be39e5680f06b8b03772e880ea622aa4a75ce381d13c8c285954c197281afe84

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
Size

108KB
MD5

0a9319f703bf6a53735f04958044e557
SHA1

54143a9c60eed4204cb3adb161e12d3c3b5550bc
SHA256

be39e5680f06b8b03772e880ea622aa4a75ce381d13c8c285954c197281afe84
SHA512

a5cc37d0676814cd0ec5138383e81baa4ec2cb7f459b7f05602a12f4ac36f8b6e503b364ba43245f2eb8db8ca79f67bf4cc20ea986e89887eac12d559fc70270
SSDEEP

1536:jSXz96Wg+1yMC8nTAd/visDXWBiNLk6l2xyQFtVltJQCHCPjZ747Joxl:ibJpnTAd3iOmBiN46syQFtACibsS

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

2496 icacls.exe
2688 takeown.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

2468 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2468 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2688 takeown.exe
2496 icacls.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

pid	process
2496	icacls.exe
2688	takeown.exe

pid	process
2468	regsvr32.exe

pid	process
2468	regsvr32.exe

pid	process
2688	takeown.exe
2496	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

2468 regsvr32.exe
2468 regsvr32.exe
2468 regsvr32.exe
2468 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32.exetakeown.exe

description pid process

Token: SeDebugPrivilege 2468 regsvr32.exe
Token: SeTakeOwnershipPrivilege 2688 takeown.exe

pid	process
2468	regsvr32.exe
2468	regsvr32.exe
2468	regsvr32.exe
2468	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	2468	regsvr32.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

0a9319f703bf6a53735f04958044e557_JaffaCakes118.exeregsvr32.exe

description	pid	process	target process
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2468	1728	0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe	regsvr32.exe
PID 2468 wrote to memory of 2688	2468	regsvr32.exe	takeown.exe
PID 2468 wrote to memory of 2688	2468	regsvr32.exe	takeown.exe
PID 2468 wrote to memory of 2688	2468	regsvr32.exe	takeown.exe
PID 2468 wrote to memory of 2688	2468	regsvr32.exe	takeown.exe
PID 2468 wrote to memory of 2496	2468	regsvr32.exe	icacls.exe
PID 2468 wrote to memory of 2496	2468	regsvr32.exe	icacls.exe
PID 2468 wrote to memory of 2496	2468	regsvr32.exe	icacls.exe
PID 2468 wrote to memory of 2496	2468	regsvr32.exe	icacls.exe
PID 2468 wrote to memory of 616	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 616	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 696	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 696	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 764	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 764	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 836	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 836	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 876	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 876	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 984	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 984	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 304	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 304	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 1188	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 1188	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 2096	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 2096	2468	regsvr32.exe	svchost.exe
PID 2468 wrote to memory of 2420	2468	regsvr32.exe	cmd.exe
PID 2468 wrote to memory of 2420	2468	regsvr32.exe	cmd.exe
PID 2468 wrote to memory of 2420	2468	regsvr32.exe	cmd.exe
PID 2468 wrote to memory of 2420	2468	regsvr32.exe	cmd.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\f7615a3~.tmp ,C:\Users\Admin\AppData\Local\Temp\0a9319f703bf6a53735f04958044e557_JaffaCakes118.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:2420

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f7615a3~.tmp
Filesize
1020KB

MD5
b016f0b91d083319c2d388e9464d1778

SHA1
8fe8c6d6392cb15ea15341eea46757527625afc8

SHA256
bf2255d73b7d528f0bab9b166279dd90c9b15bbba6e17a0a24be4a988df1d1d2

SHA512
95a2939de7aa9cc119d177d9bde630bb20f36bdb16a1f63671d8bbf7261b9a493db06c4c7f1a61499886865bf11bb7a79b4ae79a0c9799e7f89840e5aa8f695a

Download Submit
C:\Windows\SysWOW64\apa.dll
Filesize
229B

MD5
d866864081b1025ec9cb73b8462c6ed1

SHA1
251603d190bd448bd33157714c130c1bd5c17aeb

SHA256
180c0a37cc370f1498d89030efa06cc3e1f1206a3ae6fa4939911c9700a8c051

SHA512
cf34db99b344ec9fea20f79f39e42590f2af94cd176ed7bb780ed44ab0337a44ed6e616097cb2f2bd6be633f1e2ef2a0263462d327d48f16d7e1a902eca58208

Download Submit
memory/616-12-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download