Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 07:26

Static task: static1
Behavioral task: behavioral1
- Sample: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
- Size: 3.5MB
- MD5: 0988c935717178e91e8acd06450283a2
- SHA1: 1a79ee358a1a7c36d4eef2c2c8fad16927d8390d
- SHA256: a4dfc90bf63745e6c476ccdd748cb097064b4334478a6cc08ab517f67e6cf13d
- SHA512: ac595eea9cb306644d2db40a092b76091eaf8b5b3a28ace83a63524eb16caf93e59845ff68241d18c4986611236451453a67a382e374fbd421a4b5d926ffa193
- SSDEEP: 98304:8p9FJR47Hh4AtBq2HmvcEcKrslUDwsUWhuqf:8/DIH7HyUEfrmATlTf
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 824   takeown.exe
    PID 1160  icacls.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    temp.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    temp.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2132  temp.exe
    PID 2508  bootsect.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    PID 2872  0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID 824   takeown.exe
    PID 1160  icacls.exe
- Uses the VBS compiler for execution (1 TTPs)
- YARA matches (rule: upx; the memory dumps are of PID 2132, temp.exe)
    resource                                                                     yara_rule
    behavioral1/files/0x000c00000001227e-21.dat                                  upx
    behavioral1/memory/2132-26-0x0000000000400000-0x0000000000623000-memory.dmp  upx
    behavioral1/memory/2132-97-0x0000000000400000-0x0000000000623000-memory.dmp  upx
    behavioral1/memory/2132-98-0x0000000000400000-0x0000000000623000-memory.dmp  upx
    behavioral1/memory/2132-105-0x0000000000400000-0x0000000000623000-memory.dmp upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by each of:
      cvtres.exe, takeown.exe, vbc.exe, bootsect.exe, cmd.exe (6 instances), icacls.exe, cscript.exe (2 instances), temp.exe, 0988c935717178e91e8acd06450283a2_JaffaCakes118.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    temp.exe  Key created        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    temp.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    PID 2132  temp.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    Token: 33                          PID 2132  temp.exe
    Token: SeIncBasePriorityPrivilege  PID 2132  temp.exe
    Token: 33                          PID 2132  temp.exe
    Token: SeIncBasePriorityPrivilege  PID 2132  temp.exe
    Token: SeTakeOwnershipPrivilege    PID 824   takeown.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes (each source/target pair is recorded 4 times; target process names taken from the process tree below):
    PID 2872  0988c935717178e91e8acd06450283a2_JaffaCakes118.exe  wrote to memory of  3024  vbc.exe       (procid_target 31)
    PID 2872  0988c935717178e91e8acd06450283a2_JaffaCakes118.exe  wrote to memory of  2132  temp.exe      (procid_target 33)
    PID 3024  vbc.exe                                              wrote to memory of  2608  cvtres.exe    (procid_target 34)
    PID 2132  temp.exe                                             wrote to memory of  1948  cmd.exe       (procid_target 37)
    PID 1948  cmd.exe                                              wrote to memory of  1276  cmd.exe       (procid_target 39)
    PID 1276  cmd.exe                                              wrote to memory of  824   takeown.exe   (procid_target 40)
    PID 2132  temp.exe                                             wrote to memory of  2644  cmd.exe       (procid_target 41)
    PID 2644  cmd.exe                                              wrote to memory of  1160  icacls.exe    (procid_target 43)
    PID 2132  temp.exe                                             wrote to memory of  1944  cmd.exe       (procid_target 44)
    PID 1944  cmd.exe                                              wrote to memory of  2508  bootsect.exe  (procid_target 46)
    PID 2132  temp.exe                                             wrote to memory of  1912  cmd.exe       (procid_target 47)
    PID 1912  cmd.exe                                              wrote to memory of  1624  cscript.exe   (procid_target 49)
    PID 2132  temp.exe                                             wrote to memory of  844   cmd.exe       (procid_target 51)
    PID 844   cmd.exe                                              wrote to memory of  1344  cscript.exe   (procid_target 53)
Processes
1  C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe  (PID 2872)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3024)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gazv90lv.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2608)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE965.tmp"
         - System Location Discovery: System Language Discovery

   2  C:\Users\Admin\AppData\Roaming\temp.exe  (PID 2132)
      Command line: "C:\Users\Admin\AppData\Roaming\temp.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe  (PID 1948)
         Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe  (PID 1276)
            Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\takeown.exe  (PID 824)
               Command line: takeown /f C:\ldrscan\bootwin
               - Possible privilege escalation attempt
               - Modifies file permissions
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\cmd.exe  (PID 2644)
         Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\icacls.exe  (PID 1160)
            Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
            (S-1-1-0 is the well-known SID for Everyone; (F) grants Full control.)
            - Possible privilege escalation attempt
            - Modifies file permissions
            - System Location Discovery: System Language Discovery

      3  C:\Windows\SysWOW64\cmd.exe  (PID 1944)
         Command line: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\bootsect.exe  (PID 2508)
            Command line: C:\bootsect.exe /nt60 SYS /force
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

      3  C:\Windows\SysWOW64\cmd.exe  (PID 1912)
         Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cscript.exe  (PID 1624)
            Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk
            - System Location Discovery: System Language Discovery

      3  C:\Windows\SysWOW64\cmd.exe  (PID 844)
         Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cscript.exe  (PID 1344)
            Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
            - System Location Discovery: System Language Discovery
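The process tree records four distinct actions issued by the dropped temp.exe (PID 2132), each wrapped in one or two cmd.exe layers: taking ownership of C:\ldrscan\bootwin, granting Everyone (S-1-1-0) full control over it, rewriting the system partition boot sector with bootsect /nt60 SYS /force, and uninstalling then installing a product key through slmgr.vbs. Detection that keys on cmd.exe alone either misses these or counts each once per wrapper. The following is an added example written for this page, not part of the sandbox's own signatures or tooling: it matches the tool processes themselves, then walks the parent chain past the cmd.exe wrappers so every finding is attributed to the process that issued it. The event records are constructed from the image paths and command lines shown above (ppid follows the tree nesting); the event field names, rule names, and the cmd.exe-skipping heuristic are assumptions of this example, not a real sensor schema.

```python
import re
from dataclasses import dataclass

# Added example, not part of the sandbox report. Event fields (pid, ppid,
# image, cmdline) are an assumed sensor schema; the rule names are ours.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed from the Processes section of the report: image paths and
# command lines as recorded there, ppid taken from the tree nesting.
T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SYS = r"C:\Windows\SysWOW64"
EVENTS = [
    ProcEvent(2872, 0, T + r"\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe",
              f'"{T}\\0988c935717178e91e8acd06450283a2_JaffaCakes118.exe"'),
    ProcEvent(3024, 2872, NET + r"\vbc.exe", f'"{NET}\\vbc.exe" /noconfig @"{T}\\gazv90lv.cmdline"'),
    ProcEvent(2608, 3024, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{T}\\RESE966.tmp" "{T}\\vbcE965.tmp"'),
    ProcEvent(2132, 2872, r"C:\Users\Admin\AppData\Roaming\temp.exe", r'"C:\Users\Admin\AppData\Roaming\temp.exe"'),
    ProcEvent(1948, 2132, SYS + r"\cmd.exe", r'cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"'),
    ProcEvent(1276, 1948, SYS + r"\cmd.exe", r"cmd.exe /c takeown /f C:\ldrscan\bootwin"),
    ProcEvent(824, 1276, SYS + r"\takeown.exe", r"takeown /f C:\ldrscan\bootwin"),
    ProcEvent(2644, 2132, SYS + r"\cmd.exe", r'cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"'),
    ProcEvent(1160, 2644, SYS + r"\icacls.exe", r"icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"),
    ProcEvent(1944, 2132, SYS + r"\cmd.exe", r'cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"'),
    ProcEvent(2508, 1944, r"C:\bootsect.exe", r"C:\bootsect.exe /nt60 SYS /force"),
    ProcEvent(1912, 2132, SYS + r"\cmd.exe",
              r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"'),
    ProcEvent(1624, 1912, SYS + r"\cscript.exe", r"C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"),
    ProcEvent(844, 2132, SYS + r"\cmd.exe",
              r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"'),
    ProcEvent(1344, 844, SYS + r"\cscript.exe",
              r"C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"),
]

# (finding, image basenames it applies to, pattern on the command line).
# Rules match the tool's own process, not the cmd.exe wrappers, so one
# action is counted once however many shell layers launched it.
RULES = [
    ("take_ownership", {"takeown.exe"}, re.compile(r"/f\s", re.I)),
    # S-1-1-0 is the well-known SID for Everyone; (F) grants Full control.
    ("acl_weakening_everyone", {"icacls.exe"}, re.compile(r"/grant\S*\s+\*?S-1-1-0:\(F\)", re.I)),
    ("boot_sector_rewrite", {"bootsect.exe"}, re.compile(r"/nt60\b.*/force", re.I)),
    ("product_key_tamper", {"cscript.exe", "wscript.exe"}, re.compile(r"slmgr\.vbs\s+.*-(?:upk|ipk)\b", re.I)),
    ("runtime_compile", {"vbc.exe", "csc.exe"}, re.compile(r"/noconfig\s+@", re.I)),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def issuing_process(pid, by_pid):
    """Walk up past cmd.exe wrapper layers and return the process that issued the
    command (None when the chain reaches a process whose parent is not in the set)."""
    ev = by_pid[pid]
    while ev.ppid in by_pid and basename(by_pid[ev.ppid].image) == "cmd.exe":
        ev = by_pid[ev.ppid]
    return by_pid.get(ev.ppid)


def analyse(events):
    """Return (finding, pid, issuer_pid) triples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        name = basename(e.image)
        for finding, images, pat in RULES:
            if name in images and pat.search(e.cmdline):
                issuer = issuing_process(e.pid, by_pid)
                out.append((finding, e.pid, issuer.pid if issuer else None))
    return out


def by_issuer(findings):
    """Distinct findings per issuing process; several from one issuer is the strong signal."""
    grouped = {}
    for finding, _pid, issuer in findings:
        grouped.setdefault(issuer, set()).add(finding)
    return grouped


if __name__ == "__main__":
    found = analyse(EVENTS)
    for finding, pid, issuer in found:
        print(f"{finding:24} pid={pid:<5} issued by pid={issuer}")
    for issuer, tags in by_issuer(found).items():
        print(f"pid {issuer}: {len(tags)} distinct behaviours -> {sorted(tags)}")
```

Run against the constructed events this yields six findings: the vbc.exe compile attributed to the original sample (PID 2872), and the takeown, icacls, bootsect and both slmgr.vbs actions all attributed to temp.exe (PID 2132), which is the correlation the cmd.exe wrappers in the tree obscure. Against a real process log the same skip-the-shell walk should also treat powershell.exe and wscript.exe launchers as wrappers, and the rule for icacls should fire on any /grant to S-1-1-0 or to Users/Authenticated Users on a path outside the user's profile.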
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: c7ec7c78d41236384c986863ffecf15e
  SHA1: 82eb65753fefa29c0ef0601ed3047b128f0cd40e
  SHA256: 2c0c1398ec3fd50c126051ed7ae9b47a2b2244bb9c03f1bd4ee46f35161824f8
  SHA512: bb38e9f696d9e5b08039980211373731586b4036427920c42d4e2639d19fb85300f9d4402c4fcb2c6d266df8b20886de6094d85fc82e35056f99fd2db5fdc422

- Filesize: 892KB
  MD5: f376af31deadaf2deeded400b19e6c85
  SHA1: e6b7552076f57f2712e0a1b137c0b829954f4738
  SHA256: 4c91daef9324fb4744f8a4e904bdedd0f9703c5ab758d7ed717c8f6ced8a9c0a
  SHA512: 02c152b01397f424d44f3fd4ed73e04365468ad7fd2861a796d788de7f549ab068359e66d21b632c42a8a8b02446867af67dda090582a61ab175a3969aac4aef

- Filesize: 138B
  MD5: bb406a95d4c6233a5bc504818537873a
  SHA1: b0fe8b350a01a00b634814b2b7b878ce1a7d1f6d
  SHA256: 45b38d5b25b64c5976ca2bcb6c835a44313b41e9ded4a38500feb0ce269a8dee
  SHA512: 3c40ffd0196b75ccf868dc9312d835dc49fb1bdec70c5b03a0502066abb0faa32f5a2a27c58cb5b4d9dafebc3101c121dd91993a3eb3c19e95722c9e7429fccc

- Filesize: 1.7MB
  MD5: ece057a5d2c1d62ad3450728c7219b22
  SHA1: 1ae530ba9eb0645a715362d1629b2562de7d58e3
  SHA256: cfa8762ea791e0b0f8a3c58ea9f5335ad34d83b4dbe682427e03f9eab0b34b30
  SHA512: 87e52199c023aff0917225d01115d808057f553b61a8756f29f7f35afb568c17b449da980390d6749a6db8957bf61124e3572deb18621af3331a0ee21c90edf9

- Filesize: 652B
  MD5: 3657a9ea37c4879952df6e111d56c5b1
  SHA1: 1f39680bdb12a7064a7c2bc23737a70d8ac81d31
  SHA256: e1a507cb7106b4b8fc401e8881f9b55fa425f1f4394e9073097fe551eb357a31
  SHA512: 3c6e5801c6290c79ee24f18573135e6f99ad949fc7b38c2092558eb64187c7264fc7553c8c6ee207b3c4e781d5e1cc152f70f4507c37e2e7ee938a8984272a44

- Filesize: 95KB
  MD5: 17b18a2feb3dcfe8a165af86ebc29fe7
  SHA1: bf00a8ef28200a3bbc73633b360e1484ee2874d5
  SHA256: 99c4970f1f4b9dc50a5db9ff6f3a581754a1631f0751bdec2b5e3a261f35d85a
  SHA512: 034e809a3f2a2eaa633b7c1c9bffd0ac65041bf0a3fc6ba861e281712cdcb1e063d6c29e562bdc864e1963466ebcec9e30475907bea80a67ab48111ae583e65c

- Filesize: 3.3MB
  MD5: c4d6d3633382fe25a25aa4ee12a19560
  SHA1: c6fd5d70f7609c589757fac45811dd7c1c63f93a
  SHA256: 27b4ea627778b5f75622daab8c736f4024778b69ca93f2ec940e3d44107902d6
  SHA512: 7b4d1471e2c79d9b23c6fda2d0388ffdfad174f6624625df14e86be16c345696640d43564848fdc9a4a0e228c2c70d783f936e1b11a8510ec8efb533b35b6aa7