Analysis
max time kernel: 135s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-03-2024 16:03
Behavioral task: behavioral1
Sample: 2654d2d35ce77f52a2f09784c124f924_JaffaCakes118.msi
Resource: win7-20240319-en

Behavioral task: behavioral2
Sample: 2654d2d35ce77f52a2f09784c124f924_JaffaCakes118.msi
Resource: win10v2004-20240226-en
General
Target: 2654d2d35ce77f52a2f09784c124f924_JaffaCakes118.msi
Size: 264KB
MD5: 2654d2d35ce77f52a2f09784c124f924
SHA1: b52bd25fef4dfc4f79f63b45dcf52f9b41babc20
SHA256: 60ca595c2e8c64cecf7c2f5e1bf9b6d8fa0ca96ba4003daf9681ede62244d35b
SHA512: 639f306c360b334e56b04058bc1a9ee4ffa4ebc361d45486ba985b225d7d3c31929e51576765e897f20e8f34ff6b06172658e6e2ac7b13e31869987b6a169ad8
SSDEEP: 3072:QmAk2R903DaYJAkwgz88ereWn/7w05g0zMcB3RUN46ILJ9+ZB5yOanny:Qmn3DaYJAV8er1nzTirIy
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
flow  pid   Process
19    1840  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
Drops file in Windows directory (5 IoCs)
description                   ioc                                                       Process
File created                  C:\Windows\Installer\e582bed.msi                          msiexec.exe
File opened for modification  C:\Windows\Installer\e582bed.msi                          msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI2DD1.tmp                          msiexec.exe
File opened for modification  C:\Windows\Installer\MSI368D.tmp                          msiexec.exe
Loads dropped DLL (2 IoCs)
pid   Process
1840  MsiExec.exe
1840  MsiExec.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of AdjustPrivilegeToken (38 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            3128  msiexec.exe
Token: SeIncreaseQuotaPrivilege       3128  msiexec.exe
Token: SeSecurityPrivilege            3572  msiexec.exe
Token: SeCreateTokenPrivilege         3128  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  3128  msiexec.exe
Token: SeLockMemoryPrivilege          3128  msiexec.exe
Token: SeIncreaseQuotaPrivilege       3128  msiexec.exe
Token: SeMachineAccountPrivilege      3128  msiexec.exe
Token: SeTcbPrivilege                 3128  msiexec.exe
Token: SeSecurityPrivilege            3128  msiexec.exe
Token: SeTakeOwnershipPrivilege       3128  msiexec.exe
Token: SeLoadDriverPrivilege          3128  msiexec.exe
Token: SeSystemProfilePrivilege       3128  msiexec.exe
Token: SeSystemtimePrivilege          3128  msiexec.exe
Token: SeProfSingleProcessPrivilege   3128  msiexec.exe
Token: SeIncBasePriorityPrivilege     3128  msiexec.exe
Token: SeCreatePagefilePrivilege      3128  msiexec.exe
Token: SeCreatePermanentPrivilege     3128  msiexec.exe
Token: SeBackupPrivilege              3128  msiexec.exe
Token: SeRestorePrivilege             3128  msiexec.exe
Token: SeShutdownPrivilege            3128  msiexec.exe
Token: SeDebugPrivilege               3128  msiexec.exe
Token: SeAuditPrivilege               3128  msiexec.exe
Token: SeSystemEnvironmentPrivilege   3128  msiexec.exe
Token: SeChangeNotifyPrivilege        3128  msiexec.exe
Token: SeRemoteShutdownPrivilege      3128  msiexec.exe
Token: SeUndockPrivilege              3128  msiexec.exe
Token: SeSyncAgentPrivilege           3128  msiexec.exe
Token: SeEnableDelegationPrivilege    3128  msiexec.exe
Token: SeManageVolumePrivilege        3128  msiexec.exe
Token: SeImpersonatePrivilege         3128  msiexec.exe
Token: SeCreateGlobalPrivilege        3128  msiexec.exe
Token: SeRestorePrivilege             3572  msiexec.exe
Token: SeTakeOwnershipPrivilege       3572  msiexec.exe
Token: SeRestorePrivilege             3572  msiexec.exe
Token: SeTakeOwnershipPrivilege       3572  msiexec.exe
Token: SeRestorePrivilege             3572  msiexec.exe
Token: SeTakeOwnershipPrivilege       3572  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
3128  msiexec.exe
3128  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process      procid_target
PID 3572 wrote to memory of 1840  3572  msiexec.exe  98
PID 3572 wrote to memory of 1840  3572  msiexec.exe  98
PID 3572 wrote to memory of 1840  3572  msiexec.exe  98
Processes
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2654d2d35ce77f52a2f09784c124f924_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3128

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3572

    C:\Windows\syswow64\MsiExec.exe (child of PID 3572)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5B34F153033C0BAF6AEB91F40B952C1D
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 5016
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 91KB
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b