Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
03-07-2024 01:33
Static task
static1
Behavioral task
behavioral1
Sample
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe
-
Size
84KB
-
MD5
20a0d06563330c7dbd5afe77f7e9428e
-
SHA1
ebb0e2cd05461eedfe6f09a3d4c4a587d5de2bca
-
SHA256
9ab0454b1c89f9ab21865516283b864de57874ced4dde085413a0ad67b47d9dc
-
SHA512
af4dc6002d073b6b4a82081eccd12b27d5f17aea31d4c16d2565dd7e929b49152c04e1ca728f67bc2896743e94b2c6ada26c9910fe61f9b575961eec0a6cb9aa
-
SSDEEP
1536:LCjPJjywFDzVUMKQNxGjgukyWKw9ufa6WuGvP:L+PJ/h7K2yNwsC6q
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 3036 takeown.exe 2364 icacls.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2740 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2740 cmd.exe 2740 cmd.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 3036 takeown.exe 2364 icacls.exe -
Drops file in System32 directory 4 IoCs
Processes:
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exedescription ioc process File created C:\Windows\SysWOW64\imm32.dll.log 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\imm32.dll.log 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe File created C:\Windows\SysWOW64\imm32.dll 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe File created C:\Windows\SysWOW64\ole.dll 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exepid process 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exetakeown.exedescription pid process Token: SeDebugPrivilege 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3036 takeown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exepid process 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exedescription pid process target process PID 2116 wrote to memory of 3036 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe takeown.exe PID 2116 wrote to memory of 3036 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe takeown.exe PID 2116 wrote to memory of 3036 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe takeown.exe PID 2116 wrote to memory of 3036 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe takeown.exe PID 2116 wrote to memory of 2364 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe icacls.exe PID 2116 wrote to memory of 2364 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe icacls.exe PID 2116 wrote to memory of 2364 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe icacls.exe PID 2116 wrote to memory of 2364 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe icacls.exe PID 2116 wrote to memory of 2740 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe cmd.exe PID 2116 wrote to memory of 2740 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe cmd.exe PID 2116 wrote to memory of 2740 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe cmd.exe PID 2116 wrote to memory of 2740 2116 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\system32\imm32.dll2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\imm32.dll /grant administrators:f2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\delf76280a.bat2⤵
- Deletes itself
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\delf76280a.batFilesize
235B
MD5b2832ab01fc2d3d9b95da3c45ea69b16
SHA16cf9ba87a915deaa9fd8a0c2579743e8942de28f
SHA2564d1e0c93bd202237ca53058a8c36890c8704fc65b202a4b6c969efecf058f308
SHA512753242935c56286306426cb7ca340fc14b78bbc306cbfe6a73da9c3c37ec4bc75f7b219618b1e86eed4d7b85b24c79f00a399990c8be7131298c51b460559c72
-
\Windows\SysWOW64\imm32.dllFilesize
121KB
MD50df4608fcaad02443e298ac40e57d599
SHA18333845b95783015586320b4c143eaec1542b4e4
SHA256ae7837b596bce804197eb65c0765774c516f8ffad163b78f9d3ea49585f5e263
SHA51238b88987481915472852bce61086d493c667fd1dc3fec3be627240bca56c0129a583eb5bf3d8926e5ca9ff0c1b8b21465b3e9936780323207306bb9c1ea50bd3
-
\Windows\SysWOW64\ole.dllFilesize
56KB
MD59d23fd757c88ec187865c65fbbafa363
SHA11c067804005581ad1cf24cd50e32f2b3a459b31b
SHA256cb72e1246747da481932895c94a88e625b3d89e77fc55dde4742460daa6b8e1c
SHA51293faff3e8ab568dd9ae2a8f3c4811abf78faca39301b07f585e1fe4bdd864a7a06b955ff8e4ea0ce684b556b865e31be166b5d0df24fb6059949ce192f840949
-
memory/2116-8-0x0000000076B10000-0x0000000076B70000-memory.dmpFilesize
384KB
-
memory/2740-13-0x0000000074790000-0x0000000074800000-memory.dmpFilesize
448KB
-
memory/2740-15-0x0000000074790000-0x0000000074800000-memory.dmpFilesize
448KB