Malware Analysis Report

2024-09-11 04:31

Sample ID 240622-nh8dyazejj
Target 01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118
SHA256 ea579cce78b11bb3e8d8ddcc088d787aaf0df8d138da523ae5bffd3aba6c8266
Tags
upx defense_evasion discovery exploit
score
8/10

Analysis Overview

score
8/10

SHA256

ea579cce78b11bb3e8d8ddcc088d787aaf0df8d138da523ae5bffd3aba6c8266

Threat Level: Likely malicious

The file 01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx defense_evasion discovery exploit

Possible privilege escalation attempt

UPX packed file

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Deletes itself

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 11:24

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:27

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2840 wrote to memory of 1972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2840 wrote to memory of 1972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2840 wrote to memory of 1972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2840 wrote to memory of 1972 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2840 wrote to memory of 3028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2840 wrote to memory of 3028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2840 wrote to memory of 3028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2840 wrote to memory of 3028 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2840 wrote to memory of 604 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f760fc9.tmp ,C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

N/A

Files

memory/2440-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~~f760fc9.tmp

MD5 2f04e5bff3a0394a341b45b2ed431400
SHA1 ac45ab352963f5bc226f5f9bdfea2fbc0115d097
SHA256 a9ceb027a478a5d3d9a2b0065fa251b19ea977f245f3085e399762463c6912d5
SHA512 cbfa27e643a0ee773a23c339ba017ad4dc44b8354907ca3f9e93e1c1a9236cf8c321a075b28f93a47c128c9be589fc6190bc132deacc727b6b853067af56901f

memory/2440-3-0x0000000000400000-0x0000000000421000-memory.dmp

memory/604-15-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 d93e0b12fcee42e7d6fbc5c28cae6177
SHA1 d1b60e77bf0019a45fd1d635e8cc0f48722f1789
SHA256 e7c727376b692b2d94f65912c5349adf795c884826b6904ecb5d19e6bea21c9b
SHA512 b8ca54d262c0f1636b191144938d22342e7bcc8bbb348f9c66fb03e5236bb1d2c91485b5ed5ce43d9360127605e8849d1656b2fab1b0ac204d0b39e1846f2c08

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:27

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

132s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e578414.tmp ,C:\Users\Admin\AppData\Local\Temp\01e6247b38f50d0c1e905d7a1a5f3a9d_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 52.182.143.211:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
PL 93.184.221.240:80 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1932-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1932-2-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~~e578414.tmp

MD5 2f04e5bff3a0394a341b45b2ed431400
SHA1 ac45ab352963f5bc226f5f9bdfea2fbc0115d097
SHA256 a9ceb027a478a5d3d9a2b0065fa251b19ea977f245f3085e399762463c6912d5
SHA512 cbfa27e643a0ee773a23c339ba017ad4dc44b8354907ca3f9e93e1c1a9236cf8c321a075b28f93a47c128c9be589fc6190bc132deacc727b6b853067af56901f

C:\Windows\SysWOW64\apa.dll

MD5 d93e0b12fcee42e7d6fbc5c28cae6177
SHA1 d1b60e77bf0019a45fd1d635e8cc0f48722f1789
SHA256 e7c727376b692b2d94f65912c5349adf795c884826b6904ecb5d19e6bea21c9b
SHA512 b8ca54d262c0f1636b191144938d22342e7bcc8bbb348f9c66fb03e5236bb1d2c91485b5ed5ce43d9360127605e8849d1656b2fab1b0ac204d0b39e1846f2c08