Analysis Overview
SHA256
05ac0ee5867ec0340d8903dbb8690eaf6bdada1013af3535380070ce360afe39
Threat Level: Likely malicious
The file 23f616989438536e3e0af5262dfcebdf_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Loads dropped DLL
Modifies file permissions
Deletes itself
Drops file in System32 directory
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 19:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 19:05
Reported
2024-10-08 23:54
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dele57afd7.bat
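The process chain above is the same in the behavioral1 and behavioral2 runs apart from the batch file name: the sample launches takeown and icacls against C:\Windows\system32\imm32.dll (the sample and both tools are 32-bit SysWOW64 images, so WOW64 file-system redirection sends those writes to C:\Windows\SysWOW64, which is where the "Drops file in System32 directory" rows show imm32.dll, imm32.dll.log and ole.dll landing), then hands a c:\del<hex>.bat script to cmd.exe, which the behavioral1 run flags as "Deletes itself". The following detection logic is an added example, not part of the sandbox report: it runs over process-creation events constructed from the Processes sections of both runs (the page records no PIDs, so the parent/child links and the benign control event are assumptions), and the c:\del[0-9a-f]{7}.bat pattern is generalised from the two batch names the page shows.

```python
"""Detect the takeown -> icacls -> self-delete chain from process-creation events.

Added example; the events are constructed from this report's Processes
sections, not captured from the sandbox. Parent images are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Self-delete launchers observed on this page: c:\dele57afd7.bat and
# c:\delf76d920.bat. The fixed 7-hex-digit form is an assumption drawn from them.
SELF_DELETE_BAT = re.compile(r"(?i)\bc:\\del[0-9a-f]{7}\.bat\b")
# Unquoted paths only (\S+); quoted paths with spaces would need a quote-aware parser.
TAKEOWN_TARGET = re.compile(r"(?i)\btakeown(?:\.exe)?\s+/f\s+(\S+)")
ICACLS_GRANT = re.compile(r"(?i)\bicacls(?:\.exe)?\s+(\S+)\s+/grant\s+(\S+)")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688 shaped)."""
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    process: str
    target: str


def normalize(path: str) -> str:
    """Lower-case, drop quotes, and fold SysWOW64 into system32 so the 32-bit
    redirected copy and the native copy of a DLL count as the same target."""
    p = path.strip('"').lower()
    return p.replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def is_protected(path: str) -> bool:
    return normalize(path).startswith("c:\\windows\\system32\\")


def is_user_profile_parent(parent_image: str) -> bool:
    """A parent under C:\\Users (Temp, Downloads, ...) rather than a servicing
    component or an operator's console is the suspicious case."""
    return normalize(parent_image).startswith("c:\\users\\")


def evaluate(events: list[ProcEvent]) -> list[Finding]:
    findings: list[Finding] = []
    owned: dict[str, set[str]] = {}  # parent image -> system files it took ownership of

    for ev in events:
        img = normalize(ev.image)
        cmd = ev.command_line

        if img.endswith("\\takeown.exe"):
            m = TAKEOWN_TARGET.search(cmd)
            if m and is_protected(m.group(1)) and is_user_profile_parent(ev.parent_image):
                target = normalize(m.group(1))
                findings.append(Finding("takeown_system_file_from_user_parent", ev.image, target))
                owned.setdefault(normalize(ev.parent_image), set()).add(target)

        elif img.endswith("\\icacls.exe"):
            m = ICACLS_GRANT.search(cmd)
            if m and is_protected(m.group(1)) and m.group(2).lower().endswith(":f"):
                target = normalize(m.group(1))
                findings.append(Finding("icacls_full_control_on_system_file", ev.image, target))
                # Same parent already took ownership of the same file: the setup
                # needed to overwrite a system DLL, as with imm32.dll here.
                if target in owned.get(normalize(ev.parent_image), set()):
                    findings.append(Finding("system_dll_replacement_chain", ev.parent_image, target))

        elif img.endswith("\\cmd.exe"):
            m = SELF_DELETE_BAT.search(cmd)
            if m and "/c" in cmd.lower():
                findings.append(Finding("self_delete_batch", ev.image, m.group(0).lower()))

    return findings


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"

# Constructed from the report's Processes section; parent links are assumed.
CONSTRUCTED_EVENTS = [
    ProcEvent("C:\\Windows\\SysWOW64\\takeown.exe",
              "takeown /F C:\\Windows\\system32\\imm32.dll", SAMPLE),
    ProcEvent("C:\\Windows\\SysWOW64\\icacls.exe",
              "icacls C:\\Windows\\system32\\imm32.dll /grant administrators:f", SAMPLE),
    ProcEvent("C:\\Windows\\SysWOW64\\cmd.exe",
              "C:\\Windows\\system32\\cmd.exe /c c:\\dele57afd7.bat", SAMPLE),
    # Benign control (assumed): an operator repairing the same file from an
    # elevated console. Same command, non-user-profile parent, so not flagged.
    ProcEvent("C:\\Windows\\System32\\takeown.exe",
              "takeown /F C:\\Windows\\System32\\imm32.dll", "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for f in evaluate(CONSTRUCTED_EVENTS):
        print(f"{f.rule:40} {f.process} -> {f.target}")
```

The parent filter is what keeps this from firing on routine administration: the last constructed event runs the identical takeown command from a console and produces nothing, while the three events attributed to the sample yield the ownership, ACL, chain and self-delete findings in order. On a live host the equivalent follow-up is to compare the owner and signature of C:\Windows\SysWOW64\imm32.dll against the native copy, since the report shows the 32-bit one being replaced and the original kept alongside as imm32.dll.log. Note also that the Network table below lists only PTR queries to 8.8.8.8 with no originating process, so nothing on this page ties that traffic to the sample.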
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/2228-0-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2228-10-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2228-11-0x00000000771A0000-0x00000000771C5000-memory.dmp
\??\c:\dele57afd7.bat
| MD5 | b9084debc76d158d40f3880b86b9de42 |
| SHA1 | 5b84257902abd0042c3a88ddfd30d45b73890f4a |
| SHA256 | 0578f1705ed6761eb6a2728f09e1909c9c14d420b807661066969875c7d89313 |
| SHA512 | 2b3c9517885f2aa07f6dfe2906d2740047746715d42fcf098c702f75dca371877dddb02eada03b299a16b6e337384e8c63d5442659dab95efb5830aae077e1ec |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 19:05
Reported
2024-10-08 23:53
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23f616989438536e3e0af5262dfcebdf_JaffaCakes118.exe"
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\delf76d920.bat
Network
Files
memory/1312-0-0x0000000000400000-0x0000000000417000-memory.dmp
memory/1312-9-0x0000000000400000-0x0000000000417000-memory.dmp
\Windows\SysWOW64\imm32.dll
| MD5 | 90531a950d8566b22b9a076ea244a632 |
| SHA1 | 6a3f94c77d8ee43f0a9627022fe2e627de1b7e65 |
| SHA256 | d5094d116ba0155c9a146a64d7cd8e345baa833887a5c75cf3183bc0ab67fc50 |
| SHA512 | f8f8a944236e5ea53bd76a048adeac7811f4c6158c20b3fffe70286dca1936cf27ed4817054d9ce339461fb82afdb5a63a7ee7ec957e223db5460b2ad550054c |
memory/2172-14-0x00000000746F0000-0x0000000074760000-memory.dmp
C:\Windows\SysWOW64\ole.dll
| MD5 | 62e1a9b48424692a2cde9eece85312a4 |
| SHA1 | 5d8ee563ca9d8992cf0e42cc2f3e43ac8ea9efac |
| SHA256 | 6d264e5f8e56ac750aaed3f6b0822f7234d001603ec3811061a018feba48b5f4 |
| SHA512 | b30168a796851e6c88768c06f589c7683a174717838e6428bf60ff6451fb555c904f28a3e02463ca92b6f0f9a161e439c0807535ba59cddb69d6e1b985635fc0 |
\??\c:\delf76d920.bat
| MD5 | 5f3bf1aac8a0bd9b11786a8d13c56637 |
| SHA1 | 67dbe165d7b319072122fb84b50874c481e937c6 |
| SHA256 | 5d8da6dc5f374d0171bb2edd338e516d9688dc45670283dd8f838de1510b3687 |
| SHA512 | 80ea239dd5772b2ac2bb2b69103030e358987907e1741c7629edecfcf3c6d6d3d251377834ef32b566415163cabcf402d483235e38f60506cd6576692ce212c4 |
memory/2172-17-0x00000000746F0000-0x0000000074760000-memory.dmp