4b39130448c3a36628a8ba3780f11da9ca263d0a2f9f607dcc9da242f31b413a

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Size

66KB
MD5

26a4607c4e7fc1af090c80b2ae98142d
SHA1

43b4ada99ed75a7e088a8749db0207d37bb4580c
SHA256

4b39130448c3a36628a8ba3780f11da9ca263d0a2f9f607dcc9da242f31b413a
SHA512

c4f0d798ea0f13a86626647bca591fc943313375683da56ae6ddae4925bc8a4e9ebd787c243a13ccd9111b085f4c4dd1ff7e394cce28cf1d70557bfa4201c532
SSDEEP

1536:Lbb+nBwt6jKMVWOmmnH3GzKxo+lANgpbtU2B5DrOFBgovn:PbWeg2mHXo+lAWpOFw6

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2572 takeown.exe
2612 icacls.exe
1636 takeown.exe
1672 icacls.exe
2812 takeown.exe
2824 icacls.exe
2104 takeown.exe
2676 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2052 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe

pid process

2120 26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
2120 26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1672 icacls.exe
2812 takeown.exe
2824 icacls.exe
2104 takeown.exe
2676 icacls.exe
2572 takeown.exe
2612 icacls.exe
1636 takeown.exe

pid	process
2572	takeown.exe
2612	icacls.exe
1636	takeown.exe
1672	icacls.exe
2812	takeown.exe
2824	icacls.exe
2104	takeown.exe
2676	icacls.exe

pid	process
2052	cmd.exe

pid	process
1672	icacls.exe
2812	takeown.exe
2824	icacls.exe
2104	takeown.exe
2676	icacls.exe
2572	takeown.exe
2612	icacls.exe
1636	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mshtml.dll	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dsound.dll	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.dll	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\kkdbwu.bpm	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kkdbwu.bpm	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rasapi32.dll	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe

pid	process
2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2812	takeown.exe
Token: SeTakeOwnershipPrivilege	2104	takeown.exe
Token: SeTakeOwnershipPrivilege	2572	takeown.exe
Token: SeTakeOwnershipPrivilege	1636	takeown.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 2680	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2680	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2680	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2680	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2680 wrote to memory of 2812	2680	cmd.exe	takeown.exe
PID 2680 wrote to memory of 2812	2680	cmd.exe	takeown.exe
PID 2680 wrote to memory of 2812	2680	cmd.exe	takeown.exe
PID 2680 wrote to memory of 2812	2680	cmd.exe	takeown.exe
PID 2680 wrote to memory of 2824	2680	cmd.exe	icacls.exe
PID 2680 wrote to memory of 2824	2680	cmd.exe	icacls.exe
PID 2680 wrote to memory of 2824	2680	cmd.exe	icacls.exe
PID 2680 wrote to memory of 2824	2680	cmd.exe	icacls.exe
PID 2120 wrote to memory of 2140	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2140	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2140	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2140	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2140 wrote to memory of 2104	2140	cmd.exe	takeown.exe
PID 2140 wrote to memory of 2104	2140	cmd.exe	takeown.exe
PID 2140 wrote to memory of 2104	2140	cmd.exe	takeown.exe
PID 2140 wrote to memory of 2104	2140	cmd.exe	takeown.exe
PID 2140 wrote to memory of 2676	2140	cmd.exe	icacls.exe
PID 2140 wrote to memory of 2676	2140	cmd.exe	icacls.exe
PID 2140 wrote to memory of 2676	2140	cmd.exe	icacls.exe
PID 2140 wrote to memory of 2676	2140	cmd.exe	icacls.exe
PID 2120 wrote to memory of 2544	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2544	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2544	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2544	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2544 wrote to memory of 2572	2544	cmd.exe	takeown.exe
PID 2544 wrote to memory of 2572	2544	cmd.exe	takeown.exe
PID 2544 wrote to memory of 2572	2544	cmd.exe	takeown.exe
PID 2544 wrote to memory of 2572	2544	cmd.exe	takeown.exe
PID 2544 wrote to memory of 2612	2544	cmd.exe	icacls.exe
PID 2544 wrote to memory of 2612	2544	cmd.exe	icacls.exe
PID 2544 wrote to memory of 2612	2544	cmd.exe	icacls.exe
PID 2544 wrote to memory of 2612	2544	cmd.exe	icacls.exe
PID 2120 wrote to memory of 2384	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2384	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2384	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2384	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2384 wrote to memory of 1636	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 1636	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 1636	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 1636	2384	cmd.exe	takeown.exe
PID 2384 wrote to memory of 1672	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 1672	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 1672	2384	cmd.exe	icacls.exe
PID 2384 wrote to memory of 1672	2384	cmd.exe	icacls.exe
PID 2120 wrote to memory of 2052	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2052	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2052	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2052	2120	26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\iphlpapi.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\rasapi32.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\mshtml.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\mshtml.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\dsound.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\dsound.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
2⤵
- Deletes itself
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
Filesize
210B

