Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 09:21
Behavioral task behavioral1
- Sample: 117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
- Size: 50KB
- MD5: 117fc5afa709ad652f2e2cb9516c890e
- SHA1: 9ca829703369afc99e0d8a6384bdc84cd98aa032
- SHA256: 753c630c22612a230b9496e424c0b2b8dc63b09db9b16484cef9e8fc5bc271eb
- SHA512: 5a4b80416938280e5baaa7beac213f810094ebff1e6f36ab098eb530a14b9edb68a4c54bebd15adbc4c667fc7adeafa39220e0d79975ce4e1a072a42e7c4213d
- SSDEEP: 768:wWeTakGUwCbvd1uDYpG15J50CKSwzAMXWsqzrcw1UbhsDNYEv6XADdmf1VXn7p4Q:5e5bv6DYpaBwzAMXkx6wD0fLnXbU4
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid 2316  takeown.exe
    pid 1552  icacls.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation  (process: 117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe)
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2664  wlock.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid 2316  takeown.exe
    pid 1552  icacls.exe
- YARA rule match: upx
  Processes:
    resource behavioral2/memory/2576-0-0x0000000000400000-0x000000000041D000-memory.dmp  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlock = "C:\\Users\\Admin\\wlock\\wlock.exe"  (process: reg.exe)
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (1 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveActive = "0"  (process: wlock.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2664  wlock.exe  (64 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeTakeOwnershipPrivilege  pid 2316  takeown.exe
    Token: SeDebugPrivilege          pid 2664  wlock.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 2664  wlock.exe  (2 events)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    2576 -> 2316  117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe -> takeown.exe  (3 events)
    2576 -> 1552  117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe -> icacls.exe   (3 events)
    2576 -> 4452  117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe -> cmd.exe      (3 events)
    2576 -> 1204  117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe -> cmd.exe      (3 events)
    1204 -> 2176  cmd.exe -> reg.exe                                                (3 events)
    2576 -> 2664  117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe -> wlock.exe    (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe
    Command line: "C:\Windows\System32\takeown.exe" /f "C:\Windows\System32\rstrui.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: "C:\Windows\System32\icacls.exe" "C:\Windows\System32\rstrui.exe" /grant Admin:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\rstrui.exe"
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
      - Adds Run key to start application
  - C:\Users\Admin\wlock\wlock.exe
    Command line: "C:\Users\Admin\wlock\wlock.exe" f
    - Executes dropped EXE
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\wlock\wlock.exe
  Filesize: 73KB
  MD5: 68db28477509a770acbf114b0de781a8
  SHA1: 3ac88ce18f440b64e3a4bc3a16c11c01ef9b4a23
  SHA256: 69586e31e8feac35f72e7da461dd8d4b98ce0ff1c6fec68d88d20c37156cea88
  SHA512: c6f9e406ea7b8d08f8d5b37b19a9849a4eeee47f60284297e0fa908bc8c94422cedabd5d6b3462c2545035578b9bc08b47cf58667c7fc8999aca7ee2e919fd5a
- memory/2576-0-0x0000000000400000-0x000000000041D000-memory.dmp  Filesize: 116KB
- memory/2576-32-0x0000000002070000-0x0000000002071000-memory.dmp  Filesize: 4KB
- memory/2576-8-0x0000000002070000-0x0000000002071000-memory.dmp  Filesize: 4KB
- memory/2576-10-0x0000000002070000-0x0000000002071000-memory.dmp  Filesize: 4KB
- memory/2664-19-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-17-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-21-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-20-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-28-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-30-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-15-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-26-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-18-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-22-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-16-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-14-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
- memory/2664-13-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-12-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-11-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-27-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-24-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-25-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB
- memory/2664-23-0x0000000000A30000-0x0000000000A31000-memory.dmp  Filesize: 4KB