Analysis Overview
SHA256
e0b750bcd8b26253b569a327be4a66b14866957877c5c6584def46d3c363c03b
Threat Level: Likely malicious
The file 2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Loads dropped DLL
Deletes itself
Modifies file permissions
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-09 08:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-09 08:50
Reported
2024-10-09 20:56
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM NVCAgent.npc
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\clr_f76a9f5.bat
Network
Files
memory/2648-8-0x0000000074B80000-0x0000000074BE0000-memory.dmp
C:\Windows\SysWOW64\IMM32.DLL
| MD5 | 7b74137f4cf5ec53d19e649d3ccf98bb |
| SHA1 | 13994de0d5bc9cc740ab97a57f36f11e49fd8985 |
| SHA256 | 09d4d49d987a79495c68022aaa0fb10df9fb84c704e85e2575bf8ab1803119c0 |
| SHA512 | 426599d2bae98ae05b34de46484440fd587507b01612cbbc6fc87210098dd353c30ed1d31c84cab164d486e4af9431c3b4c80d699165098a490cbc6403793506 |
C:\Windows\SysWOW64\ole.dll
| MD5 | e909af0658d1f31c9a66ed514289d478 |
| SHA1 | cd5fc6da70b21fdb3c79c056440b4df849f5b402 |
| SHA256 | 2614f071cce9f963463a04df6eeb4654b52a62d11d3761289646a083919433e8 |
| SHA512 | 3d5b2ed200bece8f106f0fb21c02bd92c5cfcfca64d97f65c66da92a1035a6528bf9d6b82ba9d5e20b6592e0eaba6a36c783b8ad4e54a4f77226f040f70470d6 |
memory/1952-13-0x0000000074690000-0x0000000074700000-memory.dmp
\??\c:\clr_f76a9f5.bat
| MD5 | 93a13810462ae8f7ca43024fbbbb9c1e |
| SHA1 | f676c443f15a9831645de441aee6ea7e2ec1c237 |
| SHA256 | 45215292b00d97a63dcf3f5c96737475d46958bfd07c03b49101b9fb3748d5a7 |
| SHA512 | 6691e7d9f82b4bb067ef236d75b7653fffe9705443ae10dfac9b345acbdfd81579653a40d710ff5a5e0a87b1feb0098ca337456a6e3c216c58537e6db92091e2 |
memory/1952-15-0x0000000074690000-0x0000000074700000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-09 08:50
Reported
2024-10-09 20:56
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
151s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM NVCAgent.npc
C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\clr_e57e781.bat
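Both detonations (behavioral1 above and behavioral2 here) run the same four-step chain from the sample process: kill NVCAgent.npc, take ownership of imm32.dll, grant Administrators full control over it, then run a batch file from the drive root that the "Deletes itself" signature attributes to cmd.exe. Two points worth keeping in mind when turning this into a detection. First, takeown and icacls do not gain anything the caller lacks: the AdjustPrivilegeToken rows show takeown enabling SeTakeOwnershipPrivilege, which only Administrators hold, so the sandbox's "privilege escalation" label describes tampering with a protected system DLL rather than a privilege gain. Second, the sample is 32-bit (all its children run from SysWOW64), so its argument C:\Windows\system32\imm32.dll is redirected by WOW64 to C:\Windows\SysWOW64\imm32.dll, which is exactly where the "Drops file in System32 directory" rows show the write landing. The following detector is an added example, not part of the sandbox report or its tooling; the event shapes are reduced Sysmon-style records and the PIDs are constructed to mirror the process lists above. The role of NVCAgent.npc is not established by the report and is only carried as context.

```python
"""Detect the taskkill -> takeown -> icacls -> System32 DLL overwrite chain.

Added example, not part of the sandbox report. Event shapes follow reduced
Sysmon EID 1 (process create) and EID 11 (file create) records; PIDs are
constructed to mirror the behavioral1 process list above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Both directories matter: a 32-bit process naming C:\Windows\system32 is
# redirected by WOW64 to C:\Windows\SysWOW64, which is where the sandbox
# logged the imm32.dll write.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITE_RIGHTS = {"f", "m", "w"}  # icacls simple rights that permit overwriting


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str      # process that created the file
    target: str     # path written


TAKEOWN_RE = re.compile(r'^(?:.*\\)?takeown(?:\.exe)?\s+.*?/f\s+("[^"]+"|\S+)', re.I)
ICACLS_RE = re.compile(r'^(?:.*\\)?icacls(?:\.exe)?\s+("[^"]+"|\S+)\s+.*?/grant(?::r)?\s+[^:\s]+:(\S+)', re.I)
TASKKILL_RE = re.compile(r'^(?:.*\\)?taskkill(?:\.exe)?\s+.*?/im\s+(\S+)', re.I)
CMD_BAT_RE = re.compile(r'^(?:.*\\)?cmd(?:\.exe)?\s+/c\s+(\S+\.bat)\b', re.I)


def normalize_system_path(path, image):
    """Lower-case a path and apply WOW64 redirection when the caller is 32-bit."""
    p = path.strip('"').lower()
    if "\\syswow64\\" in image.lower() and p.startswith(SYSTEM_DIRS[0]):
        p = SYSTEM_DIRS[1] + p[len(SYSTEM_DIRS[0]):]
    return p


def is_system_path(path):
    return path.startswith(SYSTEM_DIRS)


def detect_system_file_takeover(procs, files):
    """One alert per (parent, system file) where takeown and a write-capable
    icacls grant target the same file. Context records the kill-first and
    batch-cleanup steps and whether the parent itself rewrote the file."""
    per_parent = defaultdict(lambda: {"takeown": {}, "icacls": {}, "taskkill": [], "bat": []})
    for e in procs:
        ctx = per_parent[e.ppid]
        m = TAKEOWN_RE.match(e.cmdline)
        if m:
            ctx["takeown"][normalize_system_path(m.group(1), e.image)] = e.cmdline
            continue
        m = ICACLS_RE.match(e.cmdline)
        if m:
            # "administrators:f" and "(OI)(CI)F" both reduce to a set of letters
            if set(re.findall(r"[a-z]+", m.group(2).lower())) & WRITE_RIGHTS:
                ctx["icacls"][normalize_system_path(m.group(1), e.image)] = e.cmdline
            continue
        m = TASKKILL_RE.match(e.cmdline)
        if m:
            ctx["taskkill"].append(m.group(1))
            continue
        m = CMD_BAT_RE.match(e.cmdline)
        if m:
            ctx["bat"].append(m.group(1).lower())
    writes = {(f.pid, normalize_system_path(f.target, f.image)) for f in files}
    alerts = []
    for ppid, ctx in per_parent.items():
        for path, takeown_cl in ctx["takeown"].items():
            if not is_system_path(path) or path not in ctx["icacls"]:
                continue
            alerts.append({
                "parent_pid": ppid,
                "path": path,
                "takeown": takeown_cl,
                "icacls": ctx["icacls"][path],
                "killed_first": list(ctx["taskkill"]),
                "cleanup_bat": list(ctx["bat"]),
                "file_rewritten_by_parent": (ppid, path) in writes,
            })
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e30c5a62bf04bf1a925e0453bd5ee28_JaffaCakes118.exe"
# Constructed events mirroring the behavioral1 process list; PIDs are made up.
CONSTRUCTED_PROCS = [
    ProcEvent(2648, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2700, 2648, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM NVCAgent.npc"),
    ProcEvent(2712, 2648, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /F C:\Windows\system32\imm32.dll"),
    ProcEvent(2724, 2648, r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\Windows\system32\imm32.dll /grant administrators:f"),
    ProcEvent(1952, 2648, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c c:\clr_f76a9f5.bat"),
    # Legitimate admin taking ownership of a user file: must not alert.
    ProcEvent(3000, 2900, r"C:\Windows\System32\takeown.exe", r"takeown /F C:\Users\Admin\Documents\notes.txt"),
]
CONSTRUCTED_FILES = [
    FileEvent(2648, SAMPLE, r"C:\Windows\SysWOW64\imm32.dll"),
    FileEvent(2648, SAMPLE, r"C:\Windows\SysWOW64\ole.dll"),
]

if __name__ == "__main__":
    for alert in detect_system_file_takeover(CONSTRUCTED_PROCS, CONSTRUCTED_FILES):
        print(alert)
```

Keying on the parent PID rather than on individual commands is what separates this chain from routine administration: a lone takeown on a user file (the last constructed event) produces nothing, while takeown plus a write-capable icacls grant on the same System32 or SysWOW64 file from one parent does, and the file-create correlation shows whether that parent went on to replace the DLL as the sample did here.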
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_wewer74353f.tmp
| MD5 | 2135343ed0617460b696d1bbc1bbb8ad |
| SHA1 | 3da90751f27aded525d9c527c707aa8aa5e6c8ed |
| SHA256 | bee18cca7951cbd2ccc458ee3db447460bd1660dc3ec691614c918c2bf21251f |
| SHA512 | f0dc004c29a0f0e939aa08b36fb3403ffdcefdd308070a61a7699f34cf957ac6785a20d42f3ab6e7874ea294442d49a791272738c2974a13b28bf44a312cdf0a |
memory/1344-9-0x00000000764B0000-0x00000000764D5000-memory.dmp
\??\c:\clr_e57e781.bat
| MD5 | 7bba035300bf891e824f48e831770f2c |
| SHA1 | 5d72c2894506ecd38c7dc96f609e08f281708c4a |
| SHA256 | 353926b7a8f6a296a596e36c751bf5ba8f18b51ed9af4901159bc41c043493f9 |
| SHA512 | 91ae4291c6b9fc024894c4c3e2d1cddf7e732f2a3f1c42c37863408d97433fd622969210fc2d1be4a950d75d70862f6b683fa3f20d03c96cb4c7da188bd88932 |