Analysis
- max time kernel: 128s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 15:55

Static task: static1
Behavioral task: behavioral1
- Sample: 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
- Resource: win7-20240611-en

General
- Target: 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
- Size: 285KB
- MD5: 22f09c3981e48000b80d24624118c911
- SHA1: 20f7d9d85767a0fed5a5c91b594512913cf42278
- SHA256: b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e
- SHA512: c287f2f7f190a777c2162fef5c9298aed8d1b14bf2577530e811a72d2220bab07fba440db05950a27415565c5826d58cb695f84de23283ea819afb7d610142ac
- SSDEEP: 3072:zAgmeSumf3YOmFOX9PgdgIwtQuQI/zwcl39O1BCVc16zeWykek6LVdf2z/Ux+Xp8:zAgIuISOudgIwpNzDlo1BSQZVJ9AC
Malware Config
Signatures
- Possible privilege escalation attempt (14 IoCs)
  Processes (pid, process): 2864 takeown.exe; 3696 takeown.exe; 5088 icacls.exe; 4648 takeown.exe; 596 icacls.exe; 3512 icacls.exe; 5064 icacls.exe; 4136 takeown.exe; 1112 takeown.exe; 1140 icacls.exe; 4224 icacls.exe; 4908 takeown.exe; 5056 takeown.exe; 1392 icacls.exe
- Modifies file permissions (1 TTP, 14 IoCs)
  Processes (pid, process): 5088 icacls.exe; 1112 takeown.exe; 2864 takeown.exe; 5056 takeown.exe; 1392 icacls.exe; 3512 icacls.exe; 4224 icacls.exe; 4908 takeown.exe; 596 icacls.exe; 1140 icacls.exe; 3696 takeown.exe; 4648 takeown.exe; 5064 icacls.exe; 4136 takeown.exe
- Launches sc.exe (7 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes (pid, process): 1248 sc.exe; 3708 sc.exe; 4760 sc.exe; 1100 sc.exe; 3960 sc.exe; 1656 sc.exe; 2972 sc.exe
- Delays execution with timeout.exe (3 IoCs)
  Processes (pid, process): 608 timeout.exe; 5004 timeout.exe; 1344 timeout.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (token, pid, process): SeTakeOwnershipPrivilege 3696 takeown.exe; SeTakeOwnershipPrivilege 4136 takeown.exe; SeTakeOwnershipPrivilege 1112 takeown.exe; SeTakeOwnershipPrivilege 4648 takeown.exe; SeTakeOwnershipPrivilege 2864 takeown.exe; SeTakeOwnershipPrivilege 4908 takeown.exe; SeTakeOwnershipPrivilege 5056 takeown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid, source process -> target pid, target process, write events). Every spawn is recorded three times except the final entry, where the list ends:
  4900  22f09c3981e48000b80d24624118c911_JaffaCakes118.exe  ->  4792  cmd.exe      (3)
  4792  cmd.exe  ->  1248  sc.exe       (3)
  4792  cmd.exe  ->  3708  sc.exe       (3)
  4792  cmd.exe  ->  4760  sc.exe       (3)
  4792  cmd.exe  ->  1100  sc.exe       (3)
  4792  cmd.exe  ->  3960  sc.exe       (3)
  4792  cmd.exe  ->  1656  sc.exe       (3)
  4792  cmd.exe  ->  608   timeout.exe  (3)
  4792  cmd.exe  ->  3696  takeown.exe  (3)
  4792  cmd.exe  ->  4136  takeown.exe  (3)
  4792  cmd.exe  ->  1112  takeown.exe  (3)
  4792  cmd.exe  ->  4648  takeown.exe  (3)
  4792  cmd.exe  ->  2864  takeown.exe  (3)
  4792  cmd.exe  ->  4908  takeown.exe  (3)
  4792  cmd.exe  ->  5056  takeown.exe  (3)
  4792  cmd.exe  ->  5004  timeout.exe  (3)
  4792  cmd.exe  ->  596   icacls.exe   (3)
  4792  cmd.exe  ->  1140  icacls.exe   (3)
  4792  cmd.exe  ->  5088  icacls.exe   (3)
  4792  cmd.exe  ->  1392  icacls.exe   (3)
  4792  cmd.exe  ->  3512  icacls.exe   (3)
  4792  cmd.exe  ->  4224  icacls.exe   (1, last entry in the list)
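The 64 WriteProcessMemory IoCs above are not 64 distinct actions: every child spawn appears three times, and the last child (icacls.exe 4224) only once where the list ends. As an added example, not part of the sandbox report, the Python below parses an excerpt of those event lines, collapses the repeats into one spawn with a write count, and renders the parent/child tree a triage note would want. The event text is copied from the report; the regular expression and the three-writes-per-spawn expectation used to mark outliers are assumptions about this sandbox's output format.

```python
"""Collapse the sandbox's "wrote to memory" events into a parent/child tree.

Added example, not part of the sandbox report. EVENTS is an excerpt of the
report's "Suspicious use of WriteProcessMemory" list (the other children of
cmd.exe follow the same pattern). The report records each spawn three times
and the final entry (icacls.exe 4224) once; this code does not guess why, it
counts the writes so the reader sees spawns instead of raw write events.
"""
import re
from collections import defaultdict

# Constructed excerpt, copied from the report's event list.
EVENTS = """\
PID 4900 wrote to memory of 4792 4900 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe cmd.exe
PID 4900 wrote to memory of 4792 4900 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe cmd.exe
PID 4900 wrote to memory of 4792 4900 22f09c3981e48000b80d24624118c911_JaffaCakes118.exe cmd.exe
PID 4792 wrote to memory of 1248 4792 cmd.exe sc.exe
PID 4792 wrote to memory of 1248 4792 cmd.exe sc.exe
PID 4792 wrote to memory of 1248 4792 cmd.exe sc.exe
PID 4792 wrote to memory of 608 4792 cmd.exe timeout.exe
PID 4792 wrote to memory of 608 4792 cmd.exe timeout.exe
PID 4792 wrote to memory of 608 4792 cmd.exe timeout.exe
PID 4792 wrote to memory of 3696 4792 cmd.exe takeown.exe
PID 4792 wrote to memory of 3696 4792 cmd.exe takeown.exe
PID 4792 wrote to memory of 3696 4792 cmd.exe takeown.exe
PID 4792 wrote to memory of 596 4792 cmd.exe icacls.exe
PID 4792 wrote to memory of 596 4792 cmd.exe icacls.exe
PID 4792 wrote to memory of 596 4792 cmd.exe icacls.exe
PID 4792 wrote to memory of 4224 4792 cmd.exe icacls.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the
# backreference requires the repeated source pid to match the first one.
# The line format is an assumption about this sandbox's output.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Yield (src_pid, src_image, dst_pid, dst_image) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m:  # malformed or truncated lines are skipped, not guessed at
            yield int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]


def collapse(text):
    """Count write events per (src_pid, src_image, dst_pid, dst_image) spawn."""
    counts = defaultdict(int)
    for event in parse_events(text):
        counts[event] += 1
    return dict(counts)  # insertion order == order of first appearance


def build_tree(text):
    """Return {parent_pid: [(child_pid, child_image, writes), ...]} in report order."""
    tree = defaultdict(list)
    for (src, _src_img, dst, dst_img), n in collapse(text).items():
        tree[src].append((dst, dst_img, n))
    return dict(tree)


def image_names(text):
    """Map every pid seen in the events to its image name."""
    names = {}
    for src, src_img, dst, dst_img in parse_events(text):
        names[src], names[dst] = src_img, dst_img
    return names


def render(text, root):
    """Indented tree from `root`; spawns with an unusual write count are marked."""
    tree, names = build_tree(text), image_names(text)
    out = []

    def walk(pid, depth, writes):
        mark = "" if writes in (None, 3) else f"  [{writes} write event(s) recorded]"
        out.append(f"{'  ' * depth}{names.get(pid, '?')} (pid {pid}){mark}")
        for child, _img, n in tree.get(pid, []):
            walk(child, depth + 1, n)

    walk(root, 0, None)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(EVENTS, 4900))
```

Run directly, it prints the sample at the root, cmd.exe beneath it, and cmd.exe's children one level deeper; only the truncated icacls.exe 4224 entry gets a write-count mark, which is the quickest way to spot where a capped IoC list was cut off.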
Processes (indented by depth in the process tree; image path, then command line, then triggered signatures in brackets)
- C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
  [Suspicious use of WriteProcessMemory]
  - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~36B0.cmd "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
    [Suspicious use of WriteProcessMemory]
    - C:\Windows\SysWOW64\sc.exe
      sc stop sppsvc
      [Launches sc.exe]
    - C:\Windows\SysWOW64\sc.exe
      sc config sppsvc start= Delayed-Auto
      [Launches sc.exe]
    - C:\Windows\SysWOW64\sc.exe
      sc stop sppuinotify
      [Launches sc.exe]
    - C:\Windows\SysWOW64\sc.exe
      sc config sppuinotify start= Demand
      [Launches sc.exe]
    - C:\Windows\SysWOW64\sc.exe
      sc stop SLUINotify
      [Launches sc.exe]
    - C:\Windows\SysWOW64\sc.exe
      sc config SLUINotify start= Demand
      [Launches sc.exe]
    - C:\Windows\SysWOW64\timeout.exe
      timeout /T 2 /NOBREAK
      [Delays execution with timeout.exe]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\SLLUA.exe.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\sppsvc.exe.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\SLUI.exe.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\sppuinotify.dll.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\SLUINotify.dll.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\takeown.exe
      takeown /F C:\Windows\Sysnative\sppwinob.dll.bak
      [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\timeout.exe
      timeout /T 2 /NOBREAK
      [Delays execution with timeout.exe]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\SLLUA.exe.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\sppsvc.exe.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\SLUI.exe.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\sppuinotify.dll.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\SLUINotify.dll.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\Sysnative\sppwinob.dll.bak /grant administrators:F
      [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\SysWOW64\timeout.exe
      timeout /T 2 /NOBREAK
      [Delays execution with timeout.exe]
    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y "
    - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms"
    - C:\Windows\SysWOW64\sc.exe
      sc stop timerstop
      [Launches sc.exe]
    - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop" /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Logo /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v HelpCustomized /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Manufacturer /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v SupportURL /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Start Menu" /v OEMLogoUri /f
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\WindowsExperienceIndexOemInfo" /v Logo /f
    - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - C:\Windows\SysWOW64\findstr.exe
      findstr /I "XP"
    - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - C:\Windows\SysWOW64\findstr.exe
      findstr /I "2003"
    - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - C:\Windows\SysWOW64\findstr.exe
      findstr /I "7"
    - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - C:\Windows\SysWOW64\findstr.exe
      findstr /I "VISTA"
    - C:\Windows\SysWOW64\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    - C:\Windows\SysWOW64\findstr.exe
      findstr /I "2008"
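The tree above shows the dropped batch file ~36B0.cmd, run by a 32-bit cmd.exe, stopping the Software Protection Platform services sppsvc, sppuinotify and SLUINotify, taking ownership of .bak copies of SPP binaries under C:\Windows\Sysnative (the 64-bit System32 as seen from a SysWOW64 process) and granting Administrators full control on them, deleting the signed plugin-manifest backup, stopping and deleting a TimerStop service, clearing OEMInformation branding values, and finally checking ProductName for the OS generation. The following is an added example, not part of the report or of the sample: a small Python detection routine that replays those command lines as constructed (ppid, image, cmdline) records and correlates each takeown with the later icacls on the same path under the same parent, which is the chain behind the report's paired "Possible privilege escalation attempt" / "Modifies file permissions" hits. The record shape and the rule names are assumptions; the command lines and the parent pid 4792 are taken from the report, and child pids are left out because the report does not pair each pid with a command line.

```python
"""Flag the service-tampering and ownership/ACL-rewrite pattern in the tree above.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines the report shows under cmd.exe (pid 4792). The (ppid, image,
cmdline) record is a simplified process-creation log shape, an assumption.
"""
import re
from collections import defaultdict

# Windows Software Protection Platform (activation) services targeted by sc.exe.
SPP_SERVICES = {"sppsvc", "sppuinotify", "sluinotify"}
# Sysnative is the 64-bit System32 as seen from a 32-bit (SysWOW64) process.
PROTECTED_DIRS = ("\\windows\\sysnative\\", "\\windows\\system32\\")

# Paths the script takes ownership of and then re-ACLs (from the report).
SPP_BACKUPS = [
    r"C:\Windows\Sysnative\SLLUA.exe.bak",
    r"C:\Windows\Sysnative\sppsvc.exe.bak",
    r"C:\Windows\Sysnative\SLUI.exe.bak",
    r"C:\Windows\Sysnative\sppuinotify.dll.bak",
    r"C:\Windows\Sysnative\SLUINotify.dll.bak",
    r"C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms",
    r"C:\Windows\Sysnative\sppwinob.dll.bak",
]

# Constructed event list, in the order the report shows the children of pid 4792.
EVENTS = (
    [(4792, "sc.exe", c) for c in (
        "sc stop sppsvc", "sc config sppsvc start= Delayed-Auto",
        "sc stop sppuinotify", "sc config sppuinotify start= Demand",
        "sc stop SLUINotify", "sc config SLUINotify start= Demand")]
    + [(4792, "takeown.exe", f"takeown /F {p}") for p in SPP_BACKUPS]
    + [(4792, "icacls.exe", f"icacls {p} /grant administrators:F") for p in SPP_BACKUPS]
    + [(4792, "sc.exe", "sc stop timerstop"),
       (4792, "reg.exe", r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop" /f'),
       (4792, "reg.exe", r'REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Logo /f'),
       (4792, "reg.exe", r'REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Manufacturer /f'),
       (4792, "reg.exe", r'REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"')]
)

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a cmd.exe-style command line, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def arg_after(toks, flag):
    """Value following a case-insensitive flag such as /F or /v, or None."""
    low = [t.lower() for t in toks]
    if flag not in low or low.index(flag) == len(toks) - 1:
        return None
    return toks[low.index(flag) + 1]


def in_protected_dir(path):
    return any(d in path.lower() for d in PROTECTED_DIRS)


def triage(events):
    """Return (rule, detail) findings in event order.

    spp_service_tamper  sc stop/config against a Software Protection service
    takeown_system      takeown /F on a file under System32 or Sysnative
    acl_rewrite_chain   icacls /grant on a path the same parent took ownership of
    service_removed     reg delete of a Services key the same parent sc-stopped
    reg_value_deleted   any other reg delete /v
    """
    findings, owned, stopped = [], defaultdict(set), defaultdict(set)
    for ppid, _image, cmdline in events:
        toks = tokens(cmdline)
        if not toks:
            continue
        verb = toks[0].lower()
        if verb == "sc" and len(toks) >= 3:
            action, svc = toks[1].lower(), toks[2].lower()
            if action == "stop":
                stopped[ppid].add(svc)
            if svc in SPP_SERVICES and action in ("stop", "config"):
                findings.append(("spp_service_tamper", f"{action} {svc}"))
        elif verb == "takeown":
            path = arg_after(toks, "/f")
            if path and in_protected_dir(path):
                owned[ppid].add(path.lower())  # remembered per parent process
                findings.append(("takeown_system", path))
        elif verb == "icacls" and len(toks) >= 2:
            path = toks[1]
            if arg_after(toks, "/grant") and path.lower() in owned[ppid]:
                findings.append(("acl_rewrite_chain", path))
        elif verb == "reg" and len(toks) >= 3 and toks[1].lower() == "delete":
            key = toks[2]
            svc = re.search(r"\\services\\([^\\]+)$", key, re.I)
            if svc and svc.group(1).lower() in stopped[ppid]:
                findings.append(("service_removed", svc.group(1)))
            elif arg_after(toks, "/v"):
                findings.append(("reg_value_deleted", f"{key} /v {arg_after(toks, '/v')}"))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:20} {detail}")
```

Run directly, it prints one finding per line. The takeown/icacls correlation is keyed on parent pid and lower-cased path, so an icacls on a path nobody took ownership of in that shell yields nothing, a takeown outside System32/Sysnative is ignored, and the REG QUERY lines used for the version check produce no finding at all; on real telemetry the same keying by parent pid is what keeps unrelated administrators' icacls runs out of the chain rule.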
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\~36B0.cmd
  Filesize: 7KB
  MD5: e65ab3753f25806e60a5105d98ee5d1a
  SHA1: f71b168bf8f11158108d2a16925c8e2774b49f41
  SHA256: d3df460de31d10d886e859375e3a076eaa4adbb5136fd93db27b34894f57e407
  SHA512: c9b45ef31a87b56914fb9b4e7f84ff3cb1fa4ff4f019c11ed598640fab9836f40f17baaaa4f9b9e7def909f8912478d092ed7be0b47976ab713e1d9285e139eb
- memory/4900-7-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB