b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
Size

285KB
MD5

22f09c3981e48000b80d24624118c911
SHA1

20f7d9d85767a0fed5a5c91b594512913cf42278
SHA256

b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e
SHA512

c287f2f7f190a777c2162fef5c9298aed8d1b14bf2577530e811a72d2220bab07fba440db05950a27415565c5826d58cb695f84de23283ea819afb7d610142ac
SSDEEP

3072:zAgmeSumf3YOmFOX9PgdgIwtQuQI/zwcl39O1BCVc16zeWykek6LVdf2z/Ux+Xp8:zAgIuISOudgIwpNzDlo1BSQZVJ9AC

Score

8^/10

discovery evasion execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 14 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
2704	icacls.exe
2560	takeown.exe
2656	takeown.exe
2936	takeown.exe
2700	icacls.exe
2764	icacls.exe
2972	takeown.exe
1220	takeown.exe
2440	icacls.exe
2584	icacls.exe
2556	icacls.exe
2592	icacls.exe
2668	takeown.exe
2296	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2296	takeown.exe
2972	takeown.exe
2764	icacls.exe
2656	takeown.exe
2584	icacls.exe
2556	icacls.exe
2668	takeown.exe
2700	icacls.exe
2440	icacls.exe
2704	icacls.exe
1220	takeown.exe
2936	takeown.exe
2560	takeown.exe
2592	icacls.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2744 sc.exe
3056 sc.exe
2276 sc.exe
860 sc.exe
1804 sc.exe
1828 sc.exe
2624 sc.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2752 timeout.exe
2688 timeout.exe
2468 timeout.exe

pid	process
2744	sc.exe
3056	sc.exe
2276	sc.exe
860	sc.exe
1804	sc.exe
1828	sc.exe
2624	sc.exe

pid	process
2752	timeout.exe
2688	timeout.exe
2468	timeout.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2296	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	2972	takeown.exe
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeTakeOwnershipPrivilege	2656	takeown.exe
Token: SeTakeOwnershipPrivilege	2668	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22f09c3981e48000b80d24624118c911_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2516 wrote to memory of 2292	2516	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 3056	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2276	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 860	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1804	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 1828	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2624	2292	cmd.exe	sc.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2752	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2296	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 1220	2292	cmd.exe	takeown.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2852 attrib.exe
3060 attrib.exe
3068 attrib.exe
2848 attrib.exe

pid	process
2852	attrib.exe
3060	attrib.exe
3068	attrib.exe
2848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~A7C.cmd "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\sc.exe
sc stop sppsvc
3⤵
- Launches sc.exe
PID:3056

C:\Windows\SysWOW64\sc.exe
sc config sppsvc start= Delayed-Auto
3⤵
- Launches sc.exe
PID:2276

C:\Windows\SysWOW64\sc.exe
sc stop sppuinotify
3⤵
- Launches sc.exe
PID:860

C:\Windows\SysWOW64\sc.exe
sc config sppuinotify start= Demand
3⤵
- Launches sc.exe
PID:1804

C:\Windows\SysWOW64\sc.exe
sc stop SLUINotify
3⤵
- Launches sc.exe
PID:1828

C:\Windows\SysWOW64\sc.exe
sc config SLUINotify start= Demand
3⤵
- Launches sc.exe
PID:2624

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2752

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLLUA.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppsvc.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLUI.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppuinotify.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLUINotify.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppwinob.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2688

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLLUA.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2700

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppsvc.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLUI.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppuinotify.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLUINotify.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2764

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2704

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppwinob.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2592

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms"
3⤵
PID:2648

C:\Windows\SysWOW64\sc.exe
sc stop timerstop
3⤵
- Launches sc.exe
PID:2744

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop" /f
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Logo /f
3⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v HelpCustomized /f
3⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Manufacturer /f
3⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v SupportURL /f
3⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Start Menu" /v OEMLogoUri /f
3⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\WindowsExperienceIndexOemInfo" /v Logo /f
3⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:2448

C:\Windows\SysWOW64\findstr.exe
findstr /I "XP"
3⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:2496

C:\Windows\SysWOW64\findstr.exe
findstr /I "2003"
3⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:2164

C:\Windows\SysWOW64\findstr.exe
findstr /I "7"
3⤵
PID:672

C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "HarddiskVolume" "C:\Users\Admin\AppData\Local\Temp\Boot"
3⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c FINDSTR /I "\<device" "C:\Users\Admin\AppData\Local\Temp\Boot"
3⤵
PID:2840

C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "\<device" "C:\Users\Admin\AppData\Local\Temp\Boot"
4⤵
PID:2692

C:\Windows\SysWOW64\attrib.exe
attrib "\win7ldr" -H -S -R
3⤵
- Views/modifies file attributes
PID:3060

C:\Windows\SysWOW64\attrib.exe
ATTRIB "\grldr" -h -s -r
3⤵
- Views/modifies file attributes
PID:3068

C:\Windows\SysWOW64\attrib.exe
attrib "\win7ldr" -H -S -R
3⤵
- Views/modifies file attributes
PID:2848

C:\Windows\SysWOW64\attrib.exe
ATTRIB "\grldr" -h -s -r
3⤵
- Views/modifies file attributes
PID:2852

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~A7C.cmd
Filesize
7KB

MD5
e65ab3753f25806e60a5105d98ee5d1a

SHA1
f71b168bf8f11158108d2a16925c8e2774b49f41

SHA256
d3df460de31d10d886e859375e3a076eaa4adbb5136fd93db27b34894f57e407

SHA512
c9b45ef31a87b56914fb9b4e7f84ff3cb1fa4ff4f019c11ed598640fab9836f40f17baaaa4f9b9e7def909f8912478d092ed7be0b47976ab713e1d9285e139eb

Download Submit
memory/2516-7-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads