Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 12:16
Behavioral task behavioral1
- Sample: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
The signatures, process tree and memory dumps on this page all carry the behavioral1 prefix, i.e. they come from the Windows 7 x64 run; no behavioral2 (Windows 10) data is shown.
General
- Target: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
- Size: 68KB
- MD5: 0e08cd297f96d093d2a76f874664775b
- SHA1: b023b4fc98d1e8b2bf0d8c1e09680fbe2eeaabf1
- SHA256: 8482ec09595a70a84a13c0a07f5e7d68b1b790951d12c0c46ddf98c03d40005e
- SHA512: 7a1c1d3863342daf921e16c277050b19ab58f5d0e73449159662256e76410bbfa796b3efc7923e0eca3b08ff9843aaa40ab7b1ebbbb4717ba7050ce25236e79b
- SSDEEP: 1536:+MXxVulAmfx/Wz30ZkHuM4ymdgIfG133EqKopXIwOpruPGBxrzbu1N3MdZRHQi0:psVS3Ckr0NCJpXBkruPG73AMdfH9
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 1632), icacls.exe (PID 2700)
- Deletes itself (1 IoC)
  Processes: regsvr32.exe (PID 2192)
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe (PID 2192)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1632), icacls.exe (PID 2700)
- YARA rule match: upx (2 IoCs)
  Resources: behavioral1/memory/2428-0-0x0000000000400000-0x0000000000421000-memory.dmp, behavioral1/memory/2428-2-0x0000000000400000-0x0000000000421000-memory.dmp
  Both dumps are the image region (0x400000-0x421000) of the sample's own process, PID 2428, so the UPX match is on the 68KB dropper itself, not on the 1.0MB module it writes to Temp.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP; ATT&CK T1222.001)
- Drops file in System32 directory (3 IoCs)
  Process: regsvr32.exe
  - File opened for modification: C:\Windows\SysWOW64\rpcss.dll
  - File opened for modification: C:\Windows\SysWOW64\apa.dll
  - File created: C:\Windows\SysWOW64\rpcss.dll
  Caveat: every process in this chain is 32-bit (the images run from C:\Windows\SysWOW64), so the C:\Windows\system32\rpcss.dll named on the takeown and icacls command lines is redirected by WOW64 file-system redirection to C:\Windows\SysWOW64\rpcss.dll, which is exactly the file these IoCs show being modified and re-created. The 64-bit copy under C:\Windows\System32 that 64-bit system processes load is not among the files touched.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: regsvr32.exe (PID 2192), three occurrences
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - SeDebugPrivilege: regsvr32.exe (PID 2192)
  - SeTakeOwnershipPrivilege: takeown.exe (PID 1632)
  SeDebugPrivilege is the privilege a process enables before opening a handle with write access to a process it does not own (see the svchost.exe entry under WriteProcessMemory); SeTakeOwnershipPrivilege is what takeown.exe enables to take ownership of a file the caller has no rights to.
- Suspicious use of WriteProcessMemory (16 IoCs)
  - PID 2428 (0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe) wrote to PID 2192 (regsvr32.exe): 7 times
  - PID 2192 (regsvr32.exe) wrote to PID 1632 (takeown.exe): 4 times
  - PID 2192 (regsvr32.exe) wrote to PID 2700 (icacls.exe): 4 times
  - PID 2192 (regsvr32.exe) wrote to PID 596 (svchost.exe): 1 time
  The first fifteen entries are a parent writing into a child it has just created, which is part of how CreateProcess sets up a new process and is reported for every spawn in the tree. The last entry is different: svchost.exe (PID 596, the "-k DcomLaunch" host listed at the top of the process tree) was already running and is not a child of regsvr32.exe, so this is a cross-process write into a system service host. The 4KB dump memory/596-14 (0x1E0000-0x1E1000 in PID 596) listed under Downloads was taken from that process.
Processes
- C:\Windows\system32\svchost.exe (PID 596)
  C:\Windows\system32\svchost.exe -k DcomLaunch
  Pre-existing system process, not started by the sample; it appears in the tree because regsvr32.exe (PID 2192) wrote to its memory.
- C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe (PID 2428)
  "C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2192)
    "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f761cb4.tmp ,C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    The command line names C:\Windows\system32\regsvr32.exe but the 32-bit sample is redirected by WOW64 to the SysWOW64 copy. /s registers the module silently, with no dialog; the module is the 1.0MB ~~f761cb4.tmp the sample dropped into its own Temp directory (hashes under Downloads), so the malicious code runs inside a signed Microsoft host, which is what "Loads dropped DLL" flags. The sample's own path is passed as the trailing argument, and "Deletes itself" is attributed to this regsvr32 process rather than to the sample.
    - C:\Windows\SysWOW64\takeown.exe (PID 1632)
      takeown /f "C:\Windows\system32\rpcss.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 2700)
      icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    takeown followed by icacls /grant administrators:F is the standard two-step for making a TrustedInstaller-owned system file writable by the current administrator; together with "File created: C:\Windows\SysWOW64\rpcss.dll" it shows rpcss.dll being replaced, not merely read.
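The regsvr32 / takeown / icacls chain in the tree above maps directly onto process-creation telemetry. The following Python is an added example, not part of the sandbox report or of the sample: it runs two rules over constructed Sysmon-style process-creation events copied from the tree (the sample's parent PID and the benign control event at the end are assumed), applies WOW64 file-system redirection so that a 32-bit takeown.exe naming C:\Windows\system32\rpcss.dll is compared against the C:\Windows\SysWOW64\rpcss.dll it really touches, and then correlates takeown.exe and icacls.exe hits from the same parent on the same file into one ownership-takeover chain.

```python
import re

# Added example: detection logic for the regsvr32 -> takeown -> icacls chain in
# this report. Not part of the sandbox report or of the sample.
SAMPLE = "0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed Sysmon-style (Event ID 1) process-creation events. PIDs, images
# and command lines are copied from the process tree; the sample's parent PID
# (1000) and the benign control event at the end are assumed.
EVENTS = [
    {"pid": 2428, "ppid": 1000, "image": TEMP + SAMPLE,
     "cmdline": f'"{TEMP}{SAMPLE}"'},
    {"pid": 2192, "ppid": 2428, "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": f'"C:\\Windows\\system32\\regsvr32.exe" /s {TEMP}~~f761cb4.tmp ,{TEMP}{SAMPLE}'},
    {"pid": 1632, "ppid": 2192, "image": "C:\\Windows\\SysWOW64\\takeown.exe",
     "cmdline": 'takeown /f "C:\\Windows\\system32\\rpcss.dll"'},
    {"pid": 2700, "ppid": 2192, "image": "C:\\Windows\\SysWOW64\\icacls.exe",
     "cmdline": 'icacls "C:\\Windows\\system32\\rpcss.dll" /grant administrators:F'},
    # Benign control (assumed): an admin re-granting rights on a profile file.
    {"pid": 3100, "ppid": 3000, "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls "C:\\Users\\Admin\\Documents\\notes.txt" /grant Admin:F'},
]

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    """Minimal Windows command-line tokeniser: quoted strings or bare tokens."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def real_path(image, path):
    """Apply WOW64 file-system redirection: a 32-bit process (image under
    SysWOW64) that names C:\\Windows\\system32\\X actually opens
    C:\\Windows\\SysWOW64\\X, so compare the file that was really touched."""
    if image.lower().startswith(WOW64) and path.lower().startswith(SYS32):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYS32):]
    return path


def is_system_file(path):
    low = path.lower()
    return low.startswith(SYS32) or low.startswith(WOW64)


def permission_target(ev):
    """File a takeown.exe or icacls.exe event changes rights on, or None."""
    args = split_args(ev["cmdline"])
    lower = [a.lower() for a in args]
    name = basename(ev["image"])
    if name == "takeown.exe" and "/f" in lower:
        i = lower.index("/f")
        if i + 1 < len(args):
            return real_path(ev["image"], args[i + 1])
    if name == "icacls.exe" and "/grant" in lower and len(args) > 1:
        return real_path(ev["image"], args[1])
    return None


def detect(events):
    """Return (alerts, chains).

    alerts: one tuple (rule, pid, detail) per matching event.
    chains: (parent pid, parent image, file) where the same parent ran both
            takeown.exe and icacls.exe against the same system file, which is
            the ownership-takeover pattern in this report.
    """
    by_pid = {ev["pid"]: ev for ev in events}
    alerts, touched = [], {}
    for ev in events:
        name = basename(ev["image"])
        lower = [a.lower() for a in split_args(ev["cmdline"])]
        # Rule 1: silent regsvr32 of a module living in a user's Temp directory.
        if name == "regsvr32.exe" and "/s" in lower and \
                any("\\appdata\\local\\temp\\" in a for a in lower):
            alerts.append(("regsvr32_silent_temp_module", ev["pid"], ev["cmdline"]))
        # Rule 2: ownership or ACL change on a file under System32/SysWOW64.
        target = permission_target(ev)
        if target and is_system_file(target):
            alerts.append(("acl_change_on_system_file", ev["pid"], target))
            touched.setdefault((ev["ppid"], target.lower()), set()).add(name)
    chains = []
    for (ppid, path), tools in touched.items():
        if {"takeown.exe", "icacls.exe"} <= tools:
            parent = by_pid.get(ppid)
            chains.append((ppid, basename(parent["image"]) if parent else "?", path))
    return alerts, chains


if __name__ == "__main__":
    found, chains = detect(EVENTS)
    for hit in found:
        print("ALERT", *hit)
    for chain in chains:
        print("CHAIN", *chain)
```

Run as-is it reports the silent regsvr32 of ~~f761cb4.tmp, the two ACL changes resolved to C:\Windows\SysWOW64\rpcss.dll, and one chain attributed to regsvr32.exe (PID 2192); the benign icacls on a file under the user profile produces nothing. On real telemetry the parent-image field is what separates this from installers that legitimately run takeown, so keep it in the chain tuple rather than alerting on takeown or icacls alone.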
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\~~f761cb4.tmp
  - Filesize: 1.0MB
  - MD5: dcf6a68f34bd65462c8f116908838e43
  - SHA1: 441503cc74b5d8b12e7291c05ebc9aadd7072225
  - SHA256: 36545f22411ccd3a63914092b8b83f60782d7ef157b5fe31da7a7118d8bdb186
  - SHA512: 1d01f8f8d414dab670bbe2bd18dba868876e9883f9993a0a57b60a515bba7f0b9478697de49c6747942e94626519b3390b447cccb666d9da0cc2ceee5862052e
- memory/596-14-0x00000000001E0000-0x00000000001E1000-memory.dmp
  - Filesize: 4KB
- memory/2428-0-0x0000000000400000-0x0000000000421000-memory.dmp
  - Filesize: 132KB
- memory/2428-2-0x0000000000400000-0x0000000000421000-memory.dmp
  - Filesize: 132KB