cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e

General

Target

d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
Size

264KB
MD5

d392d9bfb7046189dc7bd9783a1602ae
SHA1

884ebbad69a4d9e3ce5973514c5c6d77f4d672a4
SHA256

cf3537f8d24f8b59848c996f0fb94fd8f81bebd4a9baa8e1922f635eadc2d33e
SHA512

fb3d8166ce2f4f0a54b4b87922a75c693694309062eb17eed2ed2d03e052e2517c77231f18199bfa5d3f1f5d36a4aedf2d0696c913bdf4b60256cf529237ee86
SSDEEP

3072:ymYbl8903DaYlAYwgz88ereWn/7w05g0ZMcB3RUN46ILJ9+ZB5yOantr:ymC3DaYlAJ8er1nzTkr2r

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

4 3776 MsiExec.exe

flow	pid	process
4	3776	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e5753ec.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5753ec.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI542B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55D2.tmp	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3776 MsiExec.exe
3776 MsiExec.