Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 12:16
Behavioral task: behavioral1
  Sample: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
Size: 68KB
MD5: 0e08cd297f96d093d2a76f874664775b
SHA1: b023b4fc98d1e8b2bf0d8c1e09680fbe2eeaabf1
SHA256: 8482ec09595a70a84a13c0a07f5e7d68b1b790951d12c0c46ddf98c03d40005e
SHA512: 7a1c1d3863342daf921e16c277050b19ab58f5d0e73449159662256e76410bbfa796b3efc7923e0eca3b08ff9843aaa40ab7b1ebbbb4717ba7050ce25236e79b
SSDEEP: 1536:+MXxVulAmfx/Wz30ZkHuM4ymdgIfG133EqKopXIwOpruPGBxrzbu1N3MdZRHQi0:psVS3Ckr0NCJpXBkruPG73AMdfH9
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
Processes:
  PID 4520 takeown.exe
  PID 4416 icacls.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe)
Deletes itself (1 IoC)
Processes:
  PID 4000 regsvr32.exe
Loads dropped DLL (1 IoC)
Processes:
  PID 4000 regsvr32.exe
Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  PID 4520 takeown.exe
  PID 4416 icacls.exe
Processes:
  resource: behavioral2/memory/4384-0-0x0000000000400000-0x0000000000421000-memory.dmp, yara_rule: upx
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
Drops file in System32 directory (3 IoCs)
Processes:
  File opened for modification: C:\Windows\SysWOW64\apa.dll (regsvr32.exe)
  File created: C:\Windows\SysWOW64\rpcss.dll (regsvr32.exe)
  File opened for modification: C:\Windows\SysWOW64\rpcss.dll (regsvr32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  PID 4000 regsvr32.exe (listed 6 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 4000 regsvr32.exe
  Token: SeTakeOwnershipPrivilege, PID 4520 takeown.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (source PID and process -> target PID and process):
  PID 4384 0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe wrote to memory of PID 4000 regsvr32.exe (3 times)
  PID 4000 regsvr32.exe wrote to memory of PID 4520 takeown.exe (3 times)
  PID 4000 regsvr32.exe wrote to memory of PID 4416 icacls.exe (3 times)
  PID 4000 regsvr32.exe wrote to memory of PID 804 svchost.exe
Processes
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e57446b.tmp ,C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f "C:\Windows\system32\rpcss.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\~~e57446b.tmp
  Filesize: 1.0MB
  MD5: dcf6a68f34bd65462c8f116908838e43
  SHA1: 441503cc74b5d8b12e7291c05ebc9aadd7072225
  SHA256: 36545f22411ccd3a63914092b8b83f60782d7ef157b5fe31da7a7118d8bdb186
  SHA512: 1d01f8f8d414dab670bbe2bd18dba868876e9883f9993a0a57b60a515bba7f0b9478697de49c6747942e94626519b3390b447cccb666d9da0cc2ceee5862052e
C:\Windows\SysWOW64\apa.dll
  Filesize: 225B
  MD5: fabdc8f73f0adc5a4172ebd0fa21007e
  SHA1: 901127f021cf5227ba3d56ea0248245dd6b392ed
  SHA256: a625ed2d7cfe44cf4ba6840e335dfefaec71eb837ec9e83af65fe6513c18d830
  SHA512: a35f08bb54ffa858dc9907fc26bda50f0486c784f39e0fe0905259645c205985ad7d10a12b41e5e4e0bfeb1253f69f232baeabc7b9647d309e4738f9e3f028a4
memory/4384-0-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB