Malware Analysis Report

2024-12-07 14:55

Sample ID 241011-yf5v5szgjd
Target 368242e26bfd75671a34e7ef19299ea0_JaffaCakes118
SHA256 e1a39cd36470c4ddaaf203f8dbf2192d59c423b312dfd97ca5eb947a15958b08
Tags
defense_evasion discovery exploit
score
8/10

Analysis Overview

score
8/10

SHA256

e1a39cd36470c4ddaaf203f8dbf2192d59c423b312dfd97ca5eb947a15958b08

Threat Level: Likely malicious

The file 368242e26bfd75671a34e7ef19299ea0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Deletes itself

Checks computer location settings

Modifies file permissions

Loads dropped DLL

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 19:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 19:44

Reported

2024-10-11 19:47

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 2628 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 2628 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 2628 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\takeown.exe
PID 2628 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 608 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~f76eea3.tmp ,C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~~f76eea3.tmp

MD5 f6472f72d70625ea560d48ba8a9cc1e0
SHA1 2c209367449c9dcd2c1f789921a64169f7d901f0
SHA256 5ba81aa28b067d14d682fcc6c747d459cceea0e37c6066f7432386d17d671879
SHA512 dd8761df48235208dc6974d182a34d8d86fbe4c9027252e3c622f59815cffd75b10e0e8a0246f907dcca7e4241114c890d3740e71be2c717a74b67f96cfec108

memory/608-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

C:\Windows\SysWOW64\apa.dll

MD5 24ac0d99a89c922a291f344618cd0210
SHA1 cc37cb3e749f477693029acee46aaa53e3851b7a
SHA256 45a663fafbbf6664dcf6d9662fed09e536ee320765ddf68a87eb58085b265ded
SHA512 a0ad3c5c59052e8dbab5462e635db9f7129644e730600581331a2438bc1d673060baa51eb7f8a94f0c55e3e4391067f5b382c1cd1d1ddb1717eb40b74533a2a1

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 19:44

Reported

2024-10-11 19:47

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\apa.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\rpcss.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e577ddb.tmp ,C:\Users\Admin\AppData\Local\Temp\368242e26bfd75671a34e7ef19299ea0_JaffaCakes118.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\system32\rpcss.dll"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\~~e577ddb.tmp

MD5 f6472f72d70625ea560d48ba8a9cc1e0
SHA1 2c209367449c9dcd2c1f789921a64169f7d901f0
SHA256 5ba81aa28b067d14d682fcc6c747d459cceea0e37c6066f7432386d17d671879
SHA512 dd8761df48235208dc6974d182a34d8d86fbe4c9027252e3c622f59815cffd75b10e0e8a0246f907dcca7e4241114c890d3740e71be2c717a74b67f96cfec108

C:\Windows\SysWOW64\apa.dll

MD5 24ac0d99a89c922a291f344618cd0210
SHA1 cc37cb3e749f477693029acee46aaa53e3851b7a
SHA256 45a663fafbbf6664dcf6d9662fed09e536ee320765ddf68a87eb58085b265ded
SHA512 a0ad3c5c59052e8dbab5462e635db9f7129644e730600581331a2438bc1d673060baa51eb7f8a94f0c55e3e4391067f5b382c1cd1d1ddb1717eb40b74533a2a1