Overview

overview

10

Static

static

1

5262da4295...18.msi

windows7-x64

10

5262da4295...18.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi

  • Size

    124KB

  • MD5

    5262da4295e8a62d58d17991b35bf860

  • SHA1

    3fba37528f6b06d2c89c7d86ce6352df438f1855

  • SHA256

    058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf

  • SHA512

    8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18

  • SSDEEP

    1536:HEzzhi6Qu6TDW2rxtene90Ceqhg0Sh1xOeFPa+HNFiS79oe:HEzlQuExvene9zFhgDbsm7TiVe

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\Installer\MSIC7B4.tmp
      "C:\Windows\Installer\MSIC7B4.tmp"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\Installer\MSIC7B4.tmp
        "C:\Windows\Installer\MSIC7B4.tmp"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Loads dropped DLL
        PID:1996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3020
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76c46c.rbs
    Filesize

    663B

    MD5

    d5fafbca42e11c6b13d4960646928812

    SHA1

    deebd9ef94428f70b10efbff32cca45644c14b05

    SHA256

    69cd323927cca147d530035e7260934cb343ff81ff37cb4ca90277b363c47002

    SHA512

    953d6c1410c81caba2e4f9438000b31146448a8057d3cfa1ad3cec1a64af7a8d33143a27d9b26896868a7b5987fc6fca83527f024c6d1fd8bcdaa4653cde6ce5

    Download Submit
  • C:\Windows\Installer\MSIC7B4.tmp
    Filesize

    100KB

    MD5

    8c0ef68bfe8b4f2d72ca3599aedb6387

    SHA1

    b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261

    SHA256

    4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe

    SHA512

    87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733

    Download Submit
  • memory/1828-22-0x0000000000240000-0x0000000000251000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1828-17-0x0000000077830000-0x0000000077906000-memory.dmp
    Filesize

    856KB

    Download
  • memory/1828-19-0x0000000000240000-0x0000000000251000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1828-16-0x0000000077640000-0x00000000777E9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1828-15-0x0000000000240000-0x0000000000251000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1996-23-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1996-25-0x00000000001B0000-0x00000000002B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1996-36-0x0000000077640000-0x00000000777E9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1996-44-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1996-46-0x00000000001B0000-0x00000000002B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1996-47-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download