Malware Analysis Report

2024-12-07 14:58

Sample ID 241003-j39ehsxapd
Target 0ebb288db2f114e161179e2681df5366_JaffaCakes118
SHA256 6624840d8d9ee3cc7a6b803236c3b91af9b6b479f39183d40dc76849885a4314
Tags
discovery exploit
score
8/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

score
8/10

SHA256

6624840d8d9ee3cc7a6b803236c3b91af9b6b479f39183d40dc76849885a4314

Threat Level: Likely malicious

The file 0ebb288db2f114e161179e2681df5366_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Deletes itself

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 08:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 08:12

Reported

2024-10-03 08:15

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2132 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2132 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2132 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2132 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2132 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2132 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\delf765f4f.bat

Network

N/A

Files

C:\Windows\SysWOW64\IMM32.DLL

MD5 1318930126086eabb2feb266354be694
SHA1 0407dc0f6339bf9792c8d7f955fb3ec8d66abf82
SHA256 b7d0b14060a91625c9b3d5cbd9e7cd9cc2cef61a569801782b9bf4827a14f007
SHA512 ab2789ceaedc96409a9ca75de7cf0e367a25ddc625c4b5dc8004cb668b332cfad5532562693165d41b37aacbcf9ec23394dc5a81596976405df89e5dcd6c4c92

memory/2564-12-0x00000000755E0000-0x0000000075650000-memory.dmp

C:\Windows\SysWOW64\ole.dll

MD5 766974e590fc46ed58cdcce118b7432f
SHA1 a00209e0ae4de53783dd2ba214f988ea53510e27
SHA256 75348353dc765e9c5c7d123e2d7df6f9315d29681c4989b2645b7b3a40d665d7
SHA512 4c5d13b0ba67581e19f62b48c34901e61ef0ac9757e7fb1ac2693648444947b3e6f95eb6ba7d09ce57983466f21d9891d3751b7c372c3ab31da6f559f5b0a0a8

\??\c:\delf765f4f.bat

MD5 4784b1d1c0016f1bb40fb2641d2e1e73
SHA1 d89a5c4ca089dd5c35b47af186ba6cd17241d0ad
SHA256 07ea18636c984e3148ea1a7f43cbf5f5f2f8d4fda37c3afbfbde996b8513cc2b
SHA512 3ba28ea2cb0de33792b0fdf67ea9a079e638c11c67de6f37edf1f86a184a055e41b3afb98dcd1b483ad15bf78e7cec291d3ad07ab662f077e1bd6e97062272f6

memory/2564-15-0x00000000755E0000-0x0000000075650000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 08:12

Reported

2024-10-03 08:15

Platform

win10v2004-20240802-en

Max time kernel

126s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\dele5882d7.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/2764-9-0x0000000075630000-0x0000000075655000-memory.dmp

\??\c:\dele5882d7.bat

MD5 1e84a02ec12907d4045c2193fd9df470
SHA1 58b671f1548ad8ed14b765fd10a71e8980708bff
SHA256 4377d9284f1be93bfbd8ab1ca15bdfbdabcb2eb6430484c66fb19da434217ddb
SHA512 5593ab8371685451033893fe81d22a5fddf1f95d446294eed049023313eb32cb7c3dba357f55b6ae249f90c25a02e7cd86a6685d0175e74cadb084948e33e3bc