Analysis
max time kernel: 134s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 11:18
Behavioral task: behavioral1
Sample: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
Size: 24KB
MD5: 1f21f94ba45380359311002a4e1d3da5
SHA1: 465670e0b865c35a92b04057c453c14141f7634f
SHA256: 7aaffd165e5afc593a062d7390ebb9236271d09f8b51efa96b35c5f285bf5fb9
SHA512: 9d4fe824a01c111f61a20561890babbdb2c08ae98348f5e659e0186141e75ab67ff8eaae043f5b83ec8a063b608e4593f28900810767c6bd390cd4c3f276d3a7
SSDEEP: 384:E0dJn1nUzy5q/AsprougOc4QUrFheclmfSp6A/fG3+RoRR5N0zw:vyzyU/DroV0eclmfCVe3+K9m
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
  pid   process
  4272  takeown.exe
  4448  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
  pid   process
  4272  takeown.exe
  4448  icacls.exe

Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2072-0-0x0000000000400000-0x0000000000415000-memory.dmp    upx
  behavioral2/memory/2072-10-0x0000000000400000-0x0000000000415000-memory.dmp   upx

Drops file in System32 directory (4 IoCs)
Processes: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  description                   ioc                                process
  File created                  C:\Windows\SysWOW64\ole.dll        1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\imm32.dll.log  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\imm32.dll.log  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\imm32.dll      1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  pid   process
  2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe, takeown.exe
  description                      pid   process
  Token: SeDebugPrivilege          2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege  4272  takeown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  pid   process
  2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
  description                        pid   process                                              target process
  PID 2072 wrote to memory of 4272   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  takeown.exe
  PID 2072 wrote to memory of 4272   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  takeown.exe
  PID 2072 wrote to memory of 4272   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  takeown.exe
  PID 2072 wrote to memory of 4448   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  icacls.exe
  PID 2072 wrote to memory of 4448   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  icacls.exe
  PID 2072 wrote to memory of 4448   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  icacls.exe
  PID 2072 wrote to memory of 4776   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  cmd.exe
  PID 2072 wrote to memory of 4776   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  cmd.exe
  PID 2072 wrote to memory of 4776   2072  1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe  cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /F C:\Windows\system32\imm32.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\system32\imm32.dll /grant administrators:f
        - Possible privilege escalation attempt
        - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c c:\dele57753f.bat
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\??\c:\dele57753f.bat
  Filesize: 235B
  MD5: 5fb19fe926faa7b3895d54fc86d2a74c
  SHA1: 999fc16efdb9ec673699cd2bbefcf47ee3d7d4a6
  SHA256: db4f9c474517a8eb468ab0bc48d09682c56d0aeebbb9e93bb3b7a135e1ecca53
  SHA512: 81bae8972c0cde24c877518db6bdc4abb475c67f5c00fe1ca1579c1943fb65686f0fa1e934e5e42b5c9142122f9dc6fb461ceacbeaad67ee6e975cd68123a1af

memory/2072-0-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB

memory/2072-10-0x0000000000400000-0x0000000000415000-memory.dmp
  Filesize: 84KB

memory/2072-11-0x0000000075C80000-0x0000000075CA5000-memory.dmp
  Filesize: 148KB