21c15427e510d11a270acde17b9be3f4b521c2b79caedeba4241433355acfb68

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2024, 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6029e560b25e77fa0dfb90c1f699e30a_JaffaCakes118.msi
Size

264KB
MD5

6029e560b25e77fa0dfb90c1f699e30a
SHA1

b527ed1a06832418dba90812064bffccacc2b352
SHA256

21c15427e510d11a270acde17b9be3f4b521c2b79caedeba4241433355acfb68
SHA512

f729f7ae148eb7bf744af0142a6f68516067278b2ea416a8872ac51f465dc15253fc913f4a10ce35aac80a9e92174980bfd1c0903a9efd7eb4cfc47a7e6e5e87
SSDEEP

3072:0mAk2R903DaYRAkwgz88ereWn/7w05g0WaAMcB3RUN46ILJ9+ZB5yOannb:0mn3DaYRAV8er1nzTsaPrIb

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	3988	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI610C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6235.tmp	msiexec.exe
File created	C:\Windows\Installer\e57609e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57609e.msi	msiexec.exe

Loads dropped DLL 2 IoCs

pid	Process
3988	MsiExec.exe
3988	MsiExec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2364	msiexec.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	2364	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2364	msiexec.exe
Token: SeLockMemoryPrivilege	2364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2364	msiexec.exe
Token: SeMachineAccountPrivilege	2364	msiexec.exe
Token: SeTcbPrivilege	2364	msiexec.exe
Token: SeSecurityPrivilege	2364	msiexec.exe
Token: SeTakeOwnershipPrivilege	2364	msiexec.exe
Token: SeLoadDriverPrivilege	2364	msiexec.exe
Token: SeSystemProfilePrivilege	2364	msiexec.exe
Token: SeSystemtimePrivilege	2364	msiexec.exe
Token: SeProfSingleProcessPrivilege	2364	msiexec.exe
Token: SeIncBasePriorityPrivilege	2364	msiexec.exe
Token: SeCreatePagefilePrivilege	2364	msiexec.exe
Token: SeCreatePermanentPrivilege	2364	msiexec.exe
Token: SeBackupPrivilege	2364	msiexec.exe
Token: SeRestorePrivilege	2364	msiexec.exe
Token: SeShutdownPrivilege	2364	msiexec.exe
Token: SeDebugPrivilege	2364	msiexec.exe
Token: SeAuditPrivilege	2364	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2364	msiexec.exe
Token: SeChangeNotifyPrivilege	2364	msiexec.exe
Token: SeRemoteShutdownPrivilege	2364	msiexec.exe
Token: SeUndockPrivilege	2364	msiexec.exe
Token: SeSyncAgentPrivilege	2364	msiexec.exe
Token: SeEnableDelegationPrivilege	2364	msiexec.exe
Token: SeManageVolumePrivilege	2364	msiexec.exe
Token: SeImpersonatePrivilege	2364	msiexec.exe
Token: SeCreateGlobalPrivilege	2364	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe
Token: SeRestorePrivilege	5016	msiexec.exe
Token: SeTakeOwnershipPrivilege	5016	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2364	msiexec.exe
2364	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3988	5016	msiexec.exe	87
PID 5016 wrote to memory of 3988	5016	msiexec.exe	87
PID 5016 wrote to memory of 3988	5016	msiexec.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6029e560b25e77fa0dfb90c1f699e30a_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6A39AD379797F504C4DF17E86549264E
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI610C.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit