Analysis

max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 20:14

Static task: static1
Behavioral task: behavioral1
Sample: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
Resource: win7-20240508-en

General

Target: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
Size: 93KB
MD5: 1d499ca722b1d20f4f77ead9224b30c9
SHA1: adcc862f2657a6474d7e7cc1bb5f7befc863e7ec
SHA256: 454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84
SHA512: 0aa0552fcf30f55575076bc12a7a551a84319e3b4de904189d38d75fd14043891468cc5c52416cbdb650bf7b043c8a5763817f593f48ce43b094e653a4e6e410
SSDEEP: 1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfkw0P3ry:n7DhdC6kzWypvaQ0FxyNTBfk3O
Malware Config
Signatures
Possible privilege escalation attempt (36 IoCs)
Processes (pid, image):
  takeown.exe: 2336, 2668, 1148, 2628, 2952, 2824, 2664, 2604, 1056, 3020, 2596, 2940, 2652, 2572, 2028, 2324, 2800, 340
  icacls.exe: 2724, 2728, 2844, 3044, 2556, 2996, 1996, 2712, 2924, 2040, 2688, 2472, 1660, 1700, 1144, 2256, 2020, 1084
Modifies file permissions (1 TTP, 36 IoCs)
Processes (pid, image):
  takeown.exe: 2800, 2652, 2596, 2952, 1148, 2668, 2628, 2824, 2940, 2324, 2572, 340, 3020, 2336, 1056, 2028, 2604, 2664
  icacls.exe: 1700, 2256, 2688, 1996, 2040, 1660, 2724, 2728, 3044, 2712, 2556, 2020, 2472, 1084, 1144, 2924, 2996, 2844
Drops file in Windows directory (11 IoCs)
Processes: cmd.exe
  File opened for modification by cmd.exe:
    C:\Windows\Boot\DVD\EFI\BCD
    C:\Windows\Boot\DVD\EFI\boot.sdi
    C:\Windows\Boot\DVD\PCAT\boot.sdi
    C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin
    C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin
    C:\Windows\Boot\DVD\PCAT\etfsboot.com
    C:\Windows\Boot\DVD\EFI\en-US\efisys.bin
    C:\Windows\Boot\DVD\PCAT\BCD
    C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin
    C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin
    C:\Windows\Boot\DVD\PCAT\ja-JP\bootfix.bin
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes: takeown.exe (15 instances)
  Token: SeTakeOwnershipPrivilege, adjusted by takeown.exe pids 2336, 2652, 2324, 2596, 2668, 2664, 2572, 2028, 2628, 2800, 2604, 2824, 2940, 2952, 3020
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe, cmd.exe
  source pid -> target pid (source process -> target process), recorded writes:
    2552 -> 2292 (1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe -> cmd.exe), 4 writes
    2292 -> 2336 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 1144 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 1148 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2256 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2652 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2040 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2324 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2020 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2596 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2688 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2668 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2712 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2664 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 1660 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2572 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2472 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2028 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2724 (cmd.exe -> icacls.exe), 3 writes
    2292 -> 2628 (cmd.exe -> takeown.exe), 3 writes
    2292 -> 2728 (cmd.exe -> icacls.exe), 3 writes
Processes
(tree depth in brackets; command lines are reproduced exactly as recorded, so the typos in the batch script the sample runs survive: the unbalanced quote in "Admin:F, -skipsl"C:\... with no separating space, and a takeown on hall.dll followed by an icacls on hal.dll)

[1] C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\ntoskrnl.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -r -f -skipsl "C:\Windows\Boot"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\bfsvc.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System\SHELL.DLL"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\kernel32.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\advapi32.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\user32.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\gdi32.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\win32k.sys"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\ntdll.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\ANSI.SYS"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\hall.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -r -f -skipsl "C:\Users\Public"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Users\Public" /t /c /grant "Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System32\Boot\winload.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System\avicap.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System\COMMDLG.DLL"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\takeown.exe
        cmdline: takeown -f "C:\Windows\System\keyboard.drv"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe
        cmdline: ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
        - Possible privilege escalation attempt
        - Modifies file permissions
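The signatures above ("Modifies file permissions", "Possible privilege escalation attempt", "Suspicious use of AdjustPrivilegeToken") summarise one behaviour: the batch file the sample drops runs takeown.exe and then icacls.exe against boot-critical files and directories (ntoskrnl.exe, ntdll.dll, hal.dll, winload.exe, C:\Windows\Boot) and hands the Admin account full control of each. The Python below is an added example, not part of the report or of the sample: it re-implements that triage over process-creation events, using a subset of the command lines recorded above as constructed input. The event shape (pid, ppid, image, cmdline), the protected-path list, the benign control event and the pairing of child pids to particular commands are assumptions, not something the report states.

```python
"""Added example (not from the report or the sample): reproduce the sandbox's
takeown/icacls signatures over process-creation events. Assumed event shape:
(pid, ppid, image, cmdline), as parsed from Sysmon Event ID 1 or an EDR feed."""
import re
from collections import namedtuple

# Assumed policy list: paths where handing a user Full control is never routine.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\system",
                      r"c:\windows\boot", r"c:\windows\bfsvc.exe")
# An ancestor image under one of these makes the whole chain suspicious.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\users\\public\\")

QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]*)"')
BARE_PATH = re.compile(r"([A-Za-z]:\\\S+)")
# Tolerates "Admin":F, the sample's unbalanced "Admin:F, and bare Admin:F.
FULL_CONTROL = re.compile(r'/grant(?::r)?\s+"?([^":\s]+)"?:F(?![A-Za-z])', re.I)
RECURSIVE = re.compile(r"(?:^|\s)(?:-r|/t)(?=\s|$)", re.I)

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
Finding = namedtuple("Finding", "pid tool target protected recursive "
                                "full_control_to suspicious_chain chain")

def parse_target(cmdline):
    """First drive-letter path; quoted form wins, so -skipsl glued to a quoted path parses."""
    m = QUOTED_PATH.search(cmdline) or BARE_PATH.search(cmdline)
    return m.group(1) if m else None

def is_protected(path):
    p = path.lower().rstrip("\\")
    return any(p == pre or p.startswith(pre + "\\") for pre in PROTECTED_PREFIXES)

def grants_full_control(cmdline):
    m = FULL_CONTROL.search(cmdline)
    return m.group(1) if m else None

def ancestry(events, pid):
    """Image paths from the process itself up to the root (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain

def triage(events):
    """takeown/icacls calls on a protected path or under a user-writable parent."""
    out = []
    for e in events:
        tool = e.image.rsplit("\\", 1)[-1].lower()
        target = parse_target(e.cmdline) if tool in ("takeown.exe", "icacls.exe") else None
        if target is None:
            continue
        chain = ancestry(events, e.pid)
        suspicious = any(h in img.lower() for img in chain[1:] for h in USER_WRITABLE_HINTS)
        protected = is_protected(target)
        if protected or suspicious:  # routine admin use of either tool is left alone
            out.append(Finding(e.pid, tool, target, protected,
                               RECURSIVE.search(e.cmdline) is not None,
                               grants_full_control(e.cmdline), suspicious, chain))
    return out

def paired_targets(findings):
    """Targets hit by both steps of the sample's pattern: takeown, then icacls."""
    tools = {}
    for f in findings:
        tools.setdefault(f.target.lower(), set()).add(f.tool)
    return sorted(t for t, s in tools.items() if {"takeown.exe", "icacls.exe"} <= s)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat"

def _child(pid, tool, cmdline):  # pid-to-command pairing is inferred, illustrative only
    return ProcEvent(pid, 2292, "C:\\Windows\\system32\\" + tool, cmdline)

# Constructed input: a subset of the report's process tree plus one benign control.
EVENTS = [
    ProcEvent(2552, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2292, 2552, r"C:\Windows\system32\cmd.exe", f'"C:\\Windows\\sysnative\\cmd" /c "{BAT} {SAMPLE}"'),
    _child(2336, "takeown.exe", r'takeown -f "C:\Windows\System32\ntoskrnl.exe"'),
    _child(1144, "icacls.exe", r'ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F'),
    _child(1148, "takeown.exe", r'takeown -r -f -skipsl "C:\Windows\Boot"'),
    _child(2256, "icacls.exe", r'ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F'),
    _child(2800, "takeown.exe", r'takeown -r -f -skipsl "C:\Users\Public"'),
    _child(1084, "icacls.exe", r'ICACLS "C:\Users\Public" /t /c /grant "Admin:F'),
    _child(2604, "takeown.exe", r'takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"'),
    _child(2924, "icacls.exe", r'ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F'),
    # Benign control (constructed): a console under Explorer grants read access on a document.
    ProcEvent(4000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\system32\icacls.exe",
              r'icacls "C:\Users\Admin\Documents\report.docx" /grant Bob:R'),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.pid:>5} {f.tool:<12} {f.target}  protected={f.protected} recursive={f.recursive}")
    print("takeown+icacls pairs:", paired_targets(triage(EVENTS)))
```

The check that carries the weight is the parent chain, not the tool names: takeown and icacls are ordinary administrative utilities, but a chain rooted in a binary under the user's Temp directory that reassigns ownership of ntoskrnl.exe or the whole Boot directory has no benign reading, and the takeown-then-icacls pairing on the same target is what turns ownership into a usable Full-control ACE. The regexes are deliberately loose because the recorded command lines include an unbalanced "Admin:F and a -skipsl with no space before the quoted path; a detection that assumes well-formed quoting misses exactly the cases above.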
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat
Filesize: 3KB
MD5: 411b15479e88b188dc741f7f83eda07e
SHA1: 1c2d076c497dd21f31d6cfb839fe809c6374ab70
SHA256: e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a
SHA512: fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94