Malware Analysis Report

2024-12-07 14:41

Sample ID 241007-bnebts1bqa
Target 1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118
SHA256 19c40ea4fc905abaa2b3bc7d2f0babf9c72cffbba4f3218a1393792a6ac6a3d1
Tags
defense_evasion discovery exploit upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

19c40ea4fc905abaa2b3bc7d2f0babf9c72cffbba4f3218a1393792a6ac6a3d1

Threat Level: Likely malicious

The file 1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit upx

Possible privilege escalation attempt

Checks computer location settings

Deletes itself

Modifies file permissions

Loads dropped DLL

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 01:17

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 01:17

Reported

2024-10-07 01:19

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1920 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2356 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2356 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2356 wrote to memory of 1848 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\takeown.exe
PID 2356 wrote to memory of 2936 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2356 wrote to memory of 2936 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2356 wrote to memory of 2936 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2356 wrote to memory of 2936 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\icacls.exe
PID 2356 wrote to memory of 600 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~f768594.tmp ,C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

N/A

Files

memory/1920-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~f768594.tmp

MD5 8ea505496c77eeee84183008ca643fa8
SHA1 91f434cfa411597e3db967cb1bc0d5fde1ebaf59
SHA256 638799000bf98c3e69c0e97087df8cd494fb8035fcbbfc13a73482e62967d0ec
SHA512 c8a44976485f1bdb32c6624fe5fe57644923076b867b72c38c66becbeb2513267ba531f9a2b9a5393f78a06ab685c54fe08f0ffc780d5c71e6216f52255973cc

C:\Windows\SysWOW64\apa.dll

MD5 0d194f315e3f28297f94af9ae0b81bff
SHA1 dba11f576fff11a5d97cd6413a6a83068e2167bf
SHA256 17cdb7cca4008c44ab73b64b5ee67942c440d7fc619efc35f0d749829b825e35
SHA512 22a0e6e1c62ec70a8cb4d48544e64c7969967c2d6b7ae617c982e3848e106f14e24d3c7f1973332e410939bc62b7e3681f67a9ed56f880c5d5397ffa99184fb5

memory/600-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 01:17

Reported

2024-10-07 01:19

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

139s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apa.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\rpcss.dll C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~e57b4b9.tmp ,C:\Users\Admin\AppData\Local\Temp\1ab18ab1b70d91a73d643983798a1af6_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1696-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1696-3-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~e57b4b9.tmp

MD5 8ea505496c77eeee84183008ca643fa8
SHA1 91f434cfa411597e3db967cb1bc0d5fde1ebaf59
SHA256 638799000bf98c3e69c0e97087df8cd494fb8035fcbbfc13a73482e62967d0ec
SHA512 c8a44976485f1bdb32c6624fe5fe57644923076b867b72c38c66becbeb2513267ba531f9a2b9a5393f78a06ab685c54fe08f0ffc780d5c71e6216f52255973cc

C:\Windows\SysWOW64\apa.dll

MD5 0d194f315e3f28297f94af9ae0b81bff
SHA1 dba11f576fff11a5d97cd6413a6a83068e2167bf
SHA256 17cdb7cca4008c44ab73b64b5ee67942c440d7fc619efc35f0d749829b825e35
SHA512 22a0e6e1c62ec70a8cb4d48544e64c7969967c2d6b7ae617c982e3848e106f14e24d3c7f1973332e410939bc62b7e3681f67a9ed56f880c5d5397ffa99184fb5