Analysis
Max time kernel: 149s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 31-03-2024 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  Resource: win10v2004-20240226-en
General
Target: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
Size: 124KB
MD5: 5262da4295e8a62d58d17991b35bf860
SHA1: 3fba37528f6b06d2c89c7d86ce6352df438f1855
SHA256: 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
SHA512: 8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
SSDEEP: 1536:HEzzhi6Qu6TDW2rxtene90Ceqhg0Sh1xOeFPa+HNFiS79oe:HEzlQuExvene9zFhgDbsm7TiVe
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of the QEMU agent, possibly to detect virtualization.
Processes: MSIC7B4.tmp, MSIC7B4.tmp
description              ioc                                    process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   MSIC7B4.tmp
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   MSIC7B4.tmp
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: MSIC7B4.tmp, MSIC7B4.tmp
pid   process
1828  MSIC7B4.tmp
1996  MSIC7B4.tmp
-
Suspicious use of SetThreadContext (1 IoC)
Processes: MSIC7B4.tmp
description                          pid   process      target process
PID 1828 set thread context of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
-
Drops file in Windows directory (10 IoCs)
Processes: DrvInst.exe, msiexec.exe
description                   ioc                                  process
File opened for modification  C:\Windows\INF\setupapi.ev3          DrvInst.exe
File opened for modification  C:\Windows\INF\setupapi.dev.log      DrvInst.exe
File opened for modification  C:\Windows\Installer\f76c468.msi     msiexec.exe
File opened for modification  C:\Windows\Installer\                msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC6D8.tmp     msiexec.exe
File opened for modification  C:\Windows\Installer\f76c46b.ipi     msiexec.exe
File opened for modification  C:\Windows\INF\setupapi.ev1          DrvInst.exe
File created                  C:\Windows\Installer\f76c468.msi     msiexec.exe
File created                  C:\Windows\Installer\f76c46b.ipi     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIC7B4.tmp     msiexec.exe
-
Executes dropped EXE (1 IoC)
Processes: MSIC7B4.tmp
pid   process
1828  MSIC7B4.tmp
-
Loads dropped DLL (1 IoC)
Processes: MSIC7B4.tmp
pid   process
1996  MSIC7B4.tmp
-
Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
pid   process
2700  msiexec.exe
2700  msiexec.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: MSIC7B4.tmp
pid   process
1828  MSIC7B4.tmp
-
Suspicious use of AdjustPrivilegeToken (61 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid   process
2868  msiexec.exe
2868  msiexec.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: MSIC7B4.tmp
pid   process
1828  MSIC7B4.tmp
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: msiexec.exe, MSIC7B4.tmp
description                      pid   process      target process
PID 2700 wrote to memory of 1828  2700  msiexec.exe  MSIC7B4.tmp
PID 2700 wrote to memory of 1828  2700  msiexec.exe  MSIC7B4.tmp
PID 2700 wrote to memory of 1828  2700  msiexec.exe  MSIC7B4.tmp
PID 2700 wrote to memory of 1828  2700  msiexec.exe  MSIC7B4.tmp
PID 1828 wrote to memory of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
PID 1828 wrote to memory of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
PID 1828 wrote to memory of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
PID 1828 wrote to memory of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
PID 1828 wrote to memory of 1996  1828  MSIC7B4.tmp  MSIC7B4.tmp
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2868)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  Signatures:
    Enumerates connected drives
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2700)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
    Enumerates connected drives
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  - C:\Windows\Installer\MSIC7B4.tmp (PID 1828)
    Command line: "C:\Windows\Installer\MSIC7B4.tmp"
    Signatures:
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
    - C:\Windows\Installer\MSIC7B4.tmp (PID 1996)
      Command line: "C:\Windows\Installer\MSIC7B4.tmp"
      Signatures:
        Checks QEMU agent file
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 3020)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2464)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C8" "00000000000005AC"
  Signatures:
    Drops file in Windows directory
    Modifies data under HKEY_USERS
    Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Config.Msi\f76c46c.rbs
  Filesize: 663B
  MD5: d5fafbca42e11c6b13d4960646928812
  SHA1: deebd9ef94428f70b10efbff32cca45644c14b05
  SHA256: 69cd323927cca147d530035e7260934cb343ff81ff37cb4ca90277b363c47002
  SHA512: 953d6c1410c81caba2e4f9438000b31146448a8057d3cfa1ad3cec1a64af7a8d33143a27d9b26896868a7b5987fc6fca83527f024c6d1fd8bcdaa4653cde6ce5
- C:\Windows\Installer\MSIC7B4.tmp
  Filesize: 100KB
  MD5: 8c0ef68bfe8b4f2d72ca3599aedb6387
  SHA1: b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261
  SHA256: 4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe
  SHA512: 87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733
- memory/1828-22-0x0000000000240000-0x0000000000251000-memory.dmp
  Filesize: 68KB
- memory/1828-17-0x0000000077830000-0x0000000077906000-memory.dmp
  Filesize: 856KB
- memory/1828-19-0x0000000000240000-0x0000000000251000-memory.dmp
  Filesize: 68KB
- memory/1828-16-0x0000000077640000-0x00000000777E9000-memory.dmp
  Filesize: 1.7MB
- memory/1828-15-0x0000000000240000-0x0000000000251000-memory.dmp
  Filesize: 68KB
- memory/1996-23-0x0000000000400000-0x0000000000553000-memory.dmp
  Filesize: 1.3MB
- memory/1996-25-0x00000000001B0000-0x00000000002B0000-memory.dmp
  Filesize: 1024KB
- memory/1996-36-0x0000000077640000-0x00000000777E9000-memory.dmp
  Filesize: 1.7MB
- memory/1996-44-0x0000000000400000-0x0000000000553000-memory.dmp
  Filesize: 1.3MB
- memory/1996-46-0x00000000001B0000-0x00000000002B0000-memory.dmp
  Filesize: 1024KB
- memory/1996-47-0x0000000000400000-0x0000000000553000-memory.dmp
  Filesize: 1.3MB