Malware Analysis Report

2024-09-11 05:38

Sample ID 240703-bywnvszhne
Target 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118
SHA256 9ab0454b1c89f9ab21865516283b864de57874ced4dde085413a0ad67b47d9dc
Tags: discovery exploit
Score: 8/10

Table of Contents

Analysis Overview
  MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview


Threat Level: Likely malicious

The file 20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery exploit

Possible privilege escalation attempt

Loads dropped DLL

Deletes itself

Modifies file permissions

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-03 01:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-03 01:33

Reported

2024-07-03 01:36

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2116 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2116 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2116 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2116 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2116 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2116 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2116 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2116 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\delf76280a.bat

Network

N/A

Files

memory/2116-8-0x0000000076B10000-0x0000000076B70000-memory.dmp

memory/2740-13-0x0000000074790000-0x0000000074800000-memory.dmp

\Windows\SysWOW64\ole.dll

MD5 9d23fd757c88ec187865c65fbbafa363
SHA1 1c067804005581ad1cf24cd50e32f2b3a459b31b
SHA256 cb72e1246747da481932895c94a88e625b3d89e77fc55dde4742460daa6b8e1c
SHA512 93faff3e8ab568dd9ae2a8f3c4811abf78faca39301b07f585e1fe4bdd864a7a06b955ff8e4ea0ce684b556b865e31be166b5d0df24fb6059949ce192f840949

\??\c:\delf76280a.bat

MD5 b2832ab01fc2d3d9b95da3c45ea69b16
SHA1 6cf9ba87a915deaa9fd8a0c2579743e8942de28f
SHA256 4d1e0c93bd202237ca53058a8c36890c8704fc65b202a4b6c969efecf058f308
SHA512 753242935c56286306426cb7ca340fc14b78bbc306cbfe6a73da9c3c37ec4bc75f7b219618b1e86eed4d7b85b24c79f00a399990c8be7131298c51b460559c72

\Windows\SysWOW64\imm32.dll

MD5 0df4608fcaad02443e298ac40e57d599
SHA1 8333845b95783015586320b4c143eaec1542b4e4
SHA256 ae7837b596bce804197eb65c0765774c516f8ffad163b78f9d3ea49585f5e263
SHA512 38b88987481915472852bce61086d493c667fd1dc3fec3be627240bca56c0129a583eb5bf3d8926e5ca9ff0c1b8b21465b3e9936780323207306bb9c1ea50bd3

memory/2740-15-0x0000000074790000-0x0000000074800000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-03 01:33

Reported

2024-07-03 01:36

Platform

win10v2004-20240508-en

Max time kernel

120s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

Tags: exploit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\20a0d06563330c7dbd5afe77f7e9428e_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\dele575d81.bat

Network

Files

memory/660-9-0x0000000076920000-0x0000000076945000-memory.dmp

\??\c:\dele575d81.bat

MD5 7c5fd877cf5707f1a43564637f633d28
SHA1 d2216e15e0b630019014cb2e4ecd89fe101a403f
SHA256 7377e0abd61dfced7334976a97bf323d87eb210252250e7ed6c7712f6a9b4558
SHA512 4cb6d5fd97c0a3af4de22156d4ae6d8bfc39926be90406ad641043fa58855628f11fc31c72eb38064d3ee5aba284d3876e91f687477798e013da3d2242ca85f3