Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
- Size: 111KB
- MD5: 935a1fe3fa5654672f08e6f1d1fd0c2d
- SHA1: d7cf2d5f345da2da2eb75c0e47df9437a0a5a870
- SHA256: 9349d0a5761fa8d56d766f2cd4b04a424d30c42f35a54b4404bc160626a57d10
- SHA512: 67fdd65b4977d4113a00c08070ccca8cd6474be43079c99d545be71aec035bd5fda4cf0f718f35126a48a42c491dd988bd64b60695426974147f0b25a4f1ad36
- SSDEEP: 1536:3tdnSFdm3D22UwhiqQ1q3BhNL782aLpFtVlNlMHCu9jOM6m2:3TkM6whtoEBhN3kLpFtciuA
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: icacls.exe, takeown.exe
    pid 2028  icacls.exe
    pid 2296  takeown.exe
- Deletes itself (1 IoC)
  Processes: regsvr32.exe
    pid 1980  regsvr32.exe
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe
    pid 1980  regsvr32.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid 2296  takeown.exe
    pid 2028  icacls.exe
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (3 IoCs)
  Processes: regsvr32.exe
    File opened for modification  C:\Windows\SysWOW64\apa.dll    regsvr32.exe
    File created                  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
    File opened for modification  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: takeown.exe, icacls.exe, cmd.exe, 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe, regsvr32.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  takeown.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icacls.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
    pid 1980  regsvr32.exe  (reported 4 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: regsvr32.exe, takeown.exe
    Token: SeDebugPrivilege          pid 1980  regsvr32.exe
    Token: SeTakeOwnershipPrivilege  pid 2296  takeown.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: 935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe, regsvr32.exe
    PID 2224 (935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe) wrote to memory of PID 1980 (regsvr32.exe)  7 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 2296 (takeown.exe)  4 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 2028 (icacls.exe)   4 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 588 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 664 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 740 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 800 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 836 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 956 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 1020 (svchost.exe)  2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 372 (svchost.exe)   2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 2180 (svchost.exe)  2 times
    PID 1980 (regsvr32.exe) wrote to memory of PID 1076 (cmd.exe)      4 times
Processes
- C:\Windows\system32\svchost.exe (PID 588)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\svchost.exe (PID 664)
  Command line: C:\Windows\system32\svchost.exe -k RPCSS
- C:\Windows\System32\svchost.exe (PID 740)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- C:\Windows\System32\svchost.exe (PID 800)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- C:\Windows\system32\svchost.exe (PID 836)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe (PID 956)
  Command line: C:\Windows\system32\svchost.exe -k LocalService
- C:\Windows\system32\svchost.exe (PID 1020)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
- C:\Windows\system32\svchost.exe (PID 372)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- C:\Windows\system32\svchost.exe (PID 2180)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe (PID 2224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1980)
    Command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76c5cf.tmp ,C:\Users\Admin\AppData\Local\Temp\935a1fe3fa5654672f08e6f1d1fd0c2d_JaffaCakes118.exe
    Signatures:
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 2296)
      Command line: takeown /f "C:\Windows\system32\rpcss.dll"
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 2028)
      Command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 1076)
      Command line: cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
      Signatures:
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 8292db8bf40e3996e858197b04a8eac9
  SHA1: 4168dda0b52b441e743be70e6bc4bff88a52cfc2
  SHA256: e96a1f5c55c9876b39725dbe3d712d075fdd1d8b407e91bdebdda2ef53d97a14
  SHA512: 8f8ab169d25c4fa134f995af51c572fcfe79de1ddc01dedea2d8401ba283b02390180572aa1f8b8ead4d6ab8b865fc631e7551e329106b211c8e77ffe4a335a5
- Filesize: 233B
  MD5: 819af57393a9f8ef7f22fb812ae5abde
  SHA1: 4f3c6d3fbe22ddf39faa4bc722801f5c74b72a49
  SHA256: 958a1d73cc679fb5c53963bd9d415268d6020333ce24d6fb53bc4a5d0b4d3eac
  SHA512: de8d8f18d38477b5093a9ccfe3e48b570737875fd07eb16b1f156a439f65056e7bcbb70481686aac9eaac453db37b505f9413e61b007fdec2a55b336ea400a78