205d204777afb49d6639e90caded6358619a1cc6b4fd893c61b83652ea33a8e2

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe
Size

110KB
MD5

fb46fba7ac18e7ce99020b71f4c9ec84
SHA1

0d3c37bc1c886961652e3f732eaa9a6e07463114
SHA256

205d204777afb49d6639e90caded6358619a1cc6b4fd893c61b83652ea33a8e2
SHA512

a728545985246be96babdb370c7d43c94ede1112da9328d8916765cade10fdc3985a1c0aa99c44ee5962b4999499bb8de86a34bbf37ef139b344a55934abd1c8
SSDEEP

1536:xV1XF99fQgtVXMWnT8YtFzii7lF/BSNL9l2xisFtVlzkAyHCVDmi:dp/LnT8YtF+ihxBSNhsisFtDyi1

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3044	takeown.exe
2328	icacls.exe

Deletes itself 1 IoCs

pid	Process
1148	regsvr32.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3044	takeown.exe
2328	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	regsvr32.exe
Token: SeTakeOwnershipPrivilege	3044	takeown.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 632 wrote to memory of 1148	632	fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe	30
PID 1148 wrote to memory of 3044	1148	regsvr32.exe	31
PID 1148 wrote to memory of 3044	1148	regsvr32.exe	31
PID 1148 wrote to memory of 3044	1148	regsvr32.exe	31
PID 1148 wrote to memory of 3044	1148	regsvr32.exe	31
PID 1148 wrote to memory of 2328	1148	regsvr32.exe	33
PID 1148 wrote to memory of 2328	1148	regsvr32.exe	33
PID 1148 wrote to memory of 2328	1148	regsvr32.exe	33
PID 1148 wrote to memory of 2328	1148	regsvr32.exe	33
PID 1148 wrote to memory of 604	1148	regsvr32.exe	9
PID 1148 wrote to memory of 604	1148	regsvr32.exe	9
PID 1148 wrote to memory of 680	1148	regsvr32.exe	10
PID 1148 wrote to memory of 680	1148	regsvr32.exe	10
PID 1148 wrote to memory of 752	1148	regsvr32.exe	11
PID 1148 wrote to memory of 752	1148	regsvr32.exe	11
PID 1148 wrote to memory of 824	1148	regsvr32.exe	12
PID 1148 wrote to memory of 824	1148	regsvr32.exe	12
PID 1148 wrote to memory of 856	1148	regsvr32.exe	13
PID 1148 wrote to memory of 856	1148	regsvr32.exe	13
PID 1148 wrote to memory of 972	1148	regsvr32.exe	15
PID 1148 wrote to memory of 972	1148	regsvr32.exe	15
PID 1148 wrote to memory of 276	1148	regsvr32.exe	16
PID 1148 wrote to memory of 276	1148	regsvr32.exe	16
PID 1148 wrote to memory of 1056	1148	regsvr32.exe	18
PID 1148 wrote to memory of 1056	1148	regsvr32.exe	18
PID 1148 wrote to memory of 2448	1148	regsvr32.exe	26
PID 1148 wrote to memory of 2448	1148	regsvr32.exe	26
PID 1148 wrote to memory of 2844	1148	regsvr32.exe	35
PID 1148 wrote to memory of 2844	1148	regsvr32.exe	35
PID 1148 wrote to memory of 2844	1148	regsvr32.exe	35
PID 1148 wrote to memory of 2844	1148	regsvr32.exe	35

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f769b94.tmp ,C:\Users\Admin\AppData\Local\Temp\fb46fba7ac18e7ce99020b71f4c9ec84_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\system32\rpcss.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~f769b94.tmp

Filesize
1.0MB

MD5
43821b168664c892c277c164697fabf5

SHA1
1194ac07bb3f05504d7849fd518b2b7fb54185fa

SHA256
0a3601cdccd57ec2756b53568a24bc1270c29ea120983efd0ed4afbfe880e691

SHA512
baaf3e4543339f195a9937342dd46af89195a23f1c9cbe0f1a881089d2e85c318522c93be2a7c7507be490a8210c0874d02f7e851b093e6a07bde0263a76ea76

Download Submit
C:\Windows\SysWOW64\apa.dll

Filesize
154B

MD5
0ec0a8c3c73e9ac749b4380405f996c6

SHA1
35c60097424f3f96fd93089e0fb2f35a91afb626

SHA256
e06911fb24c91cefd6ae7ede1996f8de7462a7816438586b92ea6060df4cdd75

SHA512
494fa8a5febeee9ebd6fca8319a3631c528630a2e0e66bbe459899f250e664f7542fada928b47ad0257ab90a3a02eeab0ed8aa6d168e9bbb9da8be2672dae145

Download Submit
memory/604-12-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download