Analysis

  • max time kernel
    47s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    13-08-2024 01:14

General

  • Target

    9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe

  • Size

    51KB

  • MD5

    9109c6b1d5530a955abc65678c5aa2f4

  • SHA1

    5ff252acbc9603194b0c73444d83260f61cc5ae8

  • SHA256

    113c36cccdb69a23e50d48c308608448ec2f909e2e49744625fddce58fea8455

  • SHA512

    55ed35af669ebfc1dfa28573221f3338236eba2611c2aebb4816d96e3a23ecd511b54109487d7ab663ce44b84c414344b319a21cde9ab7d3ee3a4bbc7d5a862f

  • SSDEEP

    768:YYewFR1mZxx7042dsW4wZ5q4ArZBhiBoiqniGNrCpybtmMtVazN4l:Yjwr1ir92kwZg4SZBhiHhl0azM

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 8 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\iphlpapi.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\rasapi32.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\mshtml.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2692
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\mshtml.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\dsound.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\dsound.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:336
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat

    Filesize

    210B

    MD5

    c6634e908ea33c8306bcdcea7034facf

    SHA1

    3faa0ca440109cba0977d7cce6cfff170dd3e946

    SHA256

    cad7af9ff1c5b00db307eaa957449524ef7e6ab38cfb243561e517ac940f10f8

    SHA512

    93705fd052aa5fe411ca2733266a973283c9964195b511d3eaa76b0c9f52547abd40e557c4bb381ce96a2a4a74790799beb05760d2cf853a8790c1a79782032b

  • C:\Windows\SysWOW64\ghiijk.llm

    Filesize

    35KB

    MD5

    4d30266e518ae3012764d1c97d0a287f

    SHA1

    7cea399143a3f43e04bd2021841228064a402527

    SHA256

    018e46e1ede9036708771d04db37ad5788578094d75e9d20da7fbda96ef6176d

    SHA512

    cce640e6ecccc074490cf62c614368bb9b50d2689749d06dbc948c9c11bb305c835b52dcdbfc51f9c5fc3a41bf21fb212e811d64d2c03d15ecb10f4e47dffd3f

  • \Windows\SysWOW64\iphlpapi.dll

    Filesize

    101KB

    MD5

    8a457ae1a127147b55ee91e0034100f0

    SHA1

    6bbbc53d47a0d21b89d889c43ae77ba75fbec6f1

    SHA256

    ff57070180ee742bb35de9b50383600ace5324c2f9a5ff618a2aa980802e1d7c

    SHA512

    51579009ee15ad3ac8c0abfaa0351099fe4d543c179c9173b14ffe0d5b8d508ee70aab7e95b0c1ccc3529656751ff408e1a79f4be0542d20f73873aae686bb07

  • memory/2348-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2348-37-0x00000000003D0000-0x00000000003FA000-memory.dmp

    Filesize

    168KB

  • memory/2348-34-0x0000000074C30000-0x0000000074C67000-memory.dmp

    Filesize

    220KB

  • memory/2348-38-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/2348-39-0x0000000074C30000-0x0000000074C67000-memory.dmp

    Filesize

    220KB

  • memory/2348-40-0x00000000003D0000-0x00000000003FA000-memory.dmp

    Filesize

    168KB

  • memory/2348-50-0x00000000003D0000-0x00000000003FA000-memory.dmp

    Filesize

    168KB

  • memory/2348-49-0x0000000074C30000-0x0000000074C67000-memory.dmp

    Filesize

    220KB

  • memory/2348-48-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB