Analysis Overview
SHA256
adf21ecc10cb8d7312efc5dd06d1f151f106cd696d47724f3c2b3ff9da37d25d
Threat Level: Likely malicious
The file 0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
UPX packed file
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Deletes itself
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 14:22
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 14:22
Reported
2024-06-22 14:24
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~f7610c3.tmp ,C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
Files
memory/1088-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1088-3-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~f7610c3.tmp
| Hash | Value |
| --- | --- |
| MD5 | ba7000cc8e81014ecd45179fc4b51b36 |
| SHA1 | f4ee075888927bfb6731b3f4c398c91f54c4028d |
| SHA256 | 7141e64d4c563f8ff79ad9b86c7c751c81e58d6b2156f769295b27970f4508ab |
| SHA512 | 73a638c26e77d614b669e2136179ab74277427a560c512d0b19eef3ab9ac0bc67bfd11de040551be9c9f1acae02aa817ee77ac135718821785df177dd699411b |
C:\Windows\SysWOW64\apa.dll
| Hash | Value |
| --- | --- |
| MD5 | 4f5ec94cafab71e84b7ea116363070cd |
| SHA1 | 98e1d6cb62ea5e7506ca540026f0a0604c14f92c |
| SHA256 | 4f90dca27d4f6f792a212bcdbc0f26458f1197a585cf854e2e42f4c5c9f8e95d |
| SHA512 | 202fa50782ed6074dbf1f02393ff8fa348ffcf9212aa39d5dc77908408b80cb51bbb1367f27a2676e1f550491f226e4969fe7abc688cade316db225ed4850eb1 |
memory/600-15-0x0000000000120000-0x0000000000121000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 14:22
Reported
2024-06-22 14:24
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~e574d93.tmp ,C:\Users\Admin\AppData\Local\Temp\0298d0eda7a8bbfca9dcfa0a8ad1fa6f_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4452-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4452-2-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~e574d93.tmp
| Hash | Value |
| --- | --- |
| MD5 | ba7000cc8e81014ecd45179fc4b51b36 |
| SHA1 | f4ee075888927bfb6731b3f4c398c91f54c4028d |
| SHA256 | 7141e64d4c563f8ff79ad9b86c7c751c81e58d6b2156f769295b27970f4508ab |
| SHA512 | 73a638c26e77d614b669e2136179ab74277427a560c512d0b19eef3ab9ac0bc67bfd11de040551be9c9f1acae02aa817ee77ac135718821785df177dd699411b |
C:\Windows\SysWOW64\apa.dll
| Hash | Value |
| --- | --- |
| MD5 | 751ea963a806afd4cdb39ff9a54d7e18 |
| SHA1 | a7d493ba89277216768214cca19dc40e50328821 |
| SHA256 | 3096215dfc4259d95f51ff177b0d2e95bbd69eb0a0aeb5419958ef81204067fa |
| SHA512 | ee747399dbb17a4be3b81cf17f1e5f0ace426483d741b21df16bec82bf448720aa9a82ff7f2f11cd6e1110420ecb9f6cc1004e31c035dd04233d07a1d1c80c1d |