Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 21:09
Behavioral task behavioral1
- Sample: 94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
- Size: 68KB
- MD5: 94be68a29c3014ee15064f7824ac8136
- SHA1: f719996139aa66e311b26d417ea82f5b52db8304
- SHA256: 407ba88105aba9abdef63505654070fe5aca39d066bc6273f2aeb853e47db523
- SHA512: 002138be8b4594997d19033de749110590a7194e32b6c9bd301177d4b8def55db01efb24af508fdb8778fa58d18ba1e40d396841c321ca2abd6cd9c8d907e1ee
- SSDEEP: 1536:5Hy7EO3aKNrN01NFJDXjjX1XQTAW9VgWGMCDFpnixaeY:9y7/Dp01hXjjX1rWGMIpnN
Malware Config
Signatures
-
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe (PID 264), icacls.exe (PID 2708)
-
Deletes itself (1 IoC)
Processes: regsvr32.exe (PID 2064)
-
Loads dropped DLL (1 IoC)
Processes: regsvr32.exe (PID 2064)
-
Modifies file permissions (1 TTP, 2 IoCs)
Processes: takeown.exe (PID 264), icacls.exe (PID 2708)
-
YARA rule match: upx (1 IoC)
Resource: behavioral1/memory/2548-0-0x0000000000400000-0x0000000000421000-memory.dmp (memory region 0x400000-0x421000 of PID 2548, the sample's own image)
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
-
Drops file in System32 directory (3 IoCs)
Processes:
- regsvr32.exe: file opened for modification C:\Windows\SysWOW64\rpcss.dll
- regsvr32.exe: file opened for modification C:\Windows\SysWOW64\apa.dll
- regsvr32.exe: file created C:\Windows\SysWOW64\rpcss.dll
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language opened by each of icacls.exe, 94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe, regsvr32.exe and takeown.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: regsvr32.exe (PID 2064), three occurrences
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token SeDebugPrivilege: regsvr32.exe (PID 2064)
- Token SeTakeOwnershipPrivilege: takeown.exe (PID 264)
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 2548 (94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe) wrote to memory of PID 2064 (regsvr32.exe): 7 events
- PID 2064 (regsvr32.exe) wrote to memory of PID 264 (takeown.exe): 4 events
- PID 2064 (regsvr32.exe) wrote to memory of PID 2708 (icacls.exe): 4 events
- PID 2064 (regsvr32.exe) wrote to memory of PID 592 (svchost.exe): 1 event
The first three entries are a parent writing into a child it has just created. The single write from regsvr32.exe into PID 592 (svchost.exe -k DcomLaunch, a pre-existing process that is not a child of regsvr32.exe) is the one that does not fit process creation and is worth following up.
Processes
- PID 592, depth 1
  image: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- PID 2548, depth 1
  image: C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - PID 2064, depth 2
    image: C:\Windows\SysWOW64\regsvr32.exe
    command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76c39d.tmp ,C:\Users\Admin\AppData\Local\Temp\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID 264, depth 3
      image: C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f "C:\Windows\system32\rpcss.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - PID 2708, depth 3
      image: C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
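The process tree above (sample, then regsvr32.exe /s on a DLL in the user's Temp directory, then takeown.exe and icacls.exe against rpcss.dll, then rpcss.dll created under SysWOW64) is the chain a detection should stitch together rather than alert on piecemeal. The Python below is an added example written for this page; it is not part of the sandbox report or its tooling. It encodes the report's PIDs, command lines and file IoCs as constructed Sysmon-style records (the record shape, and the parent PID of the sample, which the page does not list, are assumptions) and correlates them. One detail matters for the correlation: takeown.exe, icacls.exe and regsvr32.exe all run from C:\Windows\SysWOW64, i.e. as 32-bit processes, so the C:\Windows\system32\rpcss.dll named on their command lines is redirected by WOW64 file-system redirection to C:\Windows\SysWOW64\rpcss.dll, which is exactly the path the file IoCs show. The example normalises that before matching the ACL change to the file write.

```python
"""Correlate the takeown/icacls/regsvr32 chain from this report.

Added example, not part of the sandbox report. The events below are
constructed from the report's process tree and file IoCs; the Sysmon-like
record shape and ppid=0 for the sample ("parent not listed") are assumptions.
"""
import re
from dataclasses import dataclass

SYS32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
QUOTED = re.compile(r'"([^"]+)"')
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int
    op: str      # "created" or "modified"
    path: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wow64_redirect(path: str, image: str) -> str:
    """A 32-bit process (image under SysWOW64) that names C:\\Windows\\system32
    is transparently redirected by WOW64 to C:\\Windows\\SysWOW64. Normalising
    here is what lets the takeown/icacls target match the file-write IoC."""
    if image.lower().startswith(SYSWOW64) and path.lower().startswith(SYS32):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYS32):]
    return path


def in_system_dir(path: str) -> bool:
    return path.lower().startswith((SYS32, SYSWOW64))


def acl_target(ev: ProcEvent):
    """Target file of a takeown/icacls invocation (first quoted argument), or None."""
    if basename(ev.image) not in ("takeown.exe", "icacls.exe"):
        return None
    m = QUOTED.search(ev.cmdline)
    return wow64_redirect(m.group(1), ev.image) if m else None


def detect(procs, files):
    """Return (rule, pid, detail) findings over process and file events."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    acl_changed = {}  # normalised path -> pids that changed its ownership/ACL

    for p in procs:
        target = acl_target(p)
        if target and in_system_dir(target):
            acl_changed.setdefault(target.lower(), set()).add(p.pid)
            findings.append(("acl-change-on-system-file", p.pid, target))
        if (basename(p.image) == "regsvr32.exe" and " /s " in p.cmdline.lower()
                and TEMP_DIR.search(p.cmdline)):
            findings.append(("regsvr32-silent-load-from-temp", p.pid, p.cmdline))

    for f in files:
        if f.op != "created" or f.path.lower() not in acl_changed:
            continue
        helpers = acl_changed[f.path.lower()]
        # The writer is the parent of the takeown/icacls children: one actor, one chain.
        if any(by_pid[h].ppid == f.pid for h in helpers if h in by_pid):
            findings.append(("system-dll-replaced-after-acl-change", f.pid, f.path))
    return findings


# Constructed from the report's process tree and file IoCs.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\94be68a29c3014ee15064f7824ac8136_JaffaCakes118.exe"
PROCS = [
    ProcEvent(2548, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2064, 2548, "C:\\Windows\\SysWOW64\\regsvr32.exe",
              f'"C:\\Windows\\system32\\regsvr32.exe" /s C:\\Users\\Admin\\AppData\\Local\\Temp\\~~f76c39d.tmp ,{SAMPLE}'),
    ProcEvent(264, 2064, "C:\\Windows\\SysWOW64\\takeown.exe",
              'takeown /f "C:\\Windows\\system32\\rpcss.dll"'),
    ProcEvent(2708, 2064, "C:\\Windows\\SysWOW64\\icacls.exe",
              'icacls "C:\\Windows\\system32\\rpcss.dll" /grant administrators:F'),
]
FILES = [
    FileEvent(2064, "modified", "C:\\Windows\\SysWOW64\\apa.dll"),
    FileEvent(2064, "created", "C:\\Windows\\SysWOW64\\rpcss.dll"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, FILES):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

Running it yields four findings: the two ownership/ACL changes on C:\Windows\SysWOW64\rpcss.dll (PIDs 264 and 2708), the silent regsvr32 load from Temp (PID 2064), and the replacement of rpcss.dll by PID 2064 after its children had taken ownership and granted Full Control; apa.dll, which was only opened for modification with no ACL change, is not flagged. When triaging a host against this report, inspect both C:\Windows\SysWOW64\rpcss.dll and C:\Windows\System32\rpcss.dll: the report shows writes only to the 32-bit copy, so the 64-bit copy should still match the OS-supplied file and any divergence there points to activity beyond what this run recorded.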
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: 09b474a2a070f23d33686f13f52e7cf2
  SHA1: 71e1faccf6be787c2248f866cc93aa001201cfe0
  SHA256: 0584c935b74e15689cbc50a9bd2416137d20a61fdde36603df1210fb82f5c4a5
  SHA512: 0444bb327390956a239010175c45a46b994785edc3326e4455791d6ec6becfeab2a653b55bf5f30f6634946324fce0b529f0039fae26f4faacafdc02bd59c4f2
- Filesize: 221B
  MD5: 1e87cfbacd4978a75112865c344376af
  SHA1: 29966f4038f9f6ef7421f40353c41fe7b6ca7c84
  SHA256: 83717d28af61d83ceab0fafe3670362a8f63af1b246d6d5c9a5fa32a1b8acaa1
  SHA512: 202ee268c8d067e5116bc42c59eba87fb568b9b34a20456f4f9185e153e43c3da8e1f74c286e621cd5f6d82c2b4f51933f89ef6f6f0101780b1ce25e82568600