Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2024 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  Resource: win10v2004-20240226-en
General
Target: 5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
Size: 124KB
MD5: 5262da4295e8a62d58d17991b35bf860
SHA1: 3fba37528f6b06d2c89c7d86ce6352df438f1855
SHA256: 058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
SHA512: 8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
SSDEEP: 1536:HEzzhi6Qu6TDW2rxtene90Ceqhg0Sh1xOeFPa+HNFiS79oe:HEzlQuExvene9zFhgDbsm7TiVe
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: MSID293.tmp, MSID293.tmp
  description              ioc                                    process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   MSID293.tmp
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   MSID293.tmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only)  \??\<letter>:  msiexec.exe
  for each of A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z (23 letters; C:, D: and F: do not appear). Each letter is listed twice, giving the 46 IoCs; both msiexec.exe processes (PIDs 2672 and 1396) carry this signature in the process tree.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: MSID293.tmp, MSID293.tmp
  pid   process
  3340  MSID293.tmp
  3432  MSID293.tmp
Suspicious use of SetThreadContext (1 IoC)
Processes: MSID293.tmp
  PID 3340 (MSID293.tmp) set thread context of 3432 (MSID293.tmp)
Drops file in Windows directory (8 IoCs)
Processes: msiexec.exe
  description                   ioc                                                                   process
  File created                  C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID254.tmp                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID293.tmp                                      msiexec.exe
  File created                  C:\Windows\Installer\e57d0cd.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\e57d0cd.msi                                      msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                 msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
MSID293.tmp, written here by msiexec.exe, is the executable later run as PID 3340 (see "Executes dropped EXE" and the process tree) and the 100KB file listed under Downloads (MD5 8c0ef68bfe8b4f2d72ca3599aedb6387).
Executes dropped EXE (1 IoC)
Processes: MSID293.tmp
  pid   process
  3340  MSID293.tmp
Loads dropped DLL (1 IoC)
Processes: MSID293.tmp
  pid   process
  3432  MSID293.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
All five keys sit under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
  Key opened        Device Parameters                                   vssvc.exe
  Key queried       Device Parameters                                   vssvc.exe
  Key created       Device Parameters\Partmgr                           vssvc.exe
  Set value (data)  Device Parameters\Partmgr\PartitionTableCache = [value omitted]   vssvc.exe
  Set value (data)  Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
Note that the process here is vssvc.exe (the Volume Shadow Copy service), not the sample: the Partmgr cache values are consistent with the snapshot taken for the restore point that srtasks.exe requests (ExecuteScopeRestorePoint, see the process tree), so this signature reflects installer activity rather than sandbox evasion by MSID293.tmp.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
  pid   process
  1396  msiexec.exe
  1396  msiexec.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: MSID293.tmp
  pid   process
  3340  MSID293.tmp
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Processes: msiexec.exe (2672), msiexec.exe (1396), vssvc.exe (232), srtasks.exe (1520)
  2672 msiexec.exe (31 tokens): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  1396 msiexec.exe (13 tokens): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x6), SeTakeOwnershipPrivilege (x5), the last two alternating
  232 vssvc.exe (3 tokens): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1520 srtasks.exe (8 tokens): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, repeated twice in that order
All four processes are Windows Installer or system components; the dropped MSID293.tmp does not appear under this signature.
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid   process
  2672  msiexec.exe
  2672  msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: MSID293.tmp
  pid   process
  3340  MSID293.tmp
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: msiexec.exe, MSID293.tmp
  PID 1396 (msiexec.exe) wrote to memory of 1520 (srtasks.exe)    x2
  PID 1396 (msiexec.exe) wrote to memory of 3340 (MSID293.tmp)    x3
  PID 3340 (MSID293.tmp) wrote to memory of 3432 (MSID293.tmp)    x4
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 2672)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5262da4295e8a62d58d17991b35bf860_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1396)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 1520, child of 1396)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Installer\MSID293.tmp (PID 3340, child of 1396)
    command line: "C:\Windows\Installer\MSID293.tmp"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Installer\MSID293.tmp (PID 3432, child of 3340)
      command line: "C:\Windows\Installer\MSID293.tmp"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Loads dropped DLL

C:\Windows\system32\vssvc.exe (PID 232)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
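The signatures above describe one chain rather than isolated events: MSID293.tmp (PID 3340) starts a second copy of itself (PID 3432), writes into it four times, sets a thread context in it, and both copies hide threads from debuggers and probe for the QEMU guest agent. The script below is an added example, not part of this report or of the sandbox that produced it: it correlates report-style event lines into that chain and only escalates a parent/child pair that shows both a memory write and SetThreadContext, which keeps msiexec.exe's own writes into the children it creates out of the verdict. The input lines are constructed from this report's rows; the `Signature: pid image` layout used for the per-process rows is an assumption of the example, not the report's own format.

```python
"""Correlate sandbox behaviour events into a process-injection verdict.

Added example; not the report's or the sandbox's own signature logic.
"""
import re
from collections import defaultdict

# Constructed sample input, one event per line, phrased like the report's
# WriteProcessMemory / SetThreadContext rows. The "<Signature>: <pid> <image>"
# form for per-process rows is an assumption of this example.
SAMPLE_EVENTS = """
PID 1396 wrote to memory of 1520 1396 msiexec.exe srtasks.exe
PID 1396 wrote to memory of 1520 1396 msiexec.exe srtasks.exe
PID 1396 wrote to memory of 3340 1396 msiexec.exe MSID293.tmp
PID 1396 wrote to memory of 3340 1396 msiexec.exe MSID293.tmp
PID 1396 wrote to memory of 3340 1396 msiexec.exe MSID293.tmp
PID 3340 wrote to memory of 3432 3340 MSID293.tmp MSID293.tmp
PID 3340 wrote to memory of 3432 3340 MSID293.tmp MSID293.tmp
PID 3340 wrote to memory of 3432 3340 MSID293.tmp MSID293.tmp
PID 3340 wrote to memory of 3432 3340 MSID293.tmp MSID293.tmp
PID 3340 set thread context of 3432 3340 MSID293.tmp MSID293.tmp
NtSetInformationThreadHideFromDebugger: 3340 MSID293.tmp
NtSetInformationThreadHideFromDebugger: 3432 MSID293.tmp
Checks QEMU agent file: 3340 MSID293.tmp
Checks QEMU agent file: 3432 MSID293.tmp
MapViewOfSection: 3340 MSID293.tmp
Executes dropped EXE: 3340 MSID293.tmp
Loads dropped DLL: 3432 MSID293.tmp
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
SIG_RE = re.compile(r"^([^:]+): (\d+) (\S+)$")

# Per-process signatures that indicate the sample is looking for analysis tooling.
ANTI_ANALYSIS = {"NtSetInformationThreadHideFromDebugger", "Checks QEMU agent file"}


def parse_events(text):
    """Turn report-style lines into tuples; lines that match nothing are skipped.

    ('write'|'ctx', src_pid, dst_pid, src_image, dst_image) for cross-process rows,
    ('sig', signature_name, pid, image) for per-process rows.
    """
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := WRITE_RE.match(line):
            events.append(("write", int(m[1]), int(m[2]), m[3], m[4]))
        elif m := CTX_RE.match(line):
            events.append(("ctx", int(m[1]), int(m[2]), m[3], m[4]))
        elif m := SIG_RE.match(line):
            events.append(("sig", m[1], int(m[2]), m[3]))
    return events


def correlate(events):
    """Group cross-process events by (source, target) and signatures by PID."""
    pairs = {}                 # (src, dst) -> {"writes": n, "set_thread_context": bool}
    sigs = defaultdict(set)    # pid -> set of signature names
    image = {}                 # pid -> image name
    for ev in events:
        if ev[0] == "sig":
            _, name, pid, img = ev
            image[pid] = img
            sigs[pid].add(name)
            continue
        kind, src, dst, src_img, dst_img = ev
        image[src], image[dst] = src_img, dst_img
        stats = pairs.setdefault((src, dst), {"writes": 0, "set_thread_context": False})
        if kind == "write":
            stats["writes"] += 1
        else:
            stats["set_thread_context"] = True
    return pairs, sigs, image


def classify(text):
    """Return the parent/child pairs worth escalating.

    Rule: a parent that both writes into a child and rewrites one of its thread
    contexts is reported as injection/hollowing. Writes alone are not enough;
    msiexec.exe writes into srtasks.exe and MSID293.tmp when it creates them,
    with no SetThreadContext, and must not trip the rule.
    """
    pairs, sigs, image = correlate(parse_events(text))
    findings = []
    for (src, dst), st in pairs.items():
        if st["writes"] and st["set_thread_context"]:
            findings.append({
                "parent": src,
                "child": dst,
                "image": image[dst],
                "self_injection": image[src] == image[dst],  # child is a copy of the parent
                "writes": st["writes"],
                "parent_flags": sorted(sigs[src] & ANTI_ANALYSIS),
                "child_flags": sorted(sigs[dst] & ANTI_ANALYSIS),
            })
    return {"hollowing": findings, "pairs": pairs}


if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS)["hollowing"]:
        print(finding)
```

Run as-is it reports the single 3340 to 3432 pair as a self-injection with both anti-analysis flags on parent and child. The (1396, 3340) pair stays in `pairs` with three writes and no SetThreadContext, which is what msiexec.exe launching an extracted binary looks like; a rule keyed on WriteProcessMemory alone would flag the installer itself.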
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Config.Msi\e57d0d0.rbs
  Filesize: 663B
  MD5: 9f4d60cac760c6f7e8e02c8f940c95f1
  SHA1: 2631a253ebdd1bf57eb3af4b8609b77707d46bcd
  SHA256: 825b4a4817c340481aeb5cb928291b0e3967d990949e57f402002d0853c724f3
  SHA512: e6d5afa08021d7246c17de1dd39472c4df0b20632add5aa489eec5cd69a05690d997a4bfe9e343ecaaca9b263bccc200f1f43e6e4e7bba4851d914ee89fa155c

C:\Windows\Installer\MSID293.tmp
  Filesize: 100KB
  MD5: 8c0ef68bfe8b4f2d72ca3599aedb6387
  SHA1: b6c02d95c26e2ec62ba27d0e4c3cd3b1e7f25261
  SHA256: 4b2a32c7afbfb44a85d88bfd4f0a79306278d880c64a28bf3242dc686665c8fe
  SHA512: 87bf4a30a191e4e7ccc4c17122868a7355d20d4666c954d0229c47bd253077565ee151b33d3a3fff439d56cf0e6360d923055ec7a4993f797a8446a86d29d733

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 2efbffa176f2dc20d4900c51fc4ba04e
  SHA1: 80853a6924e5235188ec2c80236a72831dba6693
  SHA256: a10e362d3e7e2a8c7334cee58d7db19b49801525660d226334ffe14bc8df3fe1
  SHA512: df593e3841d856f7b227fd43e2d3ba41548eff7be00098dc356a2a813cf2b3d2cb2a45061d92f847f39a26df00599669b5546cca51d7c0da0c12f6507ff08b3a

\??\Volume{64fb06ed-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{725f07c7-4752-4421-b3d3-a94da4bf49cf}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 3fbc3eb265ffa9237c8d5f35461e73da
  SHA1: cc323295e7e3ea223163099997f12e6e5d40d98a
  SHA256: 8b6590ceee4dabc32be54b486ed1f1b83e8a5d349870457eafcc69f789d64f09
  SHA512: 9c840335b2d13f695aafe54bd686ea6ce35d23c5c1040633ecbd21b82b9c2936f6e854cdad55c3456175eaeeebc2803737fd6420bae47829fc36f90bc47192a1

Memory dumps
  memory/3340-14-0x0000000002200000-0x0000000002211000-memory.dmp   Filesize: 68KB
  memory/3340-15-0x0000000077711000-0x0000000077831000-memory.dmp   Filesize: 1.1MB
  memory/3340-21-0x0000000002200000-0x0000000002211000-memory.dmp   Filesize: 68KB
  memory/3432-19-0x0000000000400000-0x000000000055D000-memory.dmp   Filesize: 1.4MB
  memory/3432-22-0x0000000000560000-0x0000000000660000-memory.dmp   Filesize: 1024KB
  memory/3432-39-0x0000000000400000-0x000000000055D000-memory.dmp   Filesize: 1.4MB
  memory/3432-40-0x0000000000560000-0x0000000000660000-memory.dmp   Filesize: 1024KB