05c86d9d831edc73a13c83ad3b0d987084332eb2f9869faa8df1c1103d1547df

General

Target

917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Size

26KB
MD5

917d85b132132423ce41b17bd7ae6c2d
SHA1

4638dfa4a8823a95e94efb44a4dd5a862adf8567
SHA256

05c86d9d831edc73a13c83ad3b0d987084332eb2f9869faa8df1c1103d1547df
SHA512

455b4c65a699f7f255a1b018fc2d44d9dcfd93224f628b2a9c4d5eb1c8f2223cf55d2236b0c4b748c6f0718985591f91ee4d3d7d3a42cdc0e7d07c20eb35e0ef
SSDEEP

384:VW8NWg2+2vDEo8R5v6Xbntgmfjf74TiM6p9WtWw1NVNc8uSvTJMzloRY4ONED9s+:172x82Hsi9uRJN9uQTJMzXdtzg

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1992	takeown.exe
3576	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1992	takeown.exe
3576	icacls.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ole.dll	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\imm32.dll	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4908	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeTakeOwnershipPrivilege	1992	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4908	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	83
PID 4888 wrote to memory of 4908	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	83
PID 4888 wrote to memory of 4908	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	83
PID 4888 wrote to memory of 1992	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	89
PID 4888 wrote to memory of 1992	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	89
PID 4888 wrote to memory of 1992	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	89
PID 4888 wrote to memory of 3576	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	94
PID 4888 wrote to memory of 3576	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	94
PID 4888 wrote to memory of 3576	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	94
PID 4888 wrote to memory of 1284	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	98
PID 4888 wrote to memory of 1284	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	98
PID 4888 wrote to memory of 1284	4888	917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\917d85b132132423ce41b17bd7ae6c2d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM NVCAgent.npc
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\SysWOW64\takeown.exe
  takeown /F C:\Windows\system32\imm32.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\icacls.exe
  icacls C:\Windows\system32\imm32.dll /grant administrators:f
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\clr_e582045.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sdfsd6786fd~.tmp

Filesize
143KB

MD5
bad840f767e5e2bb14e995ba69533787

SHA1
98869b4f8a3908359252b477deef6c9d0a4025d8

SHA256
1ed820ee063427fbb6e52fa6ecf3552961e0f0d19bb3b23c55f62e0d56f1621f

SHA512
38fb3f7e83c9f5a732de9a7e19936df22abcd359e220f81a11efee9d6fcb381459cb9a3fe3654f17c56d1f6d06f2d7874d4d6ae288f0ac3125ddb131a4b4390b

Download Submit
\??\c:\clr_e582045.bat

Filesize
238B

MD5
0fbc781a4aaeac3ec41b7de543d7ac89

SHA1
c126830a57551d7ce9f02076da4b3486bca01a6c

SHA256
b0745f8a95085bf020a955f9e9c087f45a4b24d55995e79a927798598cbdce30

SHA512
6661bbbe8a52d674bcc5eb7794d0c5b87f847f187b4e6c9ab518e56a210e5348ac44b30b981dcbfe3bb9154d43e77ed8af754f34f225fe78b90845ad5ccca4c7

Download Submit
memory/4888-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4888-1-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4888-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4888-7-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4888-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4888-13-0x0000000077430000-0x0000000077455000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing