Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 03-07-2024 15:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
- Size: 285KB
- MD5: 22f09c3981e48000b80d24624118c911
- SHA1: 20f7d9d85767a0fed5a5c91b594512913cf42278
- SHA256: b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e
- SHA512: c287f2f7f190a777c2162fef5c9298aed8d1b14bf2577530e811a72d2220bab07fba440db05950a27415565c5826d58cb695f84de23283ea819afb7d610142ac
- SSDEEP: 3072:zAgmeSumf3YOmFOX9PgdgIwtQuQI/zwcl39O1BCVc16zeWykek6LVdf2z/Ux+Xp8:zAgIuISOudgIwpNzDlo1BSQZVJ9AC
Malware Config
Signatures
-
Possible privilege escalation attempt (14 IoCs)
Processes (pid, process):
- 2704 icacls.exe
- 2560 takeown.exe
- 2656 takeown.exe
- 2936 takeown.exe
- 2700 icacls.exe
- 2764 icacls.exe
- 2972 takeown.exe
- 1220 takeown.exe
- 2440 icacls.exe
- 2584 icacls.exe
- 2556 icacls.exe
- 2592 icacls.exe
- 2668 takeown.exe
- 2296 takeown.exe
-
Modifies file permissions (1 TTPs, 14 IoCs)
Processes (pid, process):
- 2296 takeown.exe
- 2972 takeown.exe
- 2764 icacls.exe
- 2656 takeown.exe
- 2584 icacls.exe
- 2556 icacls.exe
- 2668 takeown.exe
- 2700 icacls.exe
- 2440 icacls.exe
- 2704 icacls.exe
- 1220 takeown.exe
- 2936 takeown.exe
- 2560 takeown.exe
- 2592 icacls.exe
-
Launches sc.exe (7 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 2744 sc.exe
- 3056 sc.exe
- 2276 sc.exe
- 860 sc.exe
- 1804 sc.exe
- 1828 sc.exe
- 2624 sc.exe
-
Delays execution with timeout.exe (3 IoCs)
Processes (pid, process):
- 2752 timeout.exe
- 2688 timeout.exe
- 2468 timeout.exe
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description, pid, process):
- Token: SeTakeOwnershipPrivilege, 2296 takeown.exe
- Token: SeTakeOwnershipPrivilege, 1220 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2936 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2972 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2560 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2656 takeown.exe
- Token: SeTakeOwnershipPrivilege, 2668 takeown.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; identical rows are grouped with their occurrence count, 64 rows in total):
- PID 2516 wrote to memory of 2292: 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe -> cmd.exe (7 occurrences)
- PID 2292 wrote to memory of 3056: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 2276: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 860: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 1804: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 1828: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 2624: cmd.exe -> sc.exe (7 occurrences)
- PID 2292 wrote to memory of 2752: cmd.exe -> timeout.exe (7 occurrences)
- PID 2292 wrote to memory of 2296: cmd.exe -> takeown.exe (7 occurrences)
- PID 2292 wrote to memory of 1220: cmd.exe -> takeown.exe (1 occurrence)
-
Views/modifies file attributes (1 TTPs, 4 IoCs)
Processes (pid, process):
- 2852 attrib.exe
- 3060 attrib.exe
- 3068 attrib.exe
- 2848 attrib.exe
Processes (process tree; each entry lists the image path, the command line, and the signatures it triggered)
- [1] C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~A7C.cmd "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc stop sppsvc
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc config sppsvc start= Delayed-Auto
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc stop sppuinotify
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc config sppuinotify start= Demand
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc stop SLUINotify
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc config SLUINotify start= Demand
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\timeout.exe
      command line: timeout /T 2 /NOBREAK
      - Delays execution with timeout.exe
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\SLLUA.exe.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\sppsvc.exe.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\SLUI.exe.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\sppuinotify.dll.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\SLUINotify.dll.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\takeown.exe
      command line: takeown /F C:\Windows\Sysnative\sppwinob.dll.bak
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\timeout.exe
      command line: timeout /T 2 /NOBREAK
      - Delays execution with timeout.exe
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\SLLUA.exe.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\sppsvc.exe.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\SLUI.exe.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\sppuinotify.dll.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\SLUINotify.dll.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\Sysnative\sppwinob.dll.bak /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [3] C:\Windows\SysWOW64\timeout.exe
      command line: timeout /T 2 /NOBREAK
      - Delays execution with timeout.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo y "
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms"
    - [3] C:\Windows\SysWOW64\sc.exe
      command line: sc stop timerstop
      - Launches sc.exe
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop" /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Logo /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v HelpCustomized /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Manufacturer /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v SupportURL /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Start Menu" /v OEMLogoUri /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\WindowsExperienceIndexOemInfo" /v Logo /f
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - [3] C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "XP"
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - [3] C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "2003"
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - [3] C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "7"
    - [3] C:\Windows\SysWOW64\findstr.exe
      command line: FINDSTR /I "HarddiskVolume" "C:\Users\Admin\AppData\Local\Temp\Boot"
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c FINDSTR /I "\<device" "C:\Users\Admin\AppData\Local\Temp\Boot"
      - [4] C:\Windows\SysWOW64\findstr.exe
        command line: FINDSTR /I "\<device" "C:\Users\Admin\AppData\Local\Temp\Boot"
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "\win7ldr" -H -S -R
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: ATTRIB "\grldr" -h -s -r
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib "\win7ldr" -H -S -R
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: ATTRIB "\grldr" -h -s -r
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\~A7C.cmd
  Filesize: 7KB
  MD5: e65ab3753f25806e60a5105d98ee5d1a
  SHA1: f71b168bf8f11158108d2a16925c8e2774b49f41
  SHA256: d3df460de31d10d886e859375e3a076eaa4adbb5136fd93db27b34894f57e407
  SHA512: c9b45ef31a87b56914fb9b4e7f84ff3cb1fa4ff4f019c11ed598640fab9836f40f17baaaa4f9b9e7def909f8912478d092ed7be0b47976ab713e1d9285e139eb
- memory/2516-7-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB