Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2024 04:18
Static task: static1
Behavioral task: behavioral1
  Sample: 4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
  Resource: win10v2004-20231215-en
General
- Target: 4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
- Size: 124KB
- MD5: 4cea5d8cb3e0a17e942812e31667120a
- SHA1: c526373cc21495053cdf3ff735f10e4f031659b7
- SHA256: be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
- SHA512: 1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7
- SSDEEP: 1536:LEuul/7WYt61BPnueWzlCd46+Ml3ybnWbHPs:LEu4/7Rt61BPue4+46+s5HE
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: MSI72DF.tmp, MSI72DF.tmp
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | MSI72DF.tmp
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | MSI72DF.tmp
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: MSI72DF.tmp
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PANTOPTEROUS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AGONIED\\KLUMSEDE.vbs" | MSI72DF.tmp
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: MSI72DF.tmp, MSI72DF.tmp
  pid | process
  1728 | MSI72DF.tmp
  2552 | MSI72DF.tmp
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: MSI72DF.tmp
  description | pid | process | target process
  PID 1728 set thread context of 2552 | 1728 | MSI72DF.tmp | MSI72DF.tmp
- Drops file in Windows directory (8 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI7290.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI72DF.tmp | msiexec.exe
  File created | C:\Windows\Installer\e577203.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e577203.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- Executes dropped EXE (1 IoCs)
  Processes: MSI72DF.tmp
  pid | process
  1728 | MSI72DF.tmp
- Loads dropped DLL (1 IoCs)
  Processes: MSI72DF.tmp
  pid | process
  2552 | MSI72DF.tmp
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe
  pid | process
  4276 | msiexec.exe
  4276 | msiexec.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: MSI72DF.tmp
  pid | process
  1728 | MSI72DF.tmp
- Suspicious use of AdjustPrivilegeToken (55 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1116 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1116 | msiexec.exe
  Token: SeSecurityPrivilege | 4276 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1116 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1116 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1116 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1116 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1116 | msiexec.exe
  Token: SeTcbPrivilege | 1116 | msiexec.exe
  Token: SeSecurityPrivilege | 1116 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1116 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1116 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1116 | msiexec.exe
  Token: SeSystemtimePrivilege | 1116 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1116 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1116 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1116 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1116 | msiexec.exe
  Token: SeBackupPrivilege | 1116 | msiexec.exe
  Token: SeRestorePrivilege | 1116 | msiexec.exe
  Token: SeShutdownPrivilege | 1116 | msiexec.exe
  Token: SeDebugPrivilege | 1116 | msiexec.exe
  Token: SeAuditPrivilege | 1116 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1116 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1116 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1116 | msiexec.exe
  Token: SeUndockPrivilege | 1116 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1116 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1116 | msiexec.exe
  Token: SeManageVolumePrivilege | 1116 | msiexec.exe
  Token: SeImpersonatePrivilege | 1116 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1116 | msiexec.exe
  Token: SeBackupPrivilege | 4064 | vssvc.exe
  Token: SeRestorePrivilege | 4064 | vssvc.exe
  Token: SeAuditPrivilege | 4064 | vssvc.exe
