
SHA18fe8c6d6392cb15ea15341eea46757527625afc8
SHA256bf2255d73b7d528f0bab9b166279dd90c9b15bbba6e17a0a24be4a988df1d1d2
SHA51295a2939de7aa9cc119d177d9bde630bb20f36bdb16a1f63671d8bbf7261b9a493db06c4c7f1a61499886865bf11bb7a79b4ae79a0c9799e7f89840e5aa8f695a
-
C:\Windows\SysWOW64\apa.dllFilesize
229B
MD5d866864081b1025ec9cb73b8462c6ed1
SHA1251603d190bd448bd33157714c130c1bd5c17aeb
SHA256180c0a37cc370f1498d89030efa06cc3e1f1206a3ae6fa4939911c9700a8c051
SHA512cf34db99b344ec9fea20f79f39e42590f2af94cd176ed7bb780ed44ab0337a44ed6e616097cb2f2bd6be633f1e2ef2a0263462d327d48f16d7e1a902eca58208
-
memory/616-12-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB