Analysis

  • max time kernel
    138s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 09:02

General

  • Target

    956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    956ecee0b2fe1746919f1d5a5637b29e

  • SHA1

    969e47b3ec246ad2f21750b02bd529ca5574ba2d

  • SHA256

    ba2429dad3052f28d4b0f818c3947aad02913da0070da6c662a6ea65713ee732

  • SHA512

    273f648dad365ea70c6bd8decdd46bce695e7b623ea14547e64f6e4a972f6dcd492769956d4516a90df0d5048b177b9a0670c504afe1b4cfae3c04583252de39

  • SSDEEP

    1536:w0vb1vAZdvIHPhfkGxJXk6CnKZ/Ld08KKvP1x:w0D1vAZVI5fvwKZ/B08K+

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
      PID:784
    • C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"
      1⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\rpcss.dll"
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4920
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:4332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp

      Filesize

      1.0MB

      MD5

      aa7b1b80caf7942a4f77979bd231aa7c

      SHA1

      3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685

      SHA256

      b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c

      SHA512

      8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5

    • C:\Windows\SysWOW64\apa.dll

      Filesize

      225B

      MD5

      e7c435b8ac70804e964a2fd149558bae

      SHA1

      e2671749cec17d438c2c26a1678d2c6586a73e85

      SHA256

      9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43

      SHA512

      b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484

    • memory/528-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/528-3-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB