Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
28/03/2024, 18:23
Static task
static1
Behavioral task
behavioral1
Sample
0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe
Resource
win10v2004-20231215-en
General
-
Target
0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
0cceede0437d194e0573424a8227bdf7
-
SHA1
0ebe8c91991c8a37c668a9d154799ce385abb6e6
-
SHA256
684f03646bd8de7eb2f3d9a554319751dea91723936cfcc0c150276fa2819790
-
SHA512
d76184f781a2ec0c91731870a16f27f023b758244e3459868308ad86636044214262396ae7d3a491141423135e358aec61797ab4046d0cbe2ae5ef2f3587de6f
-
SSDEEP
49152:6mO46HAzYJwP62wHSJxOsRvXEqRiKP99EkeikCE1tlB7UI4:6myAzY32wHSXOrq8AXTItlB7Uv
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2656 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2656 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2656 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeSecurityPrivilege | 2648 | msiexec.exe
Token: SeCreateTokenPrivilege | 2656 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2656 | msiexec.exe
Token: SeLockMemoryPrivilege | 2656 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2656 | msiexec.exe
Token: SeMachineAccountPrivilege | 2656 | msiexec.exe
Token: SeTcbPrivilege | 2656 | msiexec.exe
Token: SeSecurityPrivilege | 2656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2656 | msiexec.exe
Token: SeLoadDriverPrivilege | 2656 | msiexec.exe
Token: SeSystemProfilePrivilege | 2656 | msiexec.exe
Token: SeSystemtimePrivilege | 2656 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2656 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2656 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2656 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2656 | msiexec.exe
Token: SeBackupPrivilege | 2656 | msiexec.exe
Token: SeRestorePrivilege | 2656 | msiexec.exe
Token: SeShutdownPrivilege | 2656 | msiexec.exe
Token: SeDebugPrivilege | 2656 | msiexec.exe
Token: SeAuditPrivilege | 2656 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2656 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2656 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2656 | msiexec.exe
Token: SeUndockPrivilege | 2656 | msiexec.exe
Token: SeSyncAgentPrivilege | 2656 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2656 | msiexec.exe
Token: SeManageVolumePrivilege | 2656 | msiexec.exe
Token: SeImpersonatePrivilege | 2656 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2656 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2656 | msiexec.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2656 | 2168 | 0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
PID:2168
-
    C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Camtech\MP3 Tagger\install\MP3Tags.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\0cceede0437d194e0573424a8227bdf7_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    Depth: 2 (child of PID 2168)
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2656
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:2648
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
78B
MD5
a0065dca72f7c4c4c7118532d383d537
SHA1
7ffa6bef9f3cfbed42323a065b325c0e2aa374d6
SHA256
2f01991a97a09efd0dd707106cf436c23677a961551078195718bce5fbf5d08c
SHA512
d4e451455b25a2b5118c85695a4066804c8b07b249be98d87b9b56d3975644db24a0cde14deacbaf4ca9cce49d10058ba5b550a347ace29e077ffe1af05697d7
-
Filesize
138KB
MD5
4c8adec6c2dcb3425db979183076c1ed
SHA1
069da7a3bf535e3973c6aba75820606432549e42
SHA256
6b2ce5c30b777562da49d0ea9804f0585b327c7166532a00f4a1f4e2892e05e8
SHA512
ba9e6e3ce46956e2457ee63b725adf74d88010c23da519a305442a40d246944eba6f3a83c3f58594ba4be59e013b46138a4fd7b829061ae183a9c72ddad5f724