Analysis

  • max time kernel: 121s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-08-2024 16:49

General

  • Target: 93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
  • Size: 111KB
  • MD5: 93ec999f6c60ec676d4da0affcc41bbe
  • SHA1: 66c5fd77d2c803a712c99b3275ad5372032a757c
  • SHA256: 14e82d16bd6f3390206b6f35771783f16e02b3f989e88550746af2e89158a4ea
  • SHA512: 0bd4a104202399eae7a2f422abf61d50af7391b7cf00a7ceb9d02a45d2272bef29457b8465afd926b57970040bdfe41dc3e01d97e2499302a189d23d3089b00e
  • SSDEEP: 1536:3rD679bBLGG2UwifjK1q3BhNL782aLpFtVltN2jHCu9jJM6wWO:3voltwi7GEBhN3kLpFtqiuzO

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
    PID:612
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    1⤵
    PID:692
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    1⤵
    PID:776
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    1⤵
    PID:824
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    PID:852
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    PID:976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    1⤵
    PID:296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    1⤵
    PID:1084
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    1⤵
    PID:2268
  • C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp ,C:\Users\Admin\AppData\Local\Temp\93ec999f6c60ec676d4da0affcc41bbe_JaffaCakes118.exe
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\system32\rpcss.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~~f76a506.tmp
    Filesize: 1.0MB
    MD5: 5288bf10a1e9f472bcdd5a41fc3d3c9c
    SHA1: df401463b6e46b9fdb78e052afe3f68707ce3ee4
    SHA256: 1eb4d0e97fd12ecf2667b32c493abd1fcc267ecddea4c71a664d5fe64fb0e296
    SHA512: 21cee36333b1541cfbdd3e3b68e4a1f99de5c662ce58e65b4c637fe0ddd8b919f02dd5b3b6a139b4f4cb3d90863dcf7963419fd1d97f52426574040f6cae18e8
  • C:\Windows\SysWOW64\apa.dll
    Filesize: 233B
    MD5: ec1e18e126d0dc363ce376e07707aeb2
    SHA1: dac292e5a1ed888b30b3eabce6a7f2ee943b48bb
    SHA256: 2f550a9fb42e2161665dcbcc7f1b2efde59f884bb8b7b3c5861e3251954794e3
    SHA512: 9716b4d4bd338e1dadcec58a398e456eb2c47d53ea275e95b3185eb4d56339cf592a342046cf27611a164b29152fe249a96d44fb1e527932fab046eb803a54cf
  • memory/612-12-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize: 4KB