Malware Analysis Report

2024-11-16 12:52

Sample ID 240812-cwjrysvgpc
Target 8cf26505203d553b12a389b745cc56b1_JaffaCakes118
SHA256 5e38850c7d084959ee0d62fa802a9c3fd567d7c5229beb7dc6a7eb76e33bd34a
Tags
defense_evasion discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5e38850c7d084959ee0d62fa802a9c3fd567d7c5229beb7dc6a7eb76e33bd34a

Threat Level: Likely malicious

The file 8cf26505203d553b12a389b745cc56b1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Deletes itself

Loads dropped DLL

Checks computer location settings

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 02:25

Reported

2024-08-12 02:28

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3016 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2536 wrote to memory of 2412 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2536 wrote to memory of 2412 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2536 wrote to memory of 2412 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2536 wrote to memory of 2412 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2536 wrote to memory of 2252 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2536 wrote to memory of 2252 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2536 wrote to memory of 2252 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2536 wrote to memory of 2252 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2536 wrote to memory of 600 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f768585.tmp ,C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~~f768585.tmp

MD5 3b009b7fe9e96fb76d26425c8f6b8a59
SHA1 dd6e7ea240b7aaee747ed8b48509a64744aea995
SHA256 073a122a22ba82652c700acdf1ef60593e5d69c068ae221b392e060b7f7235be
SHA512 f4e12d3734d6510029af2322ae5e7ce057dd77d2786052cc7743d7d72d6fbe9095093eb5050e891354c2b9bf7fc2b2e348627257c3ad7d0e9f189dcd762220ab

memory/600-12-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 b37a723a56cd2aea6b461c2c1ae482ff
SHA1 51fb42b1da9a0d8a71465ac9f3044ede9ea8c8d6
SHA256 740ccc3c65beaab40dc4ea85096a42a3afd09d5fb94261d6ca49434e848b3247
SHA512 47d713021919d7b8f56954d20e238d81de006a135dc0b8f9c507445dcc791b0b16041436998d46b2abb0d285ccbde69768c14eadb0dfd8621a4011f0e1aa5e53

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 02:25

Reported

2024-08-12 02:28

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

144s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp ,C:\Users\Admin\AppData\Local\Temp\8cf26505203d553b12a389b745cc56b1_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\~~e5785ba.tmp

MD5 3b009b7fe9e96fb76d26425c8f6b8a59
SHA1 dd6e7ea240b7aaee747ed8b48509a64744aea995
SHA256 073a122a22ba82652c700acdf1ef60593e5d69c068ae221b392e060b7f7235be
SHA512 f4e12d3734d6510029af2322ae5e7ce057dd77d2786052cc7743d7d72d6fbe9095093eb5050e891354c2b9bf7fc2b2e348627257c3ad7d0e9f189dcd762220ab

C:\Windows\SysWOW64\apa.dll

MD5 b37a723a56cd2aea6b461c2c1ae482ff
SHA1 51fb42b1da9a0d8a71465ac9f3044ede9ea8c8d6
SHA256 740ccc3c65beaab40dc4ea85096a42a3afd09d5fb94261d6ca49434e848b3247
SHA512 47d713021919d7b8f56954d20e238d81de006a135dc0b8f9c507445dcc791b0b16041436998d46b2abb0d285ccbde69768c14eadb0dfd8621a4011f0e1aa5e53