Analysis Overview
SHA256
6624840d8d9ee3cc7a6b803236c3b91af9b6b479f39183d40dc76849885a4314
Threat Level: Likely malicious
The file 0ebb288db2f114e161179e2681df5366_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Deletes itself
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 08:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 08:12
Reported
2024-10-03 08:15
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\delf765f4f.bat
Network
Files
C:\Windows\SysWOW64\IMM32.DLL
| Hash | Value |
| --- | --- |
| MD5 | 1318930126086eabb2feb266354be694 |
| SHA1 | 0407dc0f6339bf9792c8d7f955fb3ec8d66abf82 |
| SHA256 | b7d0b14060a91625c9b3d5cbd9e7cd9cc2cef61a569801782b9bf4827a14f007 |
| SHA512 | ab2789ceaedc96409a9ca75de7cf0e367a25ddc625c4b5dc8004cb668b332cfad5532562693165d41b37aacbcf9ec23394dc5a81596976405df89e5dcd6c4c92 |
memory/2564-12-0x00000000755E0000-0x0000000075650000-memory.dmp
C:\Windows\SysWOW64\ole.dll
| Hash | Value |
| --- | --- |
| MD5 | 766974e590fc46ed58cdcce118b7432f |
| SHA1 | a00209e0ae4de53783dd2ba214f988ea53510e27 |
| SHA256 | 75348353dc765e9c5c7d123e2d7df6f9315d29681c4989b2645b7b3a40d665d7 |
| SHA512 | 4c5d13b0ba67581e19f62b48c34901e61ef0ac9757e7fb1ac2693648444947b3e6f95eb6ba7d09ce57983466f21d9891d3751b7c372c3ab31da6f559f5b0a0a8 |
\??\c:\delf765f4f.bat
| Hash | Value |
| --- | --- |
| MD5 | 4784b1d1c0016f1bb40fb2641d2e1e73 |
| SHA1 | d89a5c4ca089dd5c35b47af186ba6cd17241d0ad |
| SHA256 | 07ea18636c984e3148ea1a7f43cbf5f5f2f8d4fda37c3afbfbde996b8513cc2b |
| SHA512 | 3ba28ea2cb0de33792b0fdf67ea9a079e638c11c67de6f37edf1f86a184a055e41b3afb98dcd1b483ad15bf78e7cec291d3ad07ab662f077e1bd6e97062272f6 |
memory/2564-15-0x00000000755E0000-0x0000000075650000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 08:12
Reported
2024-10-03 08:15
Platform
win10v2004-20240802-en
Max time kernel
126s
Max time network
128s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ebb288db2f114e161179e2681df5366_JaffaCakes118.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dele5882d7.bat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2764-9-0x0000000075630000-0x0000000075655000-memory.dmp
\??\c:\dele5882d7.bat
| Hash | Value |
| --- | --- |
| MD5 | 1e84a02ec12907d4045c2193fd9df470 |
| SHA1 | 58b671f1548ad8ed14b765fd10a71e8980708bff |
| SHA256 | 4377d9284f1be93bfbd8ab1ca15bdfbdabcb2eb6430484c66fb19da434217ddb |
| SHA512 | 5593ab8371685451033893fe81d22a5fddf1f95d446294eed049023313eb32cb7c3dba357f55b6ae249f90c25a02e7cd86a6685d0175e74cadb084948e33e3bc |