05c86d9d831edc73a13c83ad3b0d987084332eb2f9869faa8df1c1103d1547df

General

Target

917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Size

26KB
MD5

917d85b132132423ce41b17bd7ae6c2d
SHA1

4638dfa4a8823a95e94efb44a4dd5a862adf8567
SHA256

05c86d9d831edc73a13c83ad3b0d987084332eb2f9869faa8df1c1103d1547df
SHA512

455b4c65a699f7f255a1b018fc2d44d9dcfd93224f628b2a9c4d5eb1c8f2223cf55d2236b0c4b748c6f0718985591f91ee4d3d7d3a42cdc0e7d07c20eb35e0ef
SSDEEP

384:VW8NWg2+2vDEo8R5v6Xbntgmfjf74TiM6p9WtWw1NVNc8uSvTJMzloRY4ONED9s+:172x82Hsi9uRJN9uQTJMzXdtzg

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
488	takeown.exe
2624	icacls.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	cmd.exe
2976	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
488	takeown.exe
2624	icacls.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ole.dll	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2532	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeTakeOwnershipPrivilege	488	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2532	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2532	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2532	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2532	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 488	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	34
PID 2236 wrote to memory of 488	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	34
PID 2236 wrote to memory of 488	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	34
PID 2236 wrote to memory of 488	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	34
PID 2236 wrote to memory of 2624	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	36
PID 2236 wrote to memory of 2624	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	36
PID 2236 wrote to memory of 2624	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	36
PID 2236 wrote to memory of 2624	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	36
PID 2236 wrote to memory of 2976	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	38
PID 2236 wrote to memory of 2976	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	38
PID 2236 wrote to memory of 2976	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	38
PID 2236 wrote to memory of 2976	2236	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM NVCAgent.npc
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\takeown.exe
  takeown /F C:\Windows\system32\imm32.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:488
- C:\Windows\SysWOW64\icacls.exe
  icacls C:\Windows\system32\imm32.dll /grant administrators:f
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\clr_f76ec90.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IMM32.DLL

Filesize
121KB

MD5
98eae8371d2195aea720777a71d1b793

SHA1
68f01d061eda22a466450a62690bb564d4710573

SHA256
d6b10755f96fa9c809e124a64aa2b75149fe60a1bb2525aef3645dc784513159

SHA512
707f3c3b7c0428985807872dabf1d51f0471e65a1cb7d1cccc1dac0f9e9410b21467d69ad5762c5f4799b6a3815a183b9b061a39ac06e85eb6a29797de5b97d2

Download Submit
\??\c:\clr_f76ec90.bat

Filesize
238B

MD5
5bc1358ec445958e6a96461fff725321

SHA1
0ead47a8cca96b3cdb4e014aa72ffec23cf472fe

SHA256
c241049b473e9df2d0a5aabe6decf06069ba4420377e2edbc369c0ee5a8453d3

SHA512
b887e9c20b2a59487bf485588c5706b83e29953dacb04905f4c78b6a7cba2cdf139eb3c07adf3254b5b519d562ad1fa2b39a2dd28fee66caee362b2f971c665b

Download Submit
\Windows\SysWOW64\ole.dll

Filesize
52KB

MD5
6cf8687ef20ad50a7a75b41431e0f696

SHA1
95849d8c1f0dc5440059504456a4a3954afe479e

SHA256
2f94b07f030e52e9a5bf9babcd315338d734509708428462a7c886951dccc845

SHA512
2bf78fe4ad76b911965162364954cb7c884acc4f7fdc4953b1221015d9a9b600e18b86cfa3717a2411dcf82bcebb10f20c35a6e3b28413ff64ebadc40ea8f3a4

Download Submit
memory/2236-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2236-1-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2236-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2976-17-0x0000000075150000-0x00000000751C0000-memory.dmp

Filesize
448KB

Download
memory/2976-19-0x0000000075150000-0x00000000751C0000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing