Malware Analysis Report

2024-12-07 14:55

Sample ID: 241008-xrl2qsyhrc
Target: 23f616989438536e3e0af5262dfcebdf_JaffaCakes118
SHA256: 05ac0ee5867ec0340d8903dbb8690eaf6bdada1013af3535380070ce360afe39
Tags: discovery exploit upx
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 05ac0ee5867ec0340d8903dbb8690eaf6bdada1013af3535380070ce360afe39

Threat Level: Likely malicious

The file 23f616989438536e3e0af5262dfcebdf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit upx

Possible privilege escalation attempt

Loads dropped DLL

Modifies file permissions

Deletes itself

Drops file in System32 directory

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-08 19:05

Signatures

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-08 19:05
Reported: 2024-10-08 23:54
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

Tag: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions

Tag: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\dele57afd7.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/2228-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2228-10-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2228-11-0x00000000771A0000-0x00000000771C5000-memory.dmp

\??\c:\dele57afd7.bat

MD5 b9084debc76d158d40f3880b86b9de42
SHA1 5b84257902abd0042c3a88ddfd30d45b73890f4a
SHA256 0578f1705ed6761eb6a2728f09e1909c9c14d420b807661066969875c7d89313
SHA512 2b3c9517885f2aa07f6dfe2906d2740047746715d42fcf098c702f75dca371877dddb02eada03b299a16b6e337384e8c63d5442659dab95efb5830aae077e1ec

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-08 19:05
Reported: 2024-10-08 23:53
Platform: win7-20240708-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt

Tag: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies file permissions

Tag: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1312 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1312 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1312 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\delf76d920.bat

Network

N/A

Files

memory/1312-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1312-9-0x0000000000400000-0x0000000000417000-memory.dmp

\Windows\SysWOW64\imm32.dll

MD5 90531a950d8566b22b9a076ea244a632
SHA1 6a3f94c77d8ee43f0a9627022fe2e627de1b7e65
SHA256 d5094d116ba0155c9a146a64d7cd8e345baa833887a5c75cf3183bc0ab67fc50
SHA512 f8f8a944236e5ea53bd76a048adeac7811f4c6158c20b3fffe70286dca1936cf27ed4817054d9ce339461fb82afdb5a63a7ee7ec957e223db5460b2ad550054c

memory/2172-14-0x00000000746F0000-0x0000000074760000-memory.dmp

C:\Windows\SysWOW64\ole.dll

MD5 62e1a9b48424692a2cde9eece85312a4
SHA1 5d8ee563ca9d8992cf0e42cc2f3e43ac8ea9efac
SHA256 6d264e5f8e56ac750aaed3f6b0822f7234d001603ec3811061a018feba48b5f4
SHA512 b30168a796851e6c88768c06f589c7683a174717838e6428bf60ff6451fb555c904f28a3e02463ca92b6f0f9a161e439c0807535ba59cddb69d6e1b985635fc0

\??\c:\delf76d920.bat

MD5 5f3bf1aac8a0bd9b11786a8d13c56637
SHA1 67dbe165d7b319072122fb84b50874c481e937c6
SHA256 5d8da6dc5f374d0171bb2edd338e516d9688dc45670283dd8f838de1510b3687
SHA512 80ea239dd5772b2ac2bb2b69103030e358987907e1741c7629edecfcf3c6d6d3d251377834ef32b566415163cabcf402d483235e38f60506cd6576692ce212c4

memory/2172-17-0x00000000746F0000-0x0000000074760000-memory.dmp