Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-08-2024 13:50

General

  • Target

    935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe

  • Size

    111KB

  • MD5

    935a1fe3fa5654672f08e6f1d1fd0c2d

  • SHA1

    d7cf2d5f345da2da2eb75c0e47df9437a0a5a870

  • SHA256

    9349d0a5761fa8d56d766f2cd4b04a424d30c42f35a54b4404bc160626a57d10

  • SHA512

    67fdd65b4977d4113a00c08070ccca8cd6474be43079c99d545be71aec035bd5fda4cf0f718f35126a48a42c491dd988bd64b60695426974147f0b25a4f1ad36

  • SSDEEP

    1536:3tdnSFdm3D22UwhiqQ1q3BhNL782aLpFtVlNlMHCu9jOM6m2:3TkM6whtoEBhN3kLpFtciuA

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    PID:588
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    1⤵
    PID:664
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    1⤵
    PID:740
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    1⤵
    PID:800
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:836
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    PID:956
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
    PID:1020
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    1⤵
    PID:372
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    1⤵
    PID:2180
  • C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76c5cf.tmp ,C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\system32\rpcss.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~f76c5cf.tmp

    Filesize

    1.0MB

    MD5

    8292db8bf40e3996e858197b04a8eac9

    SHA1

    4168dda0b52b441e743be70e6bc4bff88a52cfc2

    SHA256

    e96a1f5c55c9876b39725dbe3d712d075fdd1d8b407e91bdebdda2ef53d97a14

    SHA512

    8f8ab169d25c4fa134f995af51c572fcfe79de1ddc01dedea2d8401ba283b02390180572aa1f8b8ead4d6ab8b865fc631e7551e329106b211c8e77ffe4a335a5

  • C:\Windows\SysWOW64\apa.dll

    Filesize

    233B

    MD5

    819af57393a9f8ef7f22fb812ae5abde

    SHA1

    4f3c6d3fbe22ddf39faa4bc722801f5c74b72a49

    SHA256

    958a1d73cc679fb5c53963bd9d415268d6020333ce24d6fb53bc4a5d0b4d3eac

    SHA512

    de8d8f18d38477b5093a9ccfe3e48b570737875fd07eb16b1f156a439f65056e7bcbb70481686aac9eaac453db37b505f9413e61b007fdec2a55b336ea400a78

  • memory/588-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB