Overview

overview

8

Static

static

7

0e08cd297f...18.exe

windows7-x64

8

0e08cd297f...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    0e08cd297f96d093d2a76f874664775b

  • SHA1

    b023b4fc98d1e8b2bf0d8c1e09680fbe2eeaabf1

  • SHA256

    8482ec09595a70a84a13c0a07f5e7d68b1b790951d12c0c46ddf98c03d40005e

  • SHA512

    7a1c1d3863342daf921e16c277050b19ab58f5d0e73449159662256e76410bbfa796b3efc7923e0eca3b08ff9843aaa40ab7b1ebbbb4717ba7050ce25236e79b

  • SSDEEP

    1536:+MXxVulAmfx/Wz30ZkHuM4ymdgIfG133EqKopXIwOpruPGBxrzbu1N3MdZRHQi0:psVS3Ckr0NCJpXBkruPG73AMdfH9

Score
8/10
defense_evasiondiscoveryexploitupx

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
    defense_evasion
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e57446b.tmp ,C:\Users\Admin\AppData\Local\Temp\0e08cd297f96d093d2a76f874664775b_JaffaCakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\rpcss.dll"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:4520
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4416

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    File and Directory Permissions Modification

    2
    T1222

    Windows File and Directory Permissions Modification

    1
    T1222.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~~e57446b.tmp
      Filesize

      1.0MB

      MD5

      dcf6a68f34bd65462c8f116908838e43

      SHA1

      441503cc74b5d8b12e7291c05ebc9aadd7072225

      SHA256

      36545f22411ccd3a63914092b8b83f60782d7ef157b5fe31da7a7118d8bdb186

      SHA512

      1d01f8f8d414dab670bbe2bd18dba868876e9883f9993a0a57b60a515bba7f0b9478697de49c6747942e94626519b3390b447cccb666d9da0cc2ceee5862052e

      Download Submit
    • C:\Windows\SysWOW64\apa.dll
      Filesize

      225B

      MD5

      fabdc8f73f0adc5a4172ebd0fa21007e

      SHA1

      901127f021cf5227ba3d56ea0248245dd6b392ed

      SHA256

      a625ed2d7cfe44cf4ba6840e335dfefaec71eb837ec9e83af65fe6513c18d830

      SHA512

      a35f08bb54ffa858dc9907fc26bda50f0486c784f39e0fe0905259645c205985ad7d10a12b41e5e4e0bfeb1253f69f232baeabc7b9647d309e4738f9e3f028a4

      Download Submit
    • memory/4384-0-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download