Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 05/04/2024, 12:20
Behavioral task: behavioral1
Sample: d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
Resource: win10v2004-20231215-en
General
Target: d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
Size: 264KB
MD5: d392d9bfb7046189dc7bd9783a1602ae
SHA1: 884ebbad69a4d9e3ce5973514c5c6d77f4d672a4
SHA256: cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e
SHA512: fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86
SSDEEP: 3072:ymYbl8903DaYlAYwgz88ereWn/7w05g0ZMcB3RUN46ILJ9+ZB5yOantr:ymC3DaYlAJ8er1nzTkr2r
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
3     1440  MsiExec.exe
4     1440  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
Drops file in Windows directory (4 IoCs)
description                   ioc                                    Process
File opened for modification  C:\Windows\Installer\MSI1268.tmp       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1324.tmp       msiexec.exe
File created                  C:\Windows\Installer\f761249.msi       msiexec.exe
File opened for modification  C:\Windows\Installer\f761249.msi       msiexec.exe
Loads dropped DLL (2 IoCs)
pid   Process
1440  MsiExec.exe
1440  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
description                           pid   Process
Token: SeShutdownPrivilege            1512  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1512  msiexec.exe
Token: SeRestorePrivilege             1984  msiexec.exe
Token: SeTakeOwnershipPrivilege       1984  msiexec.exe
Token: SeSecurityPrivilege            1984  msiexec.exe
Token: SeCreateTokenPrivilege         1512  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1512  msiexec.exe
Token: SeLockMemoryPrivilege          1512  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1512  msiexec.exe
Token: SeMachineAccountPrivilege      1512  msiexec.exe
Token: SeTcbPrivilege                 1512  msiexec.exe
Token: SeSecurityPrivilege            1512  msiexec.exe
Token: SeTakeOwnershipPrivilege       1512  msiexec.exe
Token: SeLoadDriverPrivilege          1512  msiexec.exe
Token: SeSystemProfilePrivilege       1512  msiexec.exe
Token: SeSystemtimePrivilege          1512  msiexec.exe
Token: SeProfSingleProcessPrivilege   1512  msiexec.exe
Token: SeIncBasePriorityPrivilege     1512  msiexec.exe
Token: SeCreatePagefilePrivilege      1512  msiexec.exe
Token: SeCreatePermanentPrivilege     1512  msiexec.exe
Token: SeBackupPrivilege              1512  msiexec.exe
Token: SeRestorePrivilege             1512  msiexec.exe
Token: SeShutdownPrivilege            1512  msiexec.exe
Token: SeDebugPrivilege               1512  msiexec.exe
Token: SeAuditPrivilege               1512  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1512  msiexec.exe
Token: SeChangeNotifyPrivilege        1512  msiexec.exe
Token: SeRemoteShutdownPrivilege      1512  msiexec.exe
Token: SeUndockPrivilege              1512  msiexec.exe
Token: SeSyncAgentPrivilege           1512  msiexec.exe
Token: SeEnableDelegationPrivilege    1512  msiexec.exe
Token: SeManageVolumePrivilege        1512  msiexec.exe
Token: SeImpersonatePrivilege         1512  msiexec.exe
Token: SeCreateGlobalPrivilege        1512  msiexec.exe
Token: SeRestorePrivilege             1984  msiexec.exe
Token: SeTakeOwnershipPrivilege       1984  msiexec.exe
Token: SeRestorePrivilege             1984  msiexec.exe
Token: SeTakeOwnershipPrivilege       1984  msiexec.exe
Token: SeRestorePrivilege             1984  msiexec.exe
Token: SeTakeOwnershipPrivilege       1984  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1512  msiexec.exe
1512  msiexec.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                      pid   Process      procid_target
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
PID 1984 wrote to memory of 1440  1984  msiexec.exe  29
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1512

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1984

  C:\Windows\syswow64\MsiExec.exe (child of PID 1984)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E99FD715C15124CF8C299185E915D0F7
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 1440
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 91KB
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA1: b80294261c8a1635e16e14f55a3d76889ff2c857
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
SHA512: 8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b