Analysis
-
max time kernel
140s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe
-
Size
51KB
-
MD5
9109c6b1d5530a955abc65678c5aa2f4
-
SHA1
5ff252acbc9603194b0c73444d83260f61cc5ae8
-
SHA256
113c36cccdb69a23e50d48c308608448ec2f909e2e49744625fddce58fea8455
-
SHA512
55ed35af669ebfc1dfa28573221f3338236eba2611c2aebb4816d96e3a23ecd511b54109487d7ab663ce44b84c414344b319a21cde9ab7d3ee3a4bbc7d5a862f
-
SSDEEP
768:YYewFR1mZxx7042dsW4wZ5q4ArZBhiBoiqniGNrCpybtmMtVazN4l:Yjwr1ir92kwZg4SZBhiHhl0azM
Malware Config
Signatures
-
Possible privilege escalation attempt 8 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 2856 takeown.exe 440 icacls.exe 2916 takeown.exe 2548 icacls.exe 1292 takeown.exe 2964 icacls.exe 800 takeown.exe 2436 icacls.exe -
Loads dropped DLL 3 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exepid process 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exepid process 440 icacls.exe 2916 takeown.exe 2548 icacls.exe 1292 takeown.exe 2964 icacls.exe 800 takeown.exe 2436 icacls.exe 2856 takeown.exe -
Drops file in System32 directory 6 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\iphlpapi.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File created C:\Windows\SysWOW64\smvmbo.ltk 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\smvmbo.ltk 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\rasapi32.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\mshtml.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\dsound.dll 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
takeown.execmd.execmd.exetakeown.execmd.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.execmd.exe9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.execmd.exeicacls.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exepid process 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeTakeOwnershipPrivilege 1292 takeown.exe Token: SeTakeOwnershipPrivilege 800 takeown.exe Token: SeTakeOwnershipPrivilege 2856 takeown.exe Token: SeTakeOwnershipPrivilege 2916 takeown.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4604 wrote to memory of 3368 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 3368 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 3368 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 3368 wrote to memory of 1292 3368 cmd.exe takeown.exe PID 3368 wrote to memory of 1292 3368 cmd.exe takeown.exe PID 3368 wrote to memory of 1292 3368 cmd.exe takeown.exe PID 3368 wrote to memory of 2964 3368 cmd.exe icacls.exe PID 3368 wrote to memory of 2964 3368 cmd.exe icacls.exe PID 3368 wrote to memory of 2964 3368 cmd.exe icacls.exe PID 4604 wrote to memory of 4356 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 4356 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 4356 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4356 wrote to memory of 800 4356 cmd.exe takeown.exe PID 4356 wrote to memory of 800 4356 cmd.exe takeown.exe PID 4356 wrote to memory of 800 4356 cmd.exe takeown.exe PID 4356 wrote to memory of 2436 4356 cmd.exe icacls.exe PID 4356 wrote to memory of 2436 4356 cmd.exe icacls.exe PID 4356 wrote to memory of 2436 4356 cmd.exe icacls.exe PID 4604 wrote to memory of 1036 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 1036 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 1036 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 1036 wrote to memory of 2856 1036 cmd.exe takeown.exe PID 1036 wrote to memory of 2856 1036 cmd.exe takeown.exe PID 1036 wrote to memory of 2856 1036 cmd.exe takeown.exe PID 1036 wrote to memory of 440 1036 cmd.exe icacls.exe PID 1036 wrote to memory of 440 1036 cmd.exe icacls.exe PID 1036 wrote to memory of 440 1036 cmd.exe icacls.exe PID 4604 wrote to memory of 4752 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 4752 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 4752 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4752 wrote to memory of 2916 4752 cmd.exe takeown.exe PID 4752 wrote to memory of 2916 4752 cmd.exe takeown.exe PID 4752 wrote to memory of 2916 4752 cmd.exe takeown.exe PID 4752 wrote to memory of 2548 4752 cmd.exe icacls.exe PID 4752 wrote to memory of 2548 4752 cmd.exe icacls.exe PID 4752 wrote to memory of 2548 4752 cmd.exe icacls.exe PID 4604 wrote to memory of 1180 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 1180 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe PID 4604 wrote to memory of 1180 4604 9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9109c6b1d5530a955abc65678c5aa2f4_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\iphlpapi.dll && icacls C:\Windows\system32\iphlpapi.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\iphlpapi.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\iphlpapi.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\rasapi32.dll && icacls C:\Windows\system32\rasapi32.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\rasapi32.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\rasapi32.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\mshtml.dll && icacls C:\Windows\system32\mshtml.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\mshtml.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\mshtml.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:440
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c takeown /f C:\Windows\system32\dsound.dll && icacls C:\Windows\system32\dsound.dll /grant administrators:F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\system32\dsound.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\dsound.dll /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SetDelMe.bat2⤵
- System Location Discovery: System Language Discovery
PID:1180
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210B
MD5c6634e908ea33c8306bcdcea7034facf
SHA13faa0ca440109cba0977d7cce6cfff170dd3e946
SHA256cad7af9ff1c5b00db307eaa957449524ef7e6ab38cfb243561e517ac940f10f8
SHA51293705fd052aa5fe411ca2733266a973283c9964195b511d3eaa76b0c9f52547abd40e557c4bb381ce96a2a4a74790799beb05760d2cf853a8790c1a79782032b
-
Filesize
192KB
MD5c8dd51d765fb1b6a572e7d4848fcc011
SHA1a78715ddbcbca8c15730ae3eda616239bdb68cea
SHA2560956d05eaa85faeeea5a5a037d3de97cc313c3cdea8e70ff407c4eb6e575c671
SHA512f25dbb5519f48efa0fee96bfd74bb8b3f3cd955d3bb5578c4ca0249e84b1709475eadeffbbe416f3036ec7a6da2d00aad7cb203a3a959578c0e6c73b125039f9
-
Filesize
887KB
MD514776d9955ffd7d96178356c7710af0d
SHA1e9fb9c5921751bd5ef0783fda029af1c230544f8
SHA25629c559ae21dcab26ec9e5b1e488eed0cc81bf89b9f1dc6e839ec2ffb49c8ac98
SHA512cf78617f8edbdaf7dcc6474b2f7efefe4b44d29571402203b1c51c65611da5b4ab48dbe00fcdabbfb9269efa0ada62fcf88e854617e4941af8bf9f9c3d1b5bc8
-
Filesize
35KB
MD5992b98094551a2a35b2dda0c8119a23d
SHA1245ec3e2cc043ac7e1d572eaac6e105658ba1890
SHA256b85e1d8cac5023be9e495f1e10945f6970989c863dc6f3bf93378da9fdee18dd
SHA5129bcc68d6f72430cf0bb83d070709fb317b7c15b5068e59a24fbd02dc0364a2b847632bf55c9bb0104b5d5f61f0c7f4905b08b77c9c57c15ad83e43876dfbb80b