Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 08:12
Static task
static1
Behavioral task
behavioral1
Sample
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe
-
Size
141KB
-
MD5
0ebb288db2f114e161179e2681df5366
-
SHA1
6f82dd0907b9915a89f50a6453f618eca162d803
-
SHA256
6624840d8d9ee3cc7a6b803236c3b91af9b6b479f39183d40dc76849885a4314
-
SHA512
f67aa1ca0a577fa0f3e1a26f883c21e2a8a2133e11fb9e342a4b5ae0a2482dda456fdb1af44d1009f9f70256fdaf19a5fe7d96a28094fc915182ac9c7df1239f
-
SSDEEP
3072:1Vn2EV+i5K0opbMqqJI7w7gj9vuxVKQ0+xBhuxelgB5Js:1V2KR5K7pbMqqJI7w7ge0ajchB5
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid Process 4640 takeown.exe 3672 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
icacls.exetakeown.exepid Process 3672 icacls.exe 4640 takeown.exe -
Drops file in System32 directory 4 IoCs
Processes:
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\imm32.dll.log 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe File created C:\Windows\SysWOW64\imm32.dll 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe File created C:\Windows\SysWOW64\ole.dll 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe File created C:\Windows\SysWOW64\imm32.dll.log 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
icacls.execmd.exe0ebb288db2f114e161179e2681df5366_JaffaCakes118.exetakeown.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exepid Process 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exetakeown.exedescription pid Process Token: SeDebugPrivilege 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 4640 takeown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exepid Process 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0ebb288db2f114e161179e2681df5366_JaffaCakes118.exedescription pid Process procid_target PID 2764 wrote to memory of 4640 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 89 PID 2764 wrote to memory of 4640 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 89 PID 2764 wrote to memory of 4640 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 89 PID 2764 wrote to memory of 3672 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 91 PID 2764 wrote to memory of 3672 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 91 PID 2764 wrote to memory of 3672 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 91 PID 2764 wrote to memory of 4392 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 95 PID 2764 wrote to memory of 4392 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 95 PID 2764 wrote to memory of 4392 2764 0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\system32\imm32.dll2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\imm32.dll /grant administrators:f2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\dele5882d7.bat2⤵
- System Location Discovery: System Language Discovery
PID:4392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:81⤵PID:4476
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235B
MD51e84a02ec12907d4045c2193fd9df470
SHA158b671f1548ad8ed14b765fd10a71e8980708bff
SHA2564377d9284f1be93bfbd8ab1ca15bdfbdabcb2eb6430484c66fb19da434217ddb
SHA5125593ab8371685451033893fe81d22a5fddf1f95d446294eed049023313eb32cb7c3dba357f55b6ae249f90c25a02e7cd86a6685d0175e74cadb084948e33e3bc