c133ab022b0db2adbaa030e8948a8f2f3df0481cbe0a05eab6be596776cd45b2

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Size

3.1MB
MD5

b2162f4890cf8b208f88970d83bf96bf
SHA1

df20ff3f5b308487ada89898d74aff0b9ff5668a
SHA256

c133ab022b0db2adbaa030e8948a8f2f3df0481cbe0a05eab6be596776cd45b2
SHA512

300b8284407c389a4de5b7bff8e7b74fa178e14b72ed079a61219dd52ee88099d621614e5c6e35d31c064d58cde86acd1aa3610696928f169f5ec90b873a46ea
SSDEEP

49152:HXvsCauuraeHgou98u6JIBf1YBVSzgm2QBs/szL8yK96puWV355FXw/+UuWV355C:HXvsCatrFHgaOfMVSzgm2B/g4m

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2988	takeown.exe
1736	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2184	E225.tmp
2676	jdid23ll.exe
2508	jdid23ll.exe
2316	bootsect.exe

Loads dropped DLL 1 IoCs

pid	Process
2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2988	takeown.exe
1736	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2508	2676	jdid23ll.exe	33

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-1-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral1/files/0x000b00000001225f-2.dat	upx
behavioral1/memory/2184-7-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2184-24-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral1/memory/2756-42-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral1/memory/2756-102-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral1/memory/2756-104-0x0000000000400000-0x0000000000658200-memory.dmp	upx
behavioral1/memory/2756-111-0x0000000000400000-0x0000000000658200-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\__tmp_rar_sfx_access_check_259449693	E225.tmp
File created	C:\Windows\jdid23ll.exe	E225.tmp
File opened for modification	C:\Windows\jdid23ll.exe	E225.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdid23ll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E225.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: 33	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2988	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2676	jdid23ll.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2184	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2184	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2184	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2184	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2676	2184	E225.tmp	32
PID 2184 wrote to memory of 2676	2184	E225.tmp	32
PID 2184 wrote to memory of 2676	2184	E225.tmp	32
PID 2184 wrote to memory of 2676	2184	E225.tmp	32
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2676 wrote to memory of 2508	2676	jdid23ll.exe	33
PID 2756 wrote to memory of 540	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	35
PID 2756 wrote to memory of 540	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	35
PID 2756 wrote to memory of 540	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	35
PID 2756 wrote to memory of 540	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	35
PID 540 wrote to memory of 2944	540	cmd.exe	37
PID 540 wrote to memory of 2944	540	cmd.exe	37
PID 540 wrote to memory of 2944	540	cmd.exe	37
PID 540 wrote to memory of 2944	540	cmd.exe	37
PID 2944 wrote to memory of 2988	2944	cmd.exe	38
PID 2944 wrote to memory of 2988	2944	cmd.exe	38
PID 2944 wrote to memory of 2988	2944	cmd.exe	38
PID 2944 wrote to memory of 2988	2944	cmd.exe	38
PID 2756 wrote to memory of 1848	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	39
PID 2756 wrote to memory of 1848	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	39
PID 2756 wrote to memory of 1848	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	39
PID 2756 wrote to memory of 1848	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	39
PID 1848 wrote to memory of 1736	1848	cmd.exe	41
PID 1848 wrote to memory of 1736	1848	cmd.exe	41
PID 1848 wrote to memory of 1736	1848	cmd.exe	41
PID 1848 wrote to memory of 1736	1848	cmd.exe	41
PID 2756 wrote to memory of 1556	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	42
PID 2756 wrote to memory of 1556	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	42
PID 2756 wrote to memory of 1556	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	42
PID 2756 wrote to memory of 1556	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	42
PID 1556 wrote to memory of 2316	1556	cmd.exe	44
PID 1556 wrote to memory of 2316	1556	cmd.exe	44
PID 1556 wrote to memory of 2316	1556	cmd.exe	44
PID 1556 wrote to memory of 2316	1556	cmd.exe	44
PID 2756 wrote to memory of 1392	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	45
PID 2756 wrote to memory of 1392	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	45
PID 2756 wrote to memory of 1392	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	45
PID 2756 wrote to memory of 1392	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	45
PID 1392 wrote to memory of 3024	1392	cmd.exe	47
PID 1392 wrote to memory of 3024	1392	cmd.exe	47
PID 1392 wrote to memory of 3024	1392	cmd.exe	47
PID 1392 wrote to memory of 3024	1392	cmd.exe	47
PID 2756 wrote to memory of 1588	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	49
PID 2756 wrote to memory of 1588	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	49
PID 2756 wrote to memory of 1588	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	49
PID 2756 wrote to memory of 1588	2756	b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe	49
PID 1588 wrote to memory of 1176	1588	cmd.exe	51
PID 1588 wrote to memory of 1176	1588	cmd.exe	51
PID 1588 wrote to memory of 1176	1588	cmd.exe	51
PID 1588 wrote to memory of 1176	1588	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2162f4890cf8b208f88970d83bf96bf_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\E225.tmp
  C:\Users\Admin\AppData\Local\Temp\E225.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\WINDOWS\jdid23ll.exe
    "C:\WINDOWS\jdid23ll.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\WINDOWS\jdid23ll.exe
      C:\WINDOWS\jdid23ll.exe
      4⤵
      Executes dropped EXE
      PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\ldrscan\bootwin
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ldrscan\bootwin
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\bootsect.exe
    C:\bootsect.exe /nt60 SYS /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -upk
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\jdid23ll.exe

Filesize
152KB

MD5
bf12c59e5fa2dc0d5da6f52c354c0d74

SHA1
c071b84cf55a78930024c4230afeb391a77a8863

SHA256
ad0131444782e428ea57257d7b0240c1dac76ae6162e760fca010a76af4df170

SHA512
f11d0553707b0b96bcbc714e18a083e69ed9d7e05059d4c414bbc42be11222a0a8296a981e372f10bab501fdfa4b498d41858cc40232a3b62506deab3c266afe

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
17b18a2feb3dcfe8a165af86ebc29fe7

SHA1
bf00a8ef28200a3bbc73633b360e1484ee2874d5

SHA256
99c4970f1f4b9dc50a5db9ff6f3a581754a1631f0751bdec2b5e3a261f35d85a

SHA512
034e809a3f2a2eaa633b7c1c9bffd0ac65041bf0a3fc6ba861e281712cdcb1e063d6c29e562bdc864e1963466ebcec9e30475907bea80a67ab48111ae583e65c

Download Submit
\Users\Admin\AppData\Local\Temp\E225.tmp

Filesize
191KB

MD5
7c51a665b09509f5132748dd807121ac

SHA1
1bd220b5743a8763ee283f8c293a0782f0149b95

SHA256
e689d20675addef0963254195ba22e3061300ed49145af4410d4d5688a0a8838

SHA512
ee6e72a707729ded7df71dc71d3f02f3cebdd86c60a768cbb951e00168eb487134b059fcbfaedcb3c3c6cef668c725a1bb0d6bae9570757ae8704c330b87327c

Download Submit
memory/2184-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2184-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-31-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2508-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-37-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2508-39-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2508-29-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2508-27-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2508-33-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2676-19-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2676-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2676-43-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2676-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2676-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2756-60-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2756-84-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2756-76-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2756-68-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2756-42-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2756-52-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2756-44-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2756-1-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2756-102-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2756-103-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/2756-104-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download
memory/2756-4-0x0000000000250000-0x0000000000278000-memory.dmp

Filesize
160KB

Download
memory/2756-111-0x0000000000400000-0x0000000000658200-memory.dmp

Filesize
2.3MB

Download