9ab0454b1c89f9ab21865516283b864de57874ced4dde085413a0ad67b47d9dc

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
Size

84KB
MD5

20a0d06563330c7dbd5afe77f7e9428e
SHA1

ebb0e2cd05461eedfe6f09a3d4c4a587d5de2bca
SHA256

9ab0454b1c89f9ab21865516283b864de57874ced4dde085413a0ad67b47d9dc
SHA512

af4dc6002d073b6b4a82081eccd12b27d5f17aea31d4c16d2565dd7e929b49152c04e1ca728f67bc2896743e94b2c6ada26c9910fe61f9b575961eec0a6cb9aa
SSDEEP

1536:LCjPJjywFDzVUMKQNxGjgukyWKw9ufa6WuGvP:L+PJ/h7K2yNwsC6q

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3036 takeown.exe
2364 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2740 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2740 cmd.exe
2740 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3036 takeown.exe
2364 icacls.exe

pid	process
3036	takeown.exe
2364	icacls.exe

pid	process
2740	cmd.exe

pid	process
2740	cmd.exe
2740	cmd.exe

pid	process
3036	takeown.exe
2364	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\imm32.dll.log	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ole.dll	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

pid process

2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exetakeown.exe

description pid process

Token: SeDebugPrivilege 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege 3036 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

pid process

2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

pid	process
2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3036	takeown.exe

pid	process
2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

description	pid	process	target process
PID 2116 wrote to memory of 3036	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	takeown.exe
PID 2116 wrote to memory of 3036	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	takeown.exe
PID 2116 wrote to memory of 3036	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	takeown.exe
PID 2116 wrote to memory of 3036	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	takeown.exe
PID 2116 wrote to memory of 2364	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	icacls.exe
PID 2116 wrote to memory of 2364	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	icacls.exe
PID 2116 wrote to memory of 2364	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	icacls.exe
PID 2116 wrote to memory of 2364	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	icacls.exe
PID 2116 wrote to memory of 2740	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	cmd.exe
PID 2116 wrote to memory of 2740	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	cmd.exe
PID 2116 wrote to memory of 2740	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	cmd.exe
PID 2116 wrote to memory of 2740	2116	20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\delf76280a.bat
2⤵
- Deletes itself
- Loads dropped DLL
PID:2740

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\delf76280a.bat
Filesize
235B

MD5
b2832ab01fc2d3d9b95da3c45ea69b16

SHA1
6cf9ba87a915deaa9fd8a0c2579743e8942de28f

SHA256
4d1e0c93bd202237ca53058a8c36890c8704fc65b202a4b6c969efecf058f308

SHA512
753242935c56286306426cb7ca340fc14b78bbc306cbfe6a73da9c3c37ec4bc75f7b219618b1e86eed4d7b85b24c79f00a399990c8be7131298c51b460559c72

Download Submit
\Windows\SysWOW64\imm32.dll
Filesize
121KB

MD5
0df4608fcaad02443e298ac40e57d599

SHA1
8333845b95783015586320b4c143eaec1542b4e4

SHA256
ae7837b596bce804197eb65c0765774c516f8ffad163b78f9d3ea49585f5e263

SHA512
38b88987481915472852bce61086d493c667fd1dc3fec3be627240bca56c0129a583eb5bf3d8926e5ca9ff0c1b8b21465b3e9936780323207306bb9c1ea50bd3

Download Submit
\Windows\SysWOW64\ole.dll
Filesize
56KB

MD5
9d23fd757c88ec187865c65fbbafa363

SHA1
1c067804005581ad1cf24cd50e32f2b3a459b31b

SHA256
cb72e1246747da481932895c94a88e625b3d89e77fc55dde4742460daa6b8e1c

SHA512
93faff3e8ab568dd9ae2a8f3c4811abf78faca39301b07f585e1fe4bdd864a7a06b955ff8e4ea0ce684b556b865e31be166b5d0df24fb6059949ce192f840949

Download Submit
memory/2116-8-0x0000000076B10000-0x0000000076B70000-memory.dmp

Filesize
384KB

Download
memory/2740-13-0x0000000074790000-0x0000000074800000-memory.dmp

Filesize
448KB

Download
memory/2740-15-0x0000000074790000-0x0000000074800000-memory.dmp

Filesize
448KB

Download