7aaffd165e5afc593a062d7390ebb9236271d09f8b51efa96b35c5f285bf5fb9

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Size

24KB
MD5

1f21f94ba45380359311002a4e1d3da5
SHA1

465670e0b865c35a92b04057c453c14141f7634f
SHA256

7aaffd165e5afc593a062d7390ebb9236271d09f8b51efa96b35c5f285bf5fb9
SHA512

9d4fe824a01c111f61a20561890babbdb2c08ae98348f5e659e0186141e75ab67ff8eaae043f5b83ec8a063b608e4593f28900810767c6bd390cd4c3f276d3a7
SSDEEP

384:E0dJn1nUzy5q/AsprougOc4QUrFheclmfSp6A/fG3+RoRR5N0zw:vyzyU/DroV0eclmfCVe3+K9m

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1564 takeown.exe
2692 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe
3064 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1564 takeown.exe
2692 icacls.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp upx
behavioral1/memory/1688-11-0x0000000000400000-0x0000000000415000-memory.dmp upx

pid	process
1564	takeown.exe
2692	icacls.exe

pid	process
3064	cmd.exe

pid	process
3064	cmd.exe
3064	cmd.exe

pid	process
1564	takeown.exe
2692	icacls.exe

resource	yara_rule
behavioral1/memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1688-11-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ole.dll	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

pid process

1688 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exetakeown.exe

description pid process

Token: SeDebugPrivilege 1688 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege 1564 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

pid process

1688 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
1688 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

pid	process
1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe

pid	process
1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

description	pid	process	target process
PID 1688 wrote to memory of 1564	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	takeown.exe
PID 1688 wrote to memory of 1564	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	takeown.exe
PID 1688 wrote to memory of 1564	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	takeown.exe
PID 1688 wrote to memory of 1564	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	takeown.exe
PID 1688 wrote to memory of 2692	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	icacls.exe
PID 1688 wrote to memory of 2692	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	icacls.exe
PID 1688 wrote to memory of 2692	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	icacls.exe
PID 1688 wrote to memory of 2692	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	icacls.exe
PID 1688 wrote to memory of 3064	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 3064	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 3064	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 3064	1688	1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\delf766ce6.bat
2⤵
- Deletes itself
- Loads dropped DLL
PID:3064

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ole.dll
Filesize
44KB

MD5
c072f6aa14018be34db5fc5665f1886c

SHA1
e199df559aaa64265904bf33b177fedf2e16b91c

SHA256
5e5e798681cad5f5857fd3cb14119d059ff8effd7712ef58fe46682e7f74d3ab

SHA512
7a02554628c6d8ef6d38acd44fe65adfd99b8078002a35a71f50f25625693c125fd7e52cd7fa04c8b843fe7da57229efb67fc84b5dda2f7263c4539239922bfa

Download Submit
\??\c:\delf766ce6.bat
Filesize
235B

MD5
93fd3a4312d639c635dc97498cc9e394

SHA1
62a1044a8db5c848a62c4c21ff9121d3abcfdf85

SHA256
1b2e99046dec583b68e9040397c02bfd25d77c13646849b88f3f3703b1349e08

SHA512
1083982750463bc11d7e7585c3d4eef420cd16be4b68aae9324d45d12f6f27f042ce5c7dda468d34a2f9221271cb7c7d1f094a26d8b06aac3817176e45a919cc

Download Submit
\Windows\SysWOW64\imm32.dll
Filesize
121KB

MD5
ee8a95afbe7cfd7dd7a14f11fc1c057c

SHA1
63f127c7b44e7ece6bc7d757482ff4f4f815e7ba

SHA256
fadc12ffa9b439dafbb9ed871099f124305b858fbc2d23a4cbefa8aad8002794

SHA512
fc6b80ac0be03ea0692917ca3f4a2bb85adce52e1c5d2b816031a04e702b66c91e18b578244c420578a770278025ee97e8b8d58b0a205af5d2d547413416a03e

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1688-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1688-10-0x00000000758E0000-0x0000000075940000-memory.dmp

Filesize
384KB

Download
memory/3064-16-0x00000000755D0000-0x0000000075640000-memory.dmp

Filesize
448KB

Download
memory/3064-18-0x00000000755D0000-0x0000000075640000-memory.dmp

Filesize
448KB

Download