454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
Size

93KB
MD5

1d499ca722b1d20f4f77ead9224b30c9
SHA1

adcc862f2657a6474d7e7cc1bb5f7befc863e7ec
SHA256

454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84
SHA512

0aa0552fcf30f55575076bc12a7a551a84319e3b4de904189d38d75fd14043891468cc5c52416cbdb650bf7b043c8a5763817f593f48ce43b094e653a4e6e410
SSDEEP

1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfkw0P3ry:n7DhdC6kzWypvaQ0FxyNTBfk3O

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 36 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2336	takeown.exe
2668	takeown.exe
2724	icacls.exe
2728	icacls.exe
1148	takeown.exe
2844	icacls.exe
3044	icacls.exe
2556	icacls.exe
2996	icacls.exe
1996	icacls.exe
2712	icacls.exe
2628	takeown.exe
2952	takeown.exe
2824	takeown.exe
2924	icacls.exe
2040	icacls.exe
2688	icacls.exe
2664	takeown.exe
2472	icacls.exe
2604	takeown.exe
1056	takeown.exe
3020	takeown.exe
2596	takeown.exe
1660	icacls.exe
1700	icacls.exe
2940	takeown.exe
1144	icacls.exe
2256	icacls.exe
2652	takeown.exe
2020	icacls.exe
2572	takeown.exe
2028	takeown.exe
2324	takeown.exe
2800	takeown.exe
340	takeown.exe
1084	icacls.exe

Modifies file permissions 1 TTPs 36 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2800	takeown.exe
1700	icacls.exe
2256	icacls.exe
2652	takeown.exe
2596	takeown.exe
2688	icacls.exe
2952	takeown.exe
1996	icacls.exe
1148	takeown.exe
2040	icacls.exe
1660	icacls.exe
2724	icacls.exe
2728	icacls.exe
3044	icacls.exe
2668	takeown.exe
2712	icacls.exe
2628	takeown.exe
2556	icacls.exe
2824	takeown.exe
2940	takeown.exe
2324	takeown.exe
2020	icacls.exe
2572	takeown.exe
2472	icacls.exe
340	takeown.exe
1084	icacls.exe
3020	takeown.exe
2336	takeown.exe
1144	icacls.exe
1056	takeown.exe
2028	takeown.exe
2604	takeown.exe
2924	icacls.exe
2996	icacls.exe
2664	takeown.exe
2844	icacls.exe

Drops file in Windows directory 11 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\boot.sdi	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\boot.sdi	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\etfsboot.com	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\en-US\efisys.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\ja-JP\bootfix.bin	cmd.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeTakeOwnershipPrivilege	2652	takeown.exe
Token: SeTakeOwnershipPrivilege	2324	takeown.exe
Token: SeTakeOwnershipPrivilege	2596	takeown.exe
Token: SeTakeOwnershipPrivilege	2668	takeown.exe
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	2572	takeown.exe
Token: SeTakeOwnershipPrivilege	2028	takeown.exe
Token: SeTakeOwnershipPrivilege	2628	takeown.exe
Token: SeTakeOwnershipPrivilege	2800	takeown.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	2940	takeown.exe
Token: SeTakeOwnershipPrivilege	2952	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 2292	2552	1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe	cmd.exe
PID 2552 wrote to memory of 2292	2552	1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe	cmd.exe
PID 2552 wrote to memory of 2292	2552	1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe	cmd.exe
PID 2552 wrote to memory of 2292	2552	1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 2336	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2336	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2336	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 1144	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 1144	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 1144	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 1148	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 1148	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 1148	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2256	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2256	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2256	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2652	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2652	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2652	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2040	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2324	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2324	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2324	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2020	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2020	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2020	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2596	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2596	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2596	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2688	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2688	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2688	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2668	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2668	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2668	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2712	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2712	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2712	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2664	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2664	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2664	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 1660	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 1660	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 1660	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2572	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2572	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2572	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2472	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2472	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2472	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2028	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2028	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2028	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2724	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2724	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2724	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2628	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2628	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2628	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2728	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2728	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2728	2292	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntoskrnl.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1144

C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Windows\Boot"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1148

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2256

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\bfsvc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2040

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\SHELL.DLL"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\kernel32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2688

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\advapi32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2712

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\user32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\gdi32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2472

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\win32k.sys"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2724

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntdll.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2728

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ANSI.SYS"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\hall.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1700

C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Users\Public"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:340

C:\Windows\system32\icacls.exe
ICACLS "C:\Users\Public" /t /c /grant "Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1084

C:\Windows\system32\takeown.exe
takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1056

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\Boot\winload.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2844

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\avicap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2924

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\COMMDLG.DLL"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2996

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\keyboard.drv"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1996

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat
Filesize
3KB

MD5
411b15479e88b188dc741f7f83eda07e

SHA1
1c2d076c497dd21f31d6cfb839fe809c6374ab70

SHA256
e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a

SHA512
fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads