Analysis
-
max time kernel
47s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
-
Size
51KB
-
MD5
9109c6b1d5530a955abc65678c5aa2f4
-
SHA1
5ff252acbc9603194b0c73444d83260f61cc5ae8
-
SHA256
113c36cccdb69a23e50d48c308608448ec2f909e2e49744625fddce58fea8455
-
SHA512
55ed35af669ebfc1dfa28573221f3338236eba2611c2aebb4816d96e3a23ecd511b54109487d7ab663ce44b84c414344b319a21cde9ab7d3ee3a4bbc7d5a862f
-
SSDEEP
768:YYewFR1mZxx7042dsW4wZ5q4ArZBhiBoiqniGNrCpybtmMtVazN4l:Yjwr1ir92kwZg4SZBhiHhl0azM
Malware Config
Signatures
-
Possible privilege escalation attempt 8 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exepid process 2740 icacls.exe 2672 takeown.exe 2952 icacls.exe 2692 takeown.exe 2916 icacls.exe 1072 takeown.exe 336 icacls.exe 2744 takeown.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2900 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exepid process 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 2744 takeown.exe 2740 icacls.exe 2672 takeown.exe 2952 icacls.exe 2692 takeown.exe 2916 icacls.exe 1072 takeown.exe 336 icacls.exe -
Drops file in System32 directory 6 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\rasapi32.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\mshtml.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\dsound.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\iphlpapi.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File created C:\Windows\SysWOW64\ghiijk.llm 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ghiijk.llm 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exeicacls.exetakeown.exe9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.execmd.exetakeown.exeicacls.execmd.exeicacls.execmd.exeicacls.exetakeown.execmd.exetakeown.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exepid process 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeTakeOwnershipPrivilege 2744 takeown.exe Token: SeTakeOwnershipPrivilege 2672 takeown.exe Token: SeTakeOwnershipPrivilege 2692 takeown.exe Token: SeTakeOwnershipPrivilege 1072 takeown.exe -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2348 wrote to memory of 1632 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1632 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1632 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1632 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 1632 wrote to memory of 2744 1632 cmd.exe takeown.exe PID 1632 wrote to memory of 2744 1632 cmd.exe takeown.exe PID 1632 wrote to memory of 2744 1632 cmd.exe takeown.exe PID 1632 wrote to memory of 2744 1632 cmd.exe takeown.exe PID 1632 wrote to memory of 2740 1632 cmd.exe icacls.exe PID 1632 wrote to memory of 2740 1632 cmd.exe icacls.exe PID 1632 wrote to memory of 2740 1632 cmd.exe icacls.exe PID 1632 wrote to memory of 2740 1632 cmd.exe icacls.exe PID 2348 wrote to memory of 2944 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2944 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2944 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2944 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2944 wrote to memory of 2672 2944 cmd.exe takeown.exe PID 2944 wrote to memory of 2672 2944 cmd.exe takeown.exe PID 2944 wrote to memory of 2672 2944 cmd.exe takeown.exe PID 2944 wrote to memory of 2672 2944 cmd.exe takeown.exe PID 2944 wrote to memory of 2952 2944 cmd.exe icacls.exe PID 2944 wrote to memory of 2952 2944 cmd.exe icacls.exe PID 2944 wrote to memory of 2952 2944 cmd.exe icacls.exe PID 2944 wrote to memory of 2952 2944 cmd.exe icacls.exe PID 2348 wrote to memory of 1580 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1580 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1580 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 1580 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 1580 wrote to memory of 2692 1580 cmd.exe takeown.exe PID 1580 wrote to memory of 2692 1580 cmd.exe takeown.exe PID 1580 wrote to memory of 2692 1580 cmd.exe takeown.exe PID 1580 wrote to memory of 2692 1580 cmd.exe takeown.exe PID 1580 wrote to memory of 2916 1580 cmd.exe icacls.exe PID 1580 wrote to memory of 2916 1580 cmd.exe icacls.exe PID 1580 wrote to memory of 2916 1580 cmd.exe icacls.exe PID 1580 wrote to memory of 2916 1580 cmd.exe icacls.exe PID 2348 wrote to memory of 2700 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2700 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2700 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2700 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2700 wrote to memory of 1072 2700 cmd.exe takeown.exe PID 2700 wrote to memory of 1072 2700 cmd.exe takeown.exe PID 2700 wrote to memory of 1072 2700 cmd.exe takeown.exe PID 2700 wrote to memory of 1072 2700 cmd.exe takeown.exe PID 2700 wrote to memory of 336 2700 cmd.exe icacls.exe PID 2700 wrote to memory of 336 2700 cmd.exe icacls.exe PID 2700 wrote to memory of 336 2700 cmd.exe icacls.exe PID 2700 wrote to memory of 336 2700 cmd.exe icacls.exe PID 2348 wrote to memory of 2900 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2900 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2900 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 2348 wrote to memory of 2900 2348 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\iphlpapi.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\iphlpapi.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\rasapi32.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\rasapi32.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mshtml.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\mshtml.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\dsound.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\dsound.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:336
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2900
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210B
MD5c6634e908ea33c8306bcdcea7034facf
SHA13faa0ca440109cba0977d7cce6cfff170dd3e946
SHA256cad7af9ff1c5b00db307eaa957449524ef7e6ab38cfb243561e517ac940f10f8
SHA51293705fd052aa5fe411ca2733266a973283c9964195b511d3eaa76b0c9f52547abd40e557c4bb381ce96a2a4a74790799beb05760d2cf853a8790c1a79782032b
-
Filesize
35KB
MD54d30266e518ae3012764d1c97d0a287f
SHA17cea399143a3f43e04bd2021841228064a402527
SHA256018e46e1ede9036708771d04db37ad5788578094d75e9d20da7fbda96ef6176d
SHA512cce640e6ecccc074490cf62c614368bb9b50d2689749d06dbc948c9c11bb305c835b52dcdbfc51f9c5fc3a41bf21fb212e811d64d2c03d15ecb10f4e47dffd3f
-
Filesize
101KB
MD58a457ae1a127147b55ee91e0034100f0
SHA16bbbc53d47a0d21b89d889c43ae77ba75fbec6f1
SHA256ff57070180ee742bb35de9b50383600ace5324c2f9a5ff618a2aa980802e1d7c
SHA51251579009ee15ad3ac8c0abfaa0351099fe4d543c179c9173b14ffe0d5b8d508ee70aab7e95b0c1ccc3529656751ff408e1a79f4be0542d20f73873aae686bb07