Malware Analysis Report

2024-12-07 14:35

Sample ID 241009-krqcyavepb
Target 2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118
SHA256 e0b750bcd8b26253b569a327be4a66b14866957877c5c6584def46d3c363c03b
Tags
discovery exploit
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Loads dropped DLL

Deletes itself

Modifies file permissions

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-10-09 08:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 08:50

Reported

2024-10-09 20:56

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt (tag: exploit)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies file permissions (tag: discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A

Kills process with taskkill (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2648 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2648 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2648 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2648 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2648 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2648 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2648 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2648 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 2648 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 2648 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM NVCAgent.npc

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\clr_f76a9f5.bat

Network

N/A

Files

memory/2648-8-0x0000000074B80000-0x0000000074BE0000-memory.dmp

C:\Windows\SysWOW64\IMM32.DLL

MD5 7b74137f4cf5ec53d19e649d3ccf98bb
SHA1 13994de0d5bc9cc740ab97a57f36f11e49fd8985
SHA256 09d4d49d987a79495c68022aaa0fb10df9fb84c704e85e2575bf8ab1803119c0
SHA512 426599d2bae98ae05b34de46484440fd587507b01612cbbc6fc87210098dd353c30ed1d31c84cab164d486e4af9431c3b4c80d699165098a490cbc6403793506

C:\Windows\SysWOW64\ole.dll

MD5 e909af0658d1f31c9a66ed514289d478
SHA1 cd5fc6da70b21fdb3c79c056440b4df849f5b402
SHA256 2614f071cce9f963463a04df6eeb4654b52a62d11d3761289646a083919433e8
SHA512 3d5b2ed200bece8f106f0fb21c02bd92c5cfcfca64d97f65c66da92a1035a6528bf9d6b82ba9d5e20b6592e0eaba6a36c783b8ad4e54a4f77226f040f70470d6

memory/1952-13-0x0000000074690000-0x0000000074700000-memory.dmp

\??\c:\clr_f76a9f5.bat

MD5 93a13810462ae8f7ca43024fbbbb9c1e
SHA1 f676c443f15a9831645de441aee6ea7e2ec1c237
SHA256 45215292b00d97a63dcf3f5c96737475d46958bfd07c03b49101b9fb3748d5a7
SHA512 6691e7d9f82b4bb067ef236d75b7653fffe9705443ae10dfac9b345acbdfd81579653a40d710ff5a5e0a87b1feb0098ca337456a6e3c216c58537e6db92091e2

memory/1952-15-0x0000000074690000-0x0000000074700000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 08:50

Reported

2024-10-09 20:56

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"

Signatures

Possible privilege escalation attempt (tag: exploit)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions (tag: discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A

Kills process with taskkill (tag: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1344 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1344 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1344 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1344 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1344 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1344 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\takeown.exe
PID 1344 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1344 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1344 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\icacls.exe
PID 1344 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM NVCAgent.npc

C:\Windows\SysWOW64\takeown.exe

takeown /F C:\Windows\system32\imm32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\system32\imm32.dll /grant administrators:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\clr_e57e781.bat

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_wewer74353f.tmp

MD5 2135343ed0617460b696d1bbc1bbb8ad
SHA1 3da90751f27aded525d9c527c707aa8aa5e6c8ed
SHA256 bee18cca7951cbd2ccc458ee3db447460bd1660dc3ec691614c918c2bf21251f
SHA512 f0dc004c29a0f0e939aa08b36fb3403ffdcefdd308070a61a7699f34cf957ac6785a20d42f3ab6e7874ea294442d49a791272738c2974a13b28bf44a312cdf0a

memory/1344-9-0x00000000764B0000-0x00000000764D5000-memory.dmp

\??\c:\clr_e57e781.bat

MD5 7bba035300bf891e824f48e831770f2c
SHA1 5d72c2894506ecd38c7dc96f609e08f281708c4a
SHA256 353926b7a8f6a296a596e36c751bf5ba8f18b51ed9af4901159bc41c043493f9
SHA512 91ae4291c6b9fc024894c4c3e2d1cddf7e732f2a3f1c42c37863408d97433fd622969210fc2d1be4a950d75d70862f6b683fa3f20d03c96cb4c7da188bd88932