MD5
ed917ae18b8a2f511f1330c81218a828

SHA1
981f1d0c6e84a3a48346f69a39f2678f04454e06

SHA256
e123892f18d4eea4a031dc1eb511539e2e1fafacac3b956a31dd4a25269b3882

SHA512
ce851eeb6330cd60233eb233fce43a8367c10a31319be61415ba0cb66f5775631fc8b344e4cdb4283c3ed9b31112fa8211c9fdf0bca8731bd7409c88d8e38017

Download Submit
C:\Users\Admin\AppData\Local\Temp\iphlpapi.dll.temp
Filesize
101KB

MD5
70befd6065c045b7132621229cd763e3

SHA1
cd04d30d965105c43c6fceeccfe86f258f264e6d

SHA256
5a30a19643b28b84f24c93ec541ce3e4c6aa0fc6679ed989f709dffe44758695

SHA512
81a0247b991862a2af179170a6b6e3186355e1a8d67ba04f4bc10304e9ca18ecdaabce790c59bb0d0ace89cae1d7ebf6bf68da0ee5de8d2968482c41bd593cd5

Download Submit
C:\Windows\SysWOW64\dsound.dll
Filesize
443KB

MD5
432cefd29283817ddcfb98b3719887b7

SHA1
1a69178f80e53157f687344a6d93a0cb57c8e352

SHA256
6ef1cc22ed7f6d03da30746bf7c32342eb49bda83491285fa5569fa1a0e280ac

SHA512
1195c218eb7ae1002a2aadef0e16026380e39c425bc127abfb85b7b66702ee113b86a71085be682646f75c4a0099170e19eaa4b72e808f5fb3a29b00ce7b7a58

Download Submit
\Windows\SysWOW64\kkdbwu.bpm
Filesize
15KB

MD5
4ea43e03d6284850382b959e8c49755d

SHA1
7deff875e0617049a60e60c4949f713182c8df0d

SHA256
047555bae2136c20fabb3c99165bcc9a89d72cd42f456252b1ab4ba4af80226c

SHA512
290c2766c57656842ce2415a73d185cdf5fdc6247f3602f83980e034a0a9787b5fb9a9caaf64cea24c7c073892365a6c4801a7bacd7c4ec22f802f59ec1b02b2

Download Submit
memory/2120-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-37-0x0000000000490000-0x00000000004A9000-memory.dmp

Filesize
100KB

Download
memory/2120-36-0x0000000075360000-0x0000000075397000-memory.dmp

Filesize
220KB

Download
memory/2120-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-39-0x0000000075360000-0x0000000075397000-memory.dmp

Filesize
220KB

Download
memory/2120-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-49-0x0000000000490000-0x00000000004A9000-memory.dmp

Filesize
100KB

Download
memory/2120-48-0x0000000075360000-0x0000000075397000-memory.dmp

Filesize
220KB

Download