  Token: SeBackupPrivilege | 4276 | msiexec.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
  Token: SeBackupPrivilege | 4612 | srtasks.exe
  Token: SeRestorePrivilege | 4612 | srtasks.exe
  Token: SeSecurityPrivilege | 4612 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4612 | srtasks.exe
  Token: SeBackupPrivilege | 4612 | srtasks.exe
  Token: SeRestorePrivilege | 4612 | srtasks.exe
  Token: SeSecurityPrivilege | 4612 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4612 | srtasks.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
  Token: SeRestorePrivilege | 4276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4276 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  pid | process
  1116 | msiexec.exe
  1116 | msiexec.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: MSI72DF.tmp
  pid | process
  1728 | MSI72DF.tmp
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: msiexec.exe, MSI72DF.tmp
  description | pid | process | target process
  PID 4276 wrote to memory of 4612 | 4276 | msiexec.exe | srtasks.exe
  PID 4276 wrote to memory of 4612 | 4276 | msiexec.exe | srtasks.exe
  PID 4276 wrote to memory of 1728 | 4276 | msiexec.exe | MSI72DF.tmp
  PID 4276 wrote to memory of 1728 | 4276 | msiexec.exe | MSI72DF.tmp
  PID 4276 wrote to memory of 1728 | 4276 | msiexec.exe | MSI72DF.tmp
  PID 1728 wrote to memory of 2552 | 1728 | MSI72DF.tmp | MSI72DF.tmp
  PID 1728 wrote to memory of 2552 | 1728 | MSI72DF.tmp | MSI72DF.tmp
  PID 1728 wrote to memory of 2552 | 1728 | MSI72DF.tmp | MSI72DF.tmp
  PID 1728 wrote to memory of 2552 | 1728 | MSI72DF.tmp | MSI72DF.tmp
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4cea5d8cb3e0a17e942812e31667120a_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSI72DF.tmp
    Command line: "C:\Windows\Installer\MSI72DF.tmp"
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSI72DF.tmp
      Command line: "C:\Windows\Installer\MSI72DF.tmp"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Config.Msi\e577206.rbs
  Filesize: 663B
  MD5: 6941d285f50cc352f2ef6d1a92059282
  SHA1: 09802f1a59594e1e2fcf67bdcdaa32af7bf936c9
  SHA256: 8e13ab22382cd55fee388847d7436fa01798687786c7fd4d59501a178fc26d18
  SHA512: c41639bcfc110886f8fdb4925782fe88ef7746651733939fd96b3841770adfbaef9b5e12e04ea21a65ff7a024ec04830f607e24968d928d824372895154f027b
- C:\Windows\Installer\MSI72DF.tmp
  Filesize: 100KB
  MD5: 9c0f4f8b74d0c49c28997dcc175897c9
  SHA1: 56aedf510fe21edf7f5deb00b210e50f54f44443
  SHA256: 9fd8a479a9f54341cfea3c2906cbc779c8623a288708ac00e21a486f325e3934
  SHA512: c2ff13b0737904fc97fdd57a17f9d4885776a5c07d1c3a884292e7143df2966397e4f4820a39450c950b2e3c68fdf2799091357fa9f129ef196e962f4c5e8ba3
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 483f6226d4fb727afd0670635ae45950
  SHA1: d72844e5e8e8bac6e5b5569f64ccb4f323cfabda
  SHA256: eeb6c21017b91422803d5c5252d4cedb2213add200ca43a3b5a84b5bf278af5d
  SHA512: db098b1188652eb6c841398b1f66978e6d3a56c435b673ab333e32517c02107403bef7329b0cc126fbdc0aa325a4c42655bd7ed0494409f1bec5a91d3979a9d2
- \??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{70287e1a-ce4f-448e-992c-099ef00f1976}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 81dd8bd27eb2d1d85cfd3f5167bb0521
  SHA1: f224b216184ba2e5ba3016e2e324acd98f3b2e45
  SHA256: bf0bd408e936ae10d04ff88f4035abd256e20a10cf44f19629911d1a8c3580e7
  SHA512: 6c406897612279ad293f73af9cd0ce0da100bda513402d5ce1a0635c8e10d7f91f46b8176aa15f46b734e10855ad075932f3fe91d82bc04fbef46719c7a0ba2f
- memory/1728-14-0x0000000000750000-0x0000000000761000-memory.dmp
  Filesize: 68KB
- memory/1728-15-0x0000000077201000-0x0000000077321000-memory.dmp
  Filesize: 1.1MB
- memory/1728-21-0x0000000000750000-0x0000000000761000-memory.dmp
  Filesize: 68KB
- memory/2552-19-0x0000000000400000-0x000000000055D000-memory.dmp
  Filesize: 1.4MB
- memory/2552-22-0x0000000000560000-0x0000000000660000-memory.dmp
  Filesize: 1024KB
- memory/2552-35-0x0000000000400000-0x000000000055D000-memory.dmp
  Filesize: 1.4MB
- memory/2552-37-0x0000000000560000-0x0000000000660000-memory.dmp
  Filesize: 1024KB