Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2024 21:09

General

  • Target

    94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    94be68a29c3014ee15064f7824ac8136

  • SHA1

    f719996139aa66e311b26d417ea82f5b52db8304

  • SHA256

    407ba88105aba9abdef63505654070fe5aca39d066bc6273f2aeb853e47db523

  • SHA512

    002138be8b4594997d19033de749110590a7194e32b6c9bd301177d4b8def55db01efb24af508fdb8778fa58d18ba1e40d396841c321ca2abd6cd9c8d907e1ee

  • SSDEEP

    1536:5Hy7EO3aKNrN01NFJDXjjX1XQTAW9VgWGMCDFpnixaeY:9y7/Dp01hXjjX1rWGMIpnN

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    1⤵
      PID:592
    • C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76c39d.tmp ,C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\rpcss.dll"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:264
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:2708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~~f76c39d.tmp

      Filesize

      1.0MB

      MD5

      09b474a2a070f23d33686f13f52e7cf2

      SHA1

      71e1faccf6be787c2248f866cc93aa001201cfe0

      SHA256

      0584c935b74e15689cbc50a9bd2416137d20a61fdde36603df1210fb82f5c4a5

      SHA512

      0444bb327390956a239010175c45a46b994785edc3326e4455791d6ec6becfeab2a653b55bf5f30f6634946324fce0b529f0039fae26f4faacafdc02bd59c4f2

    • C:\Windows\SysWOW64\apa.dll

      Filesize

      221B

      MD5

      1e87cfbacd4978a75112865c344376af

      SHA1

      29966f4038f9f6ef7421f40353c41fe7b6ca7c84

      SHA256

      83717d28af61d83ceab0fafe3670362a8f63af1b246d6d5c9a5fa32a1b8acaa1

      SHA512

      202ee268c8d067e5116bc42c59eba87fb568b9b34a20456f4f9185e153e43c3da8e1f74c286e621cd5f6d82c2b4f51933f89ef6f6f0101780b1ce25e82568600

    • memory/592-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

    • memory/2548-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB