b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e

Analysis

max time kernel
128s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
Size

285KB
MD5

22f09c3981e48000b80d24624118c911
SHA1

20f7d9d85767a0fed5a5c91b594512913cf42278
SHA256

b547d7e1ca41e924cbda422bfd91af1f4a2f40fecf94fb34ed0de3924380fc2e
SHA512

c287f2f7f190a777c2162fef5c9298aed8d1b14bf2577530e811a72d2220bab07fba440db05950a27415565c5826d58cb695f84de23283ea819afb7d610142ac
SSDEEP

3072:zAgmeSumf3YOmFOX9PgdgIwtQuQI/zwcl39O1BCVc16zeWykek6LVdf2z/Ux+Xp8:zAgIuISOudgIwpNzDlo1BSQZVJ9AC

Score

8^/10

discovery evasion execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 14 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
2864	takeown.exe
3696	takeown.exe
5088	icacls.exe
4648	takeown.exe
596	icacls.exe
3512	icacls.exe
5064	icacls.exe
4136	takeown.exe
1112	takeown.exe
1140	icacls.exe
4224	icacls.exe
4908	takeown.exe
5056	takeown.exe
1392	icacls.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
5088	icacls.exe
1112	takeown.exe
2864	takeown.exe
5056	takeown.exe
1392	icacls.exe
3512	icacls.exe
4224	icacls.exe
4908	takeown.exe
596	icacls.exe
1140	icacls.exe
3696	takeown.exe
4648	takeown.exe
5064	icacls.exe
4136	takeown.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1248 sc.exe
3708 sc.exe
4760 sc.exe
1100 sc.exe
3960 sc.exe
1656 sc.exe
2972 sc.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

608 timeout.exe
5004 timeout.exe
1344 timeout.exe

pid	process
1248	sc.exe
3708	sc.exe
4760	sc.exe
1100	sc.exe
3960	sc.exe
1656	sc.exe
2972	sc.exe

pid	process
608	timeout.exe
5004	timeout.exe
1344	timeout.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3696	takeown.exe
Token: SeTakeOwnershipPrivilege	4136	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	4648	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	4908	takeown.exe
Token: SeTakeOwnershipPrivilege	5056	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22f09c3981e48000b80d24624118c911_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 4900 wrote to memory of 4792	4900	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 4900 wrote to memory of 4792	4900	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 4900 wrote to memory of 4792	4900	22f09c3981e48000b80d24624118c911_JaffaCakes118.exe	cmd.exe
PID 4792 wrote to memory of 1248	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1248	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1248	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3708	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3708	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3708	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 4760	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 4760	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 4760	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1100	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1100	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1100	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3960	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3960	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 3960	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1656	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1656	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 1656	4792	cmd.exe	sc.exe
PID 4792 wrote to memory of 608	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 608	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 608	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 3696	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 3696	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 3696	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4136	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4136	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4136	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 1112	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 1112	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 1112	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4648	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4648	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4648	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 2864	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 2864	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 2864	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4908	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4908	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4908	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 5056	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 5056	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 5056	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 5004	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 5004	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 5004	4792	cmd.exe	timeout.exe
PID 4792 wrote to memory of 596	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 596	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 596	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1140	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1140	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1140	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 5088	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 5088	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 5088	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1392	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1392	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1392	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3512	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3512	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3512	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 4224	4792	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~36B0.cmd "C:\Users\Admin\AppData\Local\Temp\22f09c3981e48000b80d24624118c911_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\sc.exe
sc stop sppsvc
3⤵
- Launches sc.exe
PID:1248

C:\Windows\SysWOW64\sc.exe
sc config sppsvc start= Delayed-Auto
3⤵
- Launches sc.exe
PID:3708

C:\Windows\SysWOW64\sc.exe
sc stop sppuinotify
3⤵
- Launches sc.exe
PID:4760

C:\Windows\SysWOW64\sc.exe
sc config sppuinotify start= Demand
3⤵
- Launches sc.exe
PID:1100

C:\Windows\SysWOW64\sc.exe
sc stop SLUINotify
3⤵
- Launches sc.exe
PID:3960

C:\Windows\SysWOW64\sc.exe
sc config SLUINotify start= Demand
3⤵
- Launches sc.exe
PID:1656

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:608

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLLUA.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppsvc.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLUI.exe.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppuinotify.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\SLUINotify.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\Sysnative\sppwinob.dll.bak
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5004

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLLUA.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:596

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppsvc.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1140

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLUI.exe.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5088

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppuinotify.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\SLUINotify.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3512

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Sysnative\sppwinob.dll.bak /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5064

C:\Windows\SysWOW64\timeout.exe
timeout /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Sysnative\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.bak.xrm-ms"
3⤵
PID:1056

C:\Windows\SysWOW64\sc.exe
sc stop timerstop
3⤵
- Launches sc.exe
PID:2972

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TimerStop" /f
3⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Logo /f
3⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v HelpCustomized /f
3⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v Manufacturer /f
3⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /v SupportURL /f
3⤵
PID:404

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Start Menu" /v OEMLogoUri /f
3⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat\WindowsExperienceIndexOemInfo" /v Logo /f
3⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:2272

C:\Windows\SysWOW64\findstr.exe
findstr /I "XP"
3⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:3208

C:\Windows\SysWOW64\findstr.exe
findstr /I "2003"
3⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:468

C:\Windows\SysWOW64\findstr.exe
findstr /I "7"
3⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:3816

C:\Windows\SysWOW64\findstr.exe
findstr /I "VISTA"
3⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
3⤵
PID:4992

C:\Windows\SysWOW64\findstr.exe
findstr /I "2008"
3⤵
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~36B0.cmd
Filesize
7KB

MD5
e65ab3753f25806e60a5105d98ee5d1a

SHA1
f71b168bf8f11158108d2a16925c8e2774b49f41

SHA256
d3df460de31d10d886e859375e3a076eaa4adbb5136fd93db27b34894f57e407

SHA512
c9b45ef31a87b56914fb9b4e7f84ff3cb1fa4ff4f019c11ed598640fab9836f40f17baaaa4f9b9e7def909f8912478d092ed7be0b47976ab713e1d9285e139eb

Download Submit
memory/4900-7-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download