Analysis
- max time kernel: 138s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2024 09:02
Behavioral task: behavioral1
- Sample: 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
- Size: 68KB
- MD5: 956ecee0b2fe1746919f1d5a5637b29e
- SHA1: 969e47b3ec246ad2f21750b02bd529ca5574ba2d
- SHA256: ba2429dad3052f28d4b0f818c3947aad02913da0070da6c662a6ea65713ee732
- SHA512: 273f648dad365ea70c6bd8decdd46bce695e7b623ea14547e64f6e4a972f6dcd492769956d4516a90df0d5048b177b9a0670c504afe1b4cfae3c04583252de39
- SSDEEP: 1536:w0vb1vAZdvIHPhfkGxJXk6CnKZ/Ld08KKvP1x:w0D1vAZVI5fvwKZ/B08K+
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 4920), icacls.exe (PID 4332)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe)
- Deletes itself (1 IoC)
  Processes: regsvr32.exe (PID 4632)
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe (PID 4632)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: icacls.exe (PID 4332), takeown.exe (PID 4920)
- YARA rule matches (resource: yara_rule)
  behavioral2/memory/528-0-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral2/memory/528-3-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
- Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\rpcss.dll (regsvr32.exe)
  File opened for modification: C:\Windows\SysWOW64\apa.dll (regsvr32.exe)
  File created: C:\Windows\SysWOW64\rpcss.dll (regsvr32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe, regsvr32.exe, takeown.exe and icacls.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: regsvr32.exe (PID 4632), 6 occurrences
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, regsvr32.exe (PID 4632)
  Token: SeTakeOwnershipPrivilege, takeown.exe (PID 4920)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 528 (956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe) wrote to memory of PID 4632 (regsvr32.exe), 3 times
  PID 4632 (regsvr32.exe) wrote to memory of PID 4920 (takeown.exe), 3 times
  PID 4632 (regsvr32.exe) wrote to memory of PID 4332 (icacls.exe), 3 times
  PID 4632 (regsvr32.exe) wrote to memory of PID 784 (svchost.exe), 1 time
Processes
- PID 784: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
- PID 528: C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - PID 4632: C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
    Signatures: Deletes itself; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 4920: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "C:\Windows\system32\rpcss.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - PID 4332: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: aa7b1b80caf7942a4f77979bd231aa7c
  SHA1: 3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685
  SHA256: b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c
  SHA512: 8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5
- Filesize: 225B
  MD5: e7c435b8ac70804e964a2fd149558bae
  SHA1: e2671749cec17d438c2c26a1678d2c6586a73e85
  SHA256: 9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43
  SHA512: b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484