Analysis
max time kernel: 147s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
Size: 108KB
MD5: 19e46408cdf85c1790728b2ad1e00dec
SHA1: f5c355b93840cb4038852d67611ca7160a5692f3
SHA256: be984dcb05ac824b5ffcab2d7c0c2c5f131da0801c8efb93e953a65d71cadd41
SHA512: 641dda503ec23dec97562952d297bac137f0064b47f47837c73f8d42c76e8c4c26f69eae5e0e5bf2653c8ad754f5520460b54d5410cc5c359676cf4415523754
SSDEEP: 3072:AxCuqnzsUkYrPHl5dBONYIoriXIrKfiHpI61FFTF:Ax/YrLdBONYH+IrK0I61
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    5052 takeown.exe
    2876 icacls.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    916 regsvr32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    916 regsvr32.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    5052 takeown.exe
    2876 icacls.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
    File opened (read-only) by svchost.exe, one entry per drive: \??\G:, \??\I:, \??\L:, \??\U:, \??\X:, \??\Z:, \??\A:, \??\M:, \??\O:, \??\R:, \??\Y:, \??\E:, \??\H:, \??\J:, \??\K:, \??\P:, \??\Q:, \??\S:, \??\B:, \??\T:, \??\V:, \??\W:, \??\N:
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
- Drops file in System32 directory (4 IoCs)
  Processes (description, ioc, process):
    File opened for modification | C:\Windows\SysWOW64\apa.dll | regsvr32.exe
    File created | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
    File opened for modification | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
    File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  Processes (description, ioc, process):
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
    916 regsvr32.exe (10 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 916 | regsvr32.exe
    Token: SeTakeOwnershipPrivilege | 5052 | takeown.exe
    Token: (62 entries for pid 2084 svchost.exe, cycling through the same 12 privileges) SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2084 | svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
    PID 2520 wrote to memory of 916 | 2520 | 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe | regsvr32.exe (3 entries)
    PID 916 wrote to memory of 5052 | 916 | regsvr32.exe | takeown.exe (3 entries)
    PID 916 wrote to memory of 2876 | 916 | regsvr32.exe | icacls.exe (3 entries)
    PID 916 wrote to memory of <pid> | 916 | regsvr32.exe | svchost.exe, 2 entries for each of pids 796, 908, 956, 748, 1048, 1056, 1108, 1116, 1156, 1188, 1280, 1320, 1336, 1436, 1460, 1576, 1588, 1632, 1728, 1760, 1772, 1880, 2020, 2028, 1100, 2052, 2084, and 1 entry for pid 2196
Processes (depth | image | command line; signature tags indented beneath each process)
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p
- [2] C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Modifies data under HKEY_USERS
- [1] C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e5757a5~.tmp ,C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\system32\rpcss.dll"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- [3] C:\Windows\SysWOW64\cmd.exe | cmd /c del %SystemRoot%\system32\rpcss.dll~*
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\e5757a5~.tmp
  Filesize: 915KB
  MD5: 36f922a60f155a6f3559bdb5f85a2701
  SHA1: 2f3b4b2dd7e66910288d3e932968b21544db8343
  SHA256: 3077dfd2d02e710597f6b398a9b9c5bb0f797f6ad6c6013ef0e222d6c7b13bbd
  SHA512: 6567f10e5b426e55e83370593bd62046d63f8c020f83451f72fde08aee5f2f38f480fe1cba5312efd5bb863d81971f60cbd49ba31cf6dbcac55e7fd3cb84947f
- C:\Windows\SysWOW64\apa.dll
  Filesize: 221B
  MD5: ff5f253c12dd8373c347b218fc46adf9
  SHA1: a42b85049849d001cb83ffab4cefc6edcb863613
  SHA256: 7a45df2b7128f24e56986db32feedd12694a34cdab9d86cede6f871fe1f9b3e0
  SHA512: ca3c5f36d07c75c41c174baaa9d077f336c666c55de7139eda8593f0e95f7d2fa63bde9578cd1defd5fd6f44e53266d0555fac86fd98c1eed00b04db5c845645