753c630c22612a230b9496e424c0b2b8dc63b09db9b16484cef9e8fc5bc271eb

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
Size

50KB
MD5

117fc5afa709ad652f2e2cb9516c890e
SHA1

9ca829703369afc99e0d8a6384bdc84cd98aa032
SHA256

753c630c22612a230b9496e424c0b2b8dc63b09db9b16484cef9e8fc5bc271eb
SHA512

5a4b80416938280e5baaa7beac213f810094ebff1e6f36ab098eb530a14b9edb68a4c54bebd15adbc4c667fc7adeafa39220e0d79975ce4e1a072a42e7c4213d
SSDEEP

768:wWeTakGUwCbvd1uDYpG15J50CKSwzAMXWsqzrcw1UbhsDNYEv6XADdmf1VXn7p4Q:5e5bv6DYpaBwzAMXkx6wD0fLnXbU4

Score

8^/10

defense_evasion discovery exploit persistence upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2316 takeown.exe
1552 icacls.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

wlock.exe

pid process

2664 wlock.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2316 takeown.exe
1552 icacls.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/2576-0-0x0000000000400000-0x000000000041D000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlock = "C:\\Users\\Admin\\wlock\\wlock.exe" reg.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Control Panel 1 IoCs
evasion

Processes:

wlock.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveActive = "0" wlock.exe

pid	process
2316	takeown.exe
1552	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe

pid	process
2316	takeown.exe
1552	icacls.exe

resource	yara_rule
behavioral2/memory/2576-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlock = "C:\\Users\\Admin\\wlock\\wlock.exe"	reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveActive = "0"	wlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wlock.exe

pid	process
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe
2664	wlock.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exewlock.exe

description pid process

Token: SeTakeOwnershipPrivilege 2316 takeown.exe
Token: SeDebugPrivilege 2664 wlock.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlock.exe

pid process

2664 wlock.exe
2664 wlock.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2316	takeown.exe
Token: SeDebugPrivilege	2664	wlock.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2576 wrote to memory of 2316	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	takeown.exe
PID 2576 wrote to memory of 2316	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	takeown.exe
PID 2576 wrote to memory of 2316	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	takeown.exe
PID 2576 wrote to memory of 1552	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	icacls.exe
PID 2576 wrote to memory of 1552	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	icacls.exe
PID 2576 wrote to memory of 1552	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	icacls.exe
PID 2576 wrote to memory of 4452	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 4452	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 4452	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 1204	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 1204	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 2576 wrote to memory of 1204	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	cmd.exe
PID 1204 wrote to memory of 2176	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 2176	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 2176	1204	cmd.exe	reg.exe
PID 2576 wrote to memory of 2664	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	wlock.exe
PID 2576 wrote to memory of 2664	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	wlock.exe
PID 2576 wrote to memory of 2664	2576	117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe	wlock.exe

C:\Users\Admin\AppData\Local\Temp\117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\117fc5afa709ad652f2e2cb9516c890e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Windows\System32\rstrui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\rstrui.exe" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\rstrui.exe"
2⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
3⤵
- Adds Run key to start application
PID:2176

C:\Users\Admin\wlock\wlock.exe
"C:\Users\Admin\wlock\wlock.exe" f
2⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wlock\wlock.exe
Filesize
73KB

MD5
68db28477509a770acbf114b0de781a8

SHA1
3ac88ce18f440b64e3a4bc3a16c11c01ef9b4a23

SHA256
69586e31e8feac35f72e7da461dd8d4b98ce0ff1c6fec68d88d20c37156cea88

SHA512
c6f9e406ea7b8d08f8d5b37b19a9849a4eeee47f60284297e0fa908bc8c94422cedabd5d6b3462c2545035578b9bc08b47cf58667c7fc8999aca7ee2e919fd5a

Download Submit
memory/2576-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2576-32-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2576-8-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2576-10-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2664-19-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-17-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-21-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-20-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-28-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-30-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-15-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-26-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-18-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-22-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-16-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-12-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-11-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-27-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-24-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-25-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2664-23-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download