Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 08:12

General

  • Target

    0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe

  • Size

    141KB

  • MD5

    0ebb288db2f114e161179e2681df5366

  • SHA1

    6f82dd0907b9915a89f50a6453f618eca162d803

  • SHA256

    6624840d8d9ee3cc7a6b803236c3b91af9b6b479f39183d40dc76849885a4314

  • SHA512

    f67aa1ca0a577fa0f3e1a26f883c21e2a8a2133e11fb9e342a4b5ae0a2482dda456fdb1af44d1009f9f70256fdaf19a5fe7d96a28094fc915182ac9c7df1239f

  • SSDEEP

    3072:1Vn2EV+i5K0opbMqqJI7w7gj9vuxVKQ0+xBhuxelgB5Js:1V2KR5K7pbMqqJI7w7ge0ajchB5

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\system32\imm32.dll
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4640
    • C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\system32\imm32.dll /grant administrators:f
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:3672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\dele5882d7.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4392
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
    1⤵
      PID:4476

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \??\c:\dele5882d7.bat

      Filesize

      235B

      MD5

      1e84a02ec12907d4045c2193fd9df470

      SHA1

      58b671f1548ad8ed14b765fd10a71e8980708bff

      SHA256

      4377d9284f1be93bfbd8ab1ca15bdfbdabcb2eb6430484c66fb19da434217ddb

      SHA512

      5593ab8371685451033893fe81d22a5fddf1f95d446294eed049023313eb32cb7c3dba357f55b6ae249f90c25a02e7cd86a6685d0175e74cadb084948e33e3bc

    • memory/2764-9-0x0000000075630000-0x0000000075655000-memory.dmp

      Filesize

      148KB