Malware Analysis Report

2024-09-11 05:38

Sample ID 240702-nebksszcpc
Target 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118
SHA256 7aaffd165e5afc593a062d7390ebb9236271d09f8b51efa96b35c5f285bf5fb9
Tags discovery exploit upx
Score 8/10

Analysis Overview

Score 8/10

SHA256 7aaffd165e5afc593a062d7390ebb9236271d09f8b51efa96b35c5f285bf5fb9

Threat Level: Likely malicious

The file 1f21f94ba45380359311002a4e1d3da5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit upx

Possible privilege escalation attempt

Modifies file permissions

Deletes itself

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 11:18

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 11:18

Reported

2024-07-02 11:20

Platform

win10v2004-20240611-en

Max time kernel

134s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ole.dll C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\imm32.dll C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\dele57753f.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2072-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2072-10-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2072-11-0x0000000075C80000-0x0000000075CA5000-memory.dmp

\??\c:\dele57753f.bat

MD5 5fb19fe926faa7b3895d54fc86d2a74c
SHA1 999fc16efdb9ec673699cd2bbefcf47ee3d7d4a6
SHA256 db4f9c474517a8eb468ab0bc48d09682c56d0aeebbb9e93bb3b7a135e1ecca53
SHA512 81bae8972c0cde24c877518db6bdc4abb475c67f5c00fe1ca1579c1943fb65686f0fa1e934e5e42b5c9142122f9dc6fb461ceacbeaad67ee6e975cd68123a1af

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 11:18

Reported

2024-07-02 11:20

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ole.dll C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\imm32.dll.log C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\imm32.dll C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\takeown.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\takeown.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\takeown.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\takeown.exe
PID 1688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1688 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\icacls.exe
PID 1688 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1f21f94ba45380359311002a4e1d3da5_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\delf766ce6.bat

Network

N/A

Files

memory/1688-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1688-11-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1688-10-0x00000000758E0000-0x0000000075940000-memory.dmp

C:\Windows\SysWOW64\ole.dll

MD5 c072f6aa14018be34db5fc5665f1886c
SHA1 e199df559aaa64265904bf33b177fedf2e16b91c
SHA256 5e5e798681cad5f5857fd3cb14119d059ff8effd7712ef58fe46682e7f74d3ab
SHA512 7a02554628c6d8ef6d38acd44fe65adfd99b8078002a35a71f50f25625693c125fd7e52cd7fa04c8b843fe7da57229efb67fc84b5dda2f7263c4539239922bfa

\Windows\SysWOW64\imm32.dll

MD5 ee8a95afbe7cfd7dd7a14f11fc1c057c
SHA1 63f127c7b44e7ece6bc7d757482ff4f4f815e7ba
SHA256 fadc12ffa9b439dafbb9ed871099f124305b858fbc2d23a4cbefa8aad8002794
SHA512 fc6b80ac0be03ea0692917ca3f4a2bb85adce52e1c5d2b816031a04e702b66c91e18b578244c420578a770278025ee97e8b8d58b0a205af5d2d547413416a03e

memory/3064-16-0x00000000755D0000-0x0000000075640000-memory.dmp

\??\c:\delf766ce6.bat

MD5 93fd3a4312d639c635dc97498cc9e394
SHA1 62a1044a8db5c848a62c4c21ff9121d3abcfdf85
SHA256 1b2e99046dec583b68e9040397c02bfd25d77c13646849b88f3f3703b1349e08
SHA512 1083982750463bc11d7e7585c3d4eef420cd16be4b68aae9324d45d12f6f27f042ce5c7dda468d34a2f9221271cb7c7d1f094a26d8b06aac3817176e45a919cc

memory/3064-18-0x00000000755D0000-0x0000000075640000-memory.dmp