Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 11:08

Static task: static1

Behavioral task: behavioral1
  Sample: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
Size: 108KB
MD5: 19e46408cdf85c1790728b2ad1e00dec
SHA1: f5c355b93840cb4038852d67611ca7160a5692f3
SHA256: be984dcb05ac824b5ffcab2d7c0c2c5f131da0801c8efb93e953a65d71cadd41
SHA512: 641dda503ec23dec97562952d297bac137f0064b47f47837c73f8d42c76e8c4c26f69eae5e0e5bf2653c8ad754f5520460b54d5410cc5c359676cf4415523754
SSDEEP: 3072:AxCuqnzsUkYrPHl5dBONYIoriXIrKfiHpI61FFTF:Ax/YrLdBONYH+IrK0I61
Malware Config
Signatures

Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    1980  takeown.exe
    2256  icacls.exe

Deletes itself (1 IoC)
  Processes:
    pid   process
    2300  regsvr32.exe

Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    2300  regsvr32.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid   process
    1980  takeown.exe
    2256  icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Drops file in System32 directory (3 IoCs)
  Processes:
    description                   ioc                            process
    File opened for modification  C:\Windows\SysWOW64\apa.dll    regsvr32.exe
    File created                  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
    File opened for modification  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    2300  regsvr32.exe  (5 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                      pid   process
    Token: SeDebugPrivilege          2300  regsvr32.exe
    Token: SeTakeOwnershipPrivilege  1980  takeown.exe

Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (source PID wrote to memory of target PID; repeated rows are collapsed with an entry count):
    source pid  source process                                      target pid  target process  entries
    2976        19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe  2300        regsvr32.exe    7
    2300        regsvr32.exe                                        1980        takeown.exe     4
    2300        regsvr32.exe                                        2256        icacls.exe      4
    2300        regsvr32.exe                                        604         svchost.exe     2
    2300        regsvr32.exe                                        684         svchost.exe     2
    2300        regsvr32.exe                                        748         svchost.exe     2
    2300        regsvr32.exe                                        808         svchost.exe     2
    2300        regsvr32.exe                                        856         svchost.exe     2
    2300        regsvr32.exe                                        972         svchost.exe     2
    2300        regsvr32.exe                                        240         svchost.exe     2
    2300        regsvr32.exe                                        1076        svchost.exe     2
    2300        regsvr32.exe                                        1704        svchost.exe     2
    2300        regsvr32.exe                                        2672        cmd.exe         4
Processes (number in brackets is the depth in the process tree; indentation shows parent/child)

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k RPCSS

[1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

[1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalService

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k NetworkService

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

[1] C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\regsvr32.exe
        command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\f760e24~.tmp ,C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
        - Deletes itself
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe
            command line: takeown /f "C:\Windows\system32\rpcss.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\icacls.exe
            command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c del %SystemRoot%\system32\rpcss.dll~*
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\f760e24~.tmp
  Filesize: 915KB
  MD5: 36f922a60f155a6f3559bdb5f85a2701
  SHA1: 2f3b4b2dd7e66910288d3e932968b21544db8343
  SHA256: 3077dfd2d02e710597f6b398a9b9c5bb0f797f6ad6c6013ef0e222d6c7b13bbd
  SHA512: 6567f10e5b426e55e83370593bd62046d63f8c020f83451f72fde08aee5f2f38f480fe1cba5312efd5bb863d81971f60cbd49ba31cf6dbcac55e7fd3cb84947f

memory/604-12-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB