Analysis

  • max time kernel
    41s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-07-2024 20:14

General

  • Target

    1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe

  • Size

    93KB

  • MD5

    1d499ca722b1d20f4f77ead9224b30c9

  • SHA1

    adcc862f2657a6474d7e7cc1bb5f7befc863e7ec

  • SHA256

    454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84

  • SHA512

    0aa0552fcf30f55575076bc12a7a551a84319e3b4de904189d38d75fd14043891468cc5c52416cbdb650bf7b043c8a5763817f593f48ce43b094e653a4e6e410

  • SSDEEP

    1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfkw0P3ry:n7DhdC6kzWypvaQ0FxyNTBfk3O

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 36 IoCs
  • Modifies file permissions 1 TTPs 36 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\ntoskrnl.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4480
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:624
      • C:\Windows\system32\takeown.exe
        takeown -r -f -skipsl "C:\Windows\Boot"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2776
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1012
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\bfsvc.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3268
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3076
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System\SHELL.DLL"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1288
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\kernel32.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2588
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\advapi32.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4836
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2400
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\user32.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4416
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1152
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\gdi32.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:536
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\win32k.sys"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1368
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\ntdll.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3324
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\ANSI.SYS"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1584
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\hall.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1412
      • C:\Windows\system32\takeown.exe
        takeown -r -f -skipsl "C:\Users\Public"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1492
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Users\Public" /t /c /grant "Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1316
      • C:\Windows\system32\takeown.exe
        takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:820
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1820
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System32\Boot\winload.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3912
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System\avicap.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:400
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5048
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System\COMMDLG.DLL"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4648
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4088
      • C:\Windows\system32\takeown.exe
        takeown -f "C:\Windows\System\keyboard.drv"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:828
      • C:\Windows\system32\icacls.exe
        ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat
    Filesize

    3KB

    MD5

    411b15479e88b188dc741f7f83eda07e

    SHA1

    1c2d076c497dd21f31d6cfb839fe809c6374ab70

    SHA256

    e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a

    SHA512

    fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94