Malware Analysis Report

2024-11-16 12:52

Sample ID 240814-kzqcxatdqc
Target 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118
SHA256 ba2429dad3052f28d4b0f818c3947aad02913da0070da6c662a6ea65713ee732
Tags defense_evasion discovery exploit upx
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 ba2429dad3052f28d4b0f818c3947aad02913da0070da6c662a6ea65713ee732

Threat Level: Likely malicious

The file 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit upx

Possible privilege escalation attempt

Loads dropped DLL

UPX packed file

Checks computer location settings

Modifies file permissions

Deletes itself

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-14 09:02

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 09:02

Reported

2024-08-14 09:05

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

130s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/528-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/528-3-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp

MD5 aa7b1b80caf7942a4f77979bd231aa7c
SHA1 3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685
SHA256 b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c
SHA512 8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5

C:\Windows\SysWOW64\apa.dll

MD5 e7c435b8ac70804e964a2fd149558bae
SHA1 e2671749cec17d438c2c26a1678d2c6586a73e85
SHA256 9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43
SHA512 b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 09:02

Reported

2024-08-14 09:05

Platform

win7-20240708-en

Max time kernel

121s

Max time network

125s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2392 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1924 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1924 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1924 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1924 wrote to memory of 2052 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 1924 wrote to memory of 2080 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1924 wrote to memory of 2080 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1924 wrote to memory of 2080 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1924 wrote to memory of 2080 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 1924 wrote to memory of 612 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76b5f7.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

N/A

Files

memory/2392-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2392-3-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~~f76b5f7.tmp

MD5 aa7b1b80caf7942a4f77979bd231aa7c
SHA1 3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685
SHA256 b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c
SHA512 8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5

C:\Windows\SysWOW64\apa.dll

MD5 e7c435b8ac70804e964a2fd149558bae
SHA1 e2671749cec17d438c2c26a1678d2c6586a73e85
SHA256 9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43
SHA512 b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484

memory/612-15-0x00000000001E0000-0x00000000001E1000-memory.dmp