6f48ee57a66e9beac78c2ee53b9adb57abb0bc42231877a5d73c8a039e35e287

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe
Size

47KB
MD5

1554ba4da5ebb3f1a3569f76fbcf8fcf
SHA1

f41f1adc228d717686f802da4c3cf8e5d7979f64
SHA256

6f48ee57a66e9beac78c2ee53b9adb57abb0bc42231877a5d73c8a039e35e287
SHA512

ae0abb5dfbbd667dcb11d5c975ebc1f9ec0987e5eacf6036b45e3f6f1ff76ad95e0a877f46242838719b2b91c49049011cc8185c10b4de3877ea9ddc6c7d3041
SSDEEP

768:23nOcThRrURtoEc2vQ3qJJqMUJBtM2W+NA1RGbI8zWzgmQPhlISITA5JBFN09dLf:2eUCwXSJJABeENnbp6z5SQkHi

Score

8^/10

defense_evasion discovery exploit persistence upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4968 takeown.exe
3168 icacls.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation 1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

wlock.exe

pid process

4108 wlock.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4968 takeown.exe
3168 icacls.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/2760-0-0x0000000000400000-0x000000000041D000-memory.dmp upx
behavioral2/memory/2760-212-0x0000000000400000-0x000000000041D000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlock = "C:\\Users\\Admin\\wlock\\wlock.exe" reg.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Control Panel 1 IoCs
evasion

Processes:

wlock.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveActive = "0" wlock.exe

pid	process
4968	takeown.exe
3168	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe

pid	process
4968	takeown.exe
3168	icacls.exe

resource	yara_rule
behavioral2/memory/2760-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2760-212-0x0000000000400000-0x000000000041D000-memory.dmp	upx

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wlock = "C:\\Users\\Admin\\wlock\\wlock.exe"	reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveActive = "0"	wlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wlock.exe

pid	process
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe
4108	wlock.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exewlock.exe

description pid process

Token: SeTakeOwnershipPrivilege 4968 takeown.exe
Token: SeDebugPrivilege 4108 wlock.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlock.exe

pid process

4108 wlock.exe
4108 wlock.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4968	takeown.exe
Token: SeDebugPrivilege	4108	wlock.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2760 wrote to memory of 4968	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	takeown.exe
PID 2760 wrote to memory of 4968	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	takeown.exe
PID 2760 wrote to memory of 4968	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	takeown.exe
PID 2760 wrote to memory of 3168	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	icacls.exe
PID 2760 wrote to memory of 3168	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	icacls.exe
PID 2760 wrote to memory of 3168	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	icacls.exe
PID 2760 wrote to memory of 976	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 976	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 976	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 4224	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 4224	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 4224	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	cmd.exe
PID 4224 wrote to memory of 3320	4224	cmd.exe	reg.exe
PID 4224 wrote to memory of 3320	4224	cmd.exe	reg.exe
PID 4224 wrote to memory of 3320	4224	cmd.exe	reg.exe
PID 2760 wrote to memory of 4108	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	wlock.exe
PID 2760 wrote to memory of 4108	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	wlock.exe
PID 2760 wrote to memory of 4108	2760	1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe	wlock.exe

C:\Users\Admin\AppData\Local\Temp\1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1554ba4da5ebb3f1a3569f76fbcf8fcf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\takeown.exe
"C:\Windows\System32\takeown.exe" /f "C:\Windows\System32\rstrui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\rstrui.exe" /grant Admin:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\rstrui.exe"
2⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v wlock /t REG_SZ /d "C:\Users\Admin\wlock\wlock.exe" /f
3⤵
- Adds Run key to start application
PID:3320

C:\Users\Admin\wlock\wlock.exe
"C:\Users\Admin\wlock\wlock.exe" f
2⤵
- Executes dropped EXE
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wlock\wlock.exe
Filesize
74KB

MD5
c9b7915921c107fbe94cc2e93116de9c

SHA1
71fead17a27e6bde48154554fd3be23e423e9f32

SHA256
4fc53ad0b883367a7d4817f48f4315509f1f9ed16f9b7c8fdbf09b1b47b39daf

SHA512
03fdc64ba3a8b9160e6b9e08d1e854a70ee85fe04fa4dd19979b19193406c2daafab6f8f5db2b7563ad78c3a7a4ceaa90a50398830b27affbd461d7faa1dba30

Download Submit
memory/2760-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-7-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2760-8-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2760-212-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2760-223-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/4108-14-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-12-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-11-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-15-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-22-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-21-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-27-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-72-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4108-71-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4108-70-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4108-69-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4108-68-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-26-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-25-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-24-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-23-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-20-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-19-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-18-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-17-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/4108-154-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-153-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-152-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-151-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-150-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-149-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-148-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-147-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-146-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-145-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-144-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-143-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-142-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-141-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-140-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-139-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-138-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-137-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-136-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-135-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-134-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-133-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-132-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-131-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-130-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-129-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-128-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-127-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-126-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-125-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-124-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-123-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-122-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-232-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4108-253-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-252-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4108-293-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-296-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-295-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-294-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-292-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-291-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-290-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-289-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-288-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-287-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-286-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-285-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-284-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-283-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-282-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-281-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-280-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-279-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-278-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-277-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-276-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-275-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-274-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-273-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-272-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-271-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-270-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-269-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-268-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-267-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-266-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-265-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4108-264-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4108-307-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download