Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2024 01:14

General

  • Target

    9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe

  • Size

    51KB

  • MD5

    9109c6b1d5530a955abc65678c5aa2f4

  • SHA1

    5ff252acbc9603194b0c73444d83260f61cc5ae8

  • SHA256

    113c36cccdb69a23e50d48c308608448ec2f909e2e49744625fddce58fea8455

  • SHA512

    55ed35af669ebfc1dfa28573221f3338236eba2611c2aebb4816d96e3a23ecd511b54109487d7ab663ce44b84c414344b319a21cde9ab7d3ee3a4bbc7d5a862f

  • SSDEEP

    768:YYewFR1mZxx7042dsW4wZ5q4ArZBhiBoiqniGNrCpybtmMtVazN4l:Yjwr1ir92kwZg4SZBhiHhl0azM

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\iphlpapi.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\rasapi32.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\rasapi32.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2436
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\mshtml.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\mshtml.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\system32\dsound.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\system32\dsound.dll /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat

    Filesize

    210B

    MD5

    c6634e908ea33c8306bcdcea7034facf

    SHA1

    3faa0ca440109cba0977d7cce6cfff170dd3e946

    SHA256

    cad7af9ff1c5b00db307eaa957449524ef7e6ab38cfb243561e517ac940f10f8

    SHA512

    93705fd052aa5fe411ca2733266a973283c9964195b511d3eaa76b0c9f52547abd40e557c4bb381ce96a2a4a74790799beb05760d2cf853a8790c1a79782032b

  • C:\Users\Admin\AppData\Local\Temp\iphlpapi.dll.temp

    Filesize

    192KB

    MD5

    c8dd51d765fb1b6a572e7d4848fcc011

    SHA1

    a78715ddbcbca8c15730ae3eda616239bdb68cea

    SHA256

    0956d05eaa85faeeea5a5a037d3de97cc313c3cdea8e70ff407c4eb6e575c671

    SHA512

    f25dbb5519f48efa0fee96bfd74bb8b3f3cd955d3bb5578c4ca0249e84b1709475eadeffbbe416f3036ec7a6da2d00aad7cb203a3a959578c0e6c73b125039f9

  • C:\Users\Admin\AppData\Local\Temp\rasapi32.dll.temp

    Filesize

    887KB

    MD5

    14776d9955ffd7d96178356c7710af0d

    SHA1

    e9fb9c5921751bd5ef0783fda029af1c230544f8

    SHA256

    29c559ae21dcab26ec9e5b1e488eed0cc81bf89b9f1dc6e839ec2ffb49c8ac98

    SHA512

    cf78617f8edbdaf7dcc6474b2f7efefe4b44d29571402203b1c51c65611da5b4ab48dbe00fcdabbfb9269efa0ada62fcf88e854617e4941af8bf9f9c3d1b5bc8

  • C:\Windows\SysWOW64\smvmbo.ltk

    Filesize

    35KB

    MD5

    992b98094551a2a35b2dda0c8119a23d

    SHA1

    245ec3e2cc043ac7e1d572eaac6e105658ba1890

    SHA256

    b85e1d8cac5023be9e495f1e10945f6970989c863dc6f3bf93378da9fdee18dd

    SHA512

    9bcc68d6f72430cf0bb83d070709fb317b7c15b5068e59a24fbd02dc0364a2b847632bf55c9bb0104b5d5f61f0c7f4905b08b77c9c57c15ad83e43876dfbb80b

  • memory/4604-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4604-41-0x0000000002220000-0x000000000224A000-memory.dmp

    Filesize

    168KB

  • memory/4604-40-0x0000000074340000-0x00000000743A2000-memory.dmp

    Filesize

    392KB

  • memory/4604-42-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4604-46-0x0000000074340000-0x00000000743A2000-memory.dmp

    Filesize

    392KB

  • memory/4604-47-0x0000000002220000-0x000000000224A000-memory.dmp

    Filesize

    168KB

  • memory/4604-45-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB