Analysis Overview
SHA256
ba2429dad3052f28d4b0f818c3947aad02913da0070da6c662a6ea65713ee732
Threat Level: Likely malicious
The file 956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Loads dropped DLL
UPX packed file
Checks computer location settings
Modifies file permissions
Deletes itself
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 09:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 09:02
Reported
2024-08-14 09:05
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
130s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/528-0-0x0000000000400000-0x0000000000421000-memory.dmp
memory/528-3-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~~e579191.tmp
| MD5 | aa7b1b80caf7942a4f77979bd231aa7c |
| SHA1 | 3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685 |
| SHA256 | b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c |
| SHA512 | 8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5 |
C:\Windows\SysWOW64\apa.dll
| MD5 | e7c435b8ac70804e964a2fd149558bae |
| SHA1 | e2671749cec17d438c2c26a1678d2c6586a73e85 |
| SHA256 | 9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43 |
| SHA512 | b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 09:02
Reported
2024-08-14 09:05
Platform
win7-20240708-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76b5f7.tmp ,C:\Users\Admin\AppData\Local\Temp\956ecee0b2fe1746919f1d5a5637b29e_JaffaCakes118.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
Network
Files
memory/2392-0-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2392-3-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~~f76b5f7.tmp
| MD5 | aa7b1b80caf7942a4f77979bd231aa7c |
| SHA1 | 3cefc5f9e1abbbdf4c8d59d7daa0b450fafbe685 |
| SHA256 | b4190768fd99c7a0964d09d66442b9b40af393938c6f0f53698044f859aad09c |
| SHA512 | 8786431ee36b62af7e69c902291697669ac67ababe9c43ed58285b8c4e6535bbcf2c0937d5908b7b432d2fc4b9b1bafd47dda344a0d97381832a3d23a28022c5 |
C:\Windows\SysWOW64\apa.dll
| MD5 | e7c435b8ac70804e964a2fd149558bae |
| SHA1 | e2671749cec17d438c2c26a1678d2c6586a73e85 |
| SHA256 | 9a37aa6fc8402fda309b862d8dbfaf0dd1e6b22c71c19ab0e9473b0ed510cf43 |
| SHA512 | b6333fca1ffe69dbcbccc7fa82b54ffa7185901487cbf6edfdf6a970f602d93bb8a51a4fc0d7397039f528e759b834d518b78dd6f45bc2dfaa535a746a7c5484 |
memory/612-15-0x00000000001E0000-0x00000000001E1000-memory.dmp