Analysis Overview
SHA256
5e38850c7d084959ee0d62fa802a9c3fd567d7c5229beb7dc6a7eb76e33bd34a
Threat Level: Likely malicious
The file 8cf26505203d553b12a389b745cc56b1_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Deletes itself
Loads dropped DLL
Checks computer location settings
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 02:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 02:25
Reported
2024-08-12 02:28
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f768585.tmp ,C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
Files
C:\Users\Admin\AppData\Local\Temp\~~f768585.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3b009b7fe9e96fb76d26425c8f6b8a59 |
| SHA1 | dd6e7ea240b7aaee747ed8b48509a64744aea995 |
| SHA256 | 073a122a22ba82652c700acdf1ef60593e5d69c068ae221b392e060b7f7235be |
| SHA512 | f4e12d3734d6510029af2322ae5e7ce057dd77d2786052cc7743d7d72d6fbe9095093eb5050e891354c2b9bf7fc2b2e348627257c3ad7d0e9f189dcd762220ab |
memory/600-12-0x00000000001E0000-0x00000000001E1000-memory.dmp
C:\Windows\SysWOW64\apa.dll
| Hash | Value |
| --- | --- |
| MD5 | b37a723a56cd2aea6b461c2c1ae482ff |
| SHA1 | 51fb42b1da9a0d8a71465ac9f3044ede9ea8c8d6 |
| SHA256 | 740ccc3c65beaab40dc4ea85096a42a3afd09d5fb94261d6ca49434e848b3247 |
| SHA512 | 47d713021919d7b8f56954d20e238d81de006a135dc0b8f9c507445dcc791b0b16041436998d46b2abb0d285ccbde69768c14eadb0dfd8621a4011f0e1aa5e53 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 02:25
Reported
2024-08-12 02:28
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
144s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp ,C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3b009b7fe9e96fb76d26425c8f6b8a59 |
| SHA1 | dd6e7ea240b7aaee747ed8b48509a64744aea995 |
| SHA256 | 073a122a22ba82652c700acdf1ef60593e5d69c068ae221b392e060b7f7235be |
| SHA512 | f4e12d3734d6510029af2322ae5e7ce057dd77d2786052cc7743d7d72d6fbe9095093eb5050e891354c2b9bf7fc2b2e348627257c3ad7d0e9f189dcd762220ab |
C:\Windows\SysWOW64\apa.dll
| Hash | Value |
| --- | --- |
| MD5 | b37a723a56cd2aea6b461c2c1ae482ff |
| SHA1 | 51fb42b1da9a0d8a71465ac9f3044ede9ea8c8d6 |
| SHA256 | 740ccc3c65beaab40dc4ea85096a42a3afd09d5fb94261d6ca49434e848b3247 |
| SHA512 | 47d713021919d7b8f56954d20e238d81de006a135dc0b8f9c507445dcc791b0b16041436998d46b2abb0d285ccbde69768c14eadb0dfd8621a4011f0e1aa5e53 |