Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 13-08-2024 16:49
Static task: static1

Behavioral task: behavioral1
    Sample: 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
    Resource: win7-20240704-en

Behavioral task: behavioral2
    Sample: 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
    Resource: win10v2004-20240802-en
General

Target: 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
Size: 111KB
MD5: 93ec999f6c60ec676d4da0affcc41bbe
SHA1: 66c5fd77d2c803a712c99b3275ad5372032a757c
SHA256: 14e82d16bd6f3390206b6f35771783f16e02b3f989e88550746af2e89158a4ea
SHA512: 0bd4a104202399eae7a2f422abf61d50af7391b7cf00a7ceb9d02a45d2272bef29457b8465afd926b57970040bdfe41dc3e01d97e2499302a189d23d3089b00e
SSDEEP: 1536:3rD679bBLGG2UwifjK1q3BhNL782aLpFtVltN2jHCu9jJM6wWO:3voltwi7GEBhN3kLpFtqiuzO
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
    Processes (pid, process):
        1276 takeown.exe
        1268 icacls.exe

Deletes itself (1 IoC)
    Processes (pid, process):
        1868 regsvr32.exe

Loads dropped DLL (1 IoC)
    Processes (pid, process):
        1868 regsvr32.exe

Modifies file permissions (1 TTP, 2 IoCs)
    Processes (pid, process):
        1276 takeown.exe
        1268 icacls.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Indicator Removal: File Deletion (1 TTP)
    Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (3 IoCs)
    Processes (description, ioc, process):
        File created                 C:\Windows\SysWOW64\rpcss.dll   regsvr32.exe
        File opened for modification C:\Windows\SysWOW64\rpcss.dll   regsvr32.exe
        File opened for modification C:\Windows\SysWOW64\apa.dll     regsvr32.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Processes (description, ioc, process):
        Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
        Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   regsvr32.exe
        Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
        Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   icacls.exe
        Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
    Processes (pid, process):
        1868 regsvr32.exe (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Processes (description, pid, process):
        Token: SeDebugPrivilege          1868 regsvr32.exe
        Token: SeTakeOwnershipPrivilege  1276 takeown.exe
Suspicious use of WriteProcessMemory (37 IoCs)
    Processes (source pid, source process -> target pid, target process; number of writes):
        2548 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe -> 1868 regsvr32.exe   (7)
        1868 regsvr32.exe -> 1276 takeown.exe   (4)
        1868 regsvr32.exe -> 1268 icacls.exe    (4)
        1868 regsvr32.exe ->  612 svchost.exe   (2)
        1868 regsvr32.exe ->  692 svchost.exe   (2)
        1868 regsvr32.exe ->  776 svchost.exe   (2)
        1868 regsvr32.exe ->  824 svchost.exe   (2)
        1868 regsvr32.exe ->  852 svchost.exe   (2)
        1868 regsvr32.exe ->  976 svchost.exe   (2)
        1868 regsvr32.exe ->  296 svchost.exe   (2)
        1868 regsvr32.exe -> 1084 svchost.exe   (2)
        1868 regsvr32.exe -> 2268 svchost.exe   (2)
        1868 regsvr32.exe -> 2792 cmd.exe       (4)
Processes

C:\Windows\system32\svchost.exe  (PID 612)
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe  (PID 692)
    command line: C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe  (PID 776)
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe  (PID 824)
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe  (PID 852)
    command line: C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe  (PID 976)
    command line: C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe  (PID 296)
    command line: C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe  (PID 1084)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe  (PID 2268)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe  (PID 2548)
    command line: "C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe  (PID 1868, parent 2548)
        command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp ,C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
        signatures: Deletes itself; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe  (PID 1276, parent 1868)
            command line: takeown /f "C:\Windows\system32\rpcss.dll"
            signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe  (PID 1268, parent 1868)
            command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
            signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe  (PID 2792, parent 1868)
            command line: cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
            signatures: System Location Discovery: System Language Discovery
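The process tree above is the whole story of this run: the dropper hands a temp-file DLL to a 32-bit regsvr32.exe (with its own path as the trailing argument, which is how the DLL can delete the dropper afterwards), and that regsvr32 then runs takeown and icacls against rpcss.dll, writes a new rpcss.dll and deletes the `rpcss.dll~*` leftovers. One caveat for anyone writing a rule from this: every child is a SysWOW64 binary, so the "C:\Windows\system32\rpcss.dll" in the command lines is subject to WoW64 file-system redirection, which is why the file actually created is C:\Windows\SysWOW64\rpcss.dll. A detection that keys only on the literal System32 path will miss the SysWOW64 variant and vice versa. The following is an added example by the editor, not part of the sandbox report or of any vendor's rule set: it classifies Sysmon-style process-creation events (field names ProcessId, ParentProcessId, Image, CommandLine, as in Sysmon Event ID 1) and correlates tagged children under one parent. The sample events are constructed from the tree above plus one benign takeown for contrast; the tag names and thresholds are the editor's assumptions.

```python
"""Detect the takeown -> icacls -> overwrite/delete chain against a System32 DLL.

Editor's example, not code from the report. Event dicts mirror Sysmon Event ID 1
fields; tag names and the >=2 distinct-behaviour threshold are assumptions.
"""
import re
from collections import defaultdict

# Matches both the System32 spelling in the command lines and the SysWOW64
# location WoW64 redirects 32-bit processes to, plus %SystemRoot% (single or
# doubled percent signs, as captured in the cmd.exe line above).
PROTECTED_DIR = re.compile(
    r'(?:%+systemroot%+|[a-z]:\\windows)\\(?:system32|syswow64)\\', re.IGNORECASE)


def is_protected_path(arg):
    """True if the argument string names something under System32/SysWOW64."""
    return PROTECTED_DIR.search(arg) is not None


def classify(ev):
    """Return the tags that make one process-creation event suspicious, or []."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    low = cmd.lower()
    tags = []
    if image == "takeown.exe" and "/f" in low and is_protected_path(cmd):
        tags.append("takeown_system_file")
    if image == "icacls.exe" and re.search(r'/grant\s+\S+:f\b', low) and is_protected_path(cmd):
        tags.append("icacls_full_control_system_file")
    if image == "regsvr32.exe" and re.search(r'\\appdata\\local\\temp\\', low):
        tags.append("regsvr32_dll_from_temp")
    if image == "cmd.exe" and re.search(r'\bdel\b', low) and is_protected_path(cmd):
        tags.append("cmd_delete_in_system_dir")
    return tags


def correlate(events):
    """Group tagged children by parent PID; alert when one parent drives at
    least two distinct suspicious behaviours (takeown + icacls, for instance).
    A lone takeown by an administrator on a user file never reaches that bar."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            children[ev["ParentProcessId"]].append((ev, tags))
    alerts = []
    for ppid, items in children.items():
        distinct = sorted({t for _, tags in items for t in tags})
        if len(distinct) < 2:
            continue
        parent = by_pid.get(ppid)
        alerts.append({
            "parent_pid": ppid,
            "parent_image": parent["Image"] if parent else None,
            "parent_tags": classify(parent) if parent else [],
            "child_tags": distinct,
            "children": [ev["ProcessId"] for ev, _ in items],
        })
    return alerts


# Constructed events: the five processes from the report's tree, plus one
# benign takeown (PID 3001, hypothetical) that must not trigger an alert.
SAMPLE_EVENTS = [
    {"ProcessId": 2548, "ParentProcessId": 1,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe"'},
    {"ProcessId": 1868, "ParentProcessId": 2548,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp ,C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe'},
    {"ProcessId": 1276, "ParentProcessId": 1868,
     "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r'takeown /f "C:\Windows\system32\rpcss.dll"'},
    {"ProcessId": 1268, "ParentProcessId": 1868,
     "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F'},
    {"ProcessId": 2792, "ParentProcessId": 1868,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c del %%SystemRoot%%\system32\rpcss.dll~*'},
    {"ProcessId": 3001, "ParentProcessId": 2900,
     "Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r'takeown /f C:\Users\Admin\Documents\old.docx'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints a single alert for parent PID 1868 (regsvr32.exe, itself tagged for loading a DLL from the user's Temp directory) with three child behaviours. The benign takeown on a document produces no tag because the target is outside the protected directories, and even a tagged single child would not alert on its own; the parent-level correlation is what separates this chain from routine administration.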
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 5288bf10a1e9f472bcdd5a41fc3d3c9c
SHA1: df401463b6e46b9fdb78e052afe3f68707ce3ee4
SHA256: 1eb4d0e97fd12ecf2667b32c493abd1fcc267ecddea4c71a664d5fe64fb0e296
SHA512: 21cee36333b1541cfbdd3e3b68e4a1f99de5c662ce58e65b4c637fe0ddd8b919f02dd5b3b6a139b4f4cb3d90863dcf7963419fd1d97f52426574040f6cae18e8

Filesize: 233B
MD5: ec1e18e126d0dc363ce376e07707aeb2
SHA1: dac292e5a1ed888b30b3eabce6a7f2ee943b48bb
SHA256: 2f550a9fb42e2161665dcbcc7f1b2efde59f884bb8b7b3c5861e3251954794e3
SHA512: 9716b4d4bd338e1dadcec58a398e456eb2c47d53ea275e95b3185eb4d56339cf592a342046cf27611a164b29152fe249a96d44fb1e527932fab046eb803a54cf