Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Size: 66KB
MD5: 26a4607c4e7fc1af090c80b2ae98142d
SHA1: 43b4ada99ed75a7e088a8749db0207d37bb4580c
SHA256: 4b39130448c3a36628a8ba3780f11da9ca263d0a2f9f607dcc9da242f31b413a
SHA512: c4f0d798ea0f13a86626647bca591fc943313375683da56ae6ddae4925bc8a4e9ebd787c243a13ccd9111b085f4c4dd1ff7e394cce28cf1d70557bfa4201c532
SSDEEP: 1536:Lbb+nBwt6jKMVWOmmnH3GzKxo+lANgpbtU2B5DrOFBgovn:PbWeg2mHXo+lAWpOFw6
Malware Config
Signatures
Possible privilege escalation attempt (8 IoCs)
Processes:
  pid   process
  2572  takeown.exe
  2612  icacls.exe
  1636  takeown.exe
  1672  icacls.exe
  2812  takeown.exe
  2824  icacls.exe
  2104  takeown.exe
  2676  icacls.exe
Deletes itself (1 IoC)
Processes:
  pid   process
  2052  cmd.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Modifies file permissions (1 TTP, 8 IoCs)
Processes:
  pid   process
  1672  icacls.exe
  2812  takeown.exe
  2824  icacls.exe
  2104  takeown.exe
  2676  icacls.exe
  2572  takeown.exe
  2612  icacls.exe
  1636  takeown.exe
Drops file in System32 directory (6 IoCs)
Processes:
  description                   ioc                                process
  File opened for modification  C:\Windows\SysWOW64\mshtml.dll     26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\dsound.dll     26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\iphlpapi.dll   26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\kkdbwu.bpm     26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\kkdbwu.bpm     26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\rasapi32.dll   26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe (5 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                       pid   process
  Token: SeTakeOwnershipPrivilege   2812  takeown.exe
  Token: SeTakeOwnershipPrivilege   2104  takeown.exe
  Token: SeTakeOwnershipPrivilege   2572  takeown.exe
  Token: SeTakeOwnershipPrivilege   1636  takeown.exe
Suspicious use of WriteProcessMemory (52 IoCs)
Processes (each row is logged 4 times in the report, 13 distinct parent/child pairs in total):
  pid   process                                              target pid  target process   events
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe   2680        cmd.exe          4
  2680  cmd.exe                                              2812        takeown.exe      4
  2680  cmd.exe                                              2824        icacls.exe       4
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe   2140        cmd.exe          4
  2140  cmd.exe                                              2104        takeown.exe      4
  2140  cmd.exe                                              2676        icacls.exe       4
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe   2544        cmd.exe          4
  2544  cmd.exe                                              2572        takeown.exe      4
  2544  cmd.exe                                              2612        icacls.exe       4
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe   2384        cmd.exe          4
  2384  cmd.exe                                              1636        takeown.exe      4
  2384  cmd.exe                                              1672        icacls.exe       4
  2120  26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe   2052        cmd.exe          4
Processes (process tree; indentation shows the depth level given in the report)

Level 1: C:\Users\Admin\AppData\Local\Temp\26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26a4607c4e7fc1af090c80b2ae98142d_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\system32\iphlpapi.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\system32\rasapi32.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\system32\mshtml.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\system32\mshtml.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\system32\dsound.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\system32\dsound.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
  Filesize: 210B
  MD5: ed917ae18b8a2f511f1330c81218a828
  SHA1: 981f1d0c6e84a3a48346f69a39f2678f04454e06
  SHA256: e123892f18d4eea4a031dc1eb511539e2e1fafacac3b956a31dd4a25269b3882
  SHA512: ce851eeb6330cd60233eb233fce43a8367c10a31319be61415ba0cb66f5775631fc8b344e4cdb4283c3ed9b31112fa8211c9fdf0bca8731bd7409c88d8e38017

C:\Users\Admin\AppData\Local\Temp\iphlpapi.dll.temp
  Filesize: 101KB
  MD5: 70befd6065c045b7132621229cd763e3
  SHA1: cd04d30d965105c43c6fceeccfe86f258f264e6d
  SHA256: 5a30a19643b28b84f24c93ec541ce3e4c6aa0fc6679ed989f709dffe44758695
  SHA512: 81a0247b991862a2af179170a6b6e3186355e1a8d67ba04f4bc10304e9ca18ecdaabce790c59bb0d0ace89cae1d7ebf6bf68da0ee5de8d2968482c41bd593cd5

C:\Windows\SysWOW64\dsound.dll
  Filesize: 443KB
  MD5: 432cefd29283817ddcfb98b3719887b7
  SHA1: 1a69178f80e53157f687344a6d93a0cb57c8e352
  SHA256: 6ef1cc22ed7f6d03da30746bf7c32342eb49bda83491285fa5569fa1a0e280ac
  SHA512: 1195c218eb7ae1002a2aadef0e16026380e39c425bc127abfb85b7b66702ee113b86a71085be682646f75c4a0099170e19eaa4b72e808f5fb3a29b00ce7b7a58

\Windows\SysWOW64\kkdbwu.bpm
  Filesize: 15KB
  MD5: 4ea43e03d6284850382b959e8c49755d
  SHA1: 7deff875e0617049a60e60c4949f713182c8df0d
  SHA256: 047555bae2136c20fabb3c99165bcc9a89d72cd42f456252b1ab4ba4af80226c
  SHA512: 290c2766c57656842ce2415a73d185cdf5fdc6247f3602f83980e034a0a9787b5fb9a9caaf64cea24c7c073892365a6c4801a7bacd7c4ec22f802f59ec1b02b2

memory/2120-5-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB

memory/2120-37-0x0000000000490000-0x00000000004A9000-memory.dmp
  Filesize: 100KB

memory/2120-36-0x0000000075360000-0x0000000075397000-memory.dmp
  Filesize: 220KB

memory/2120-38-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB

memory/2120-39-0x0000000075360000-0x0000000075397000-memory.dmp
  Filesize: 220KB

memory/2120-47-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB

memory/2120-49-0x0000000000490000-0x00000000004A9000-memory.dmp
  Filesize: 100KB

memory/2120-48-0x0000000075360000-0x0000000075397000-memory.dmp
  Filesize: 220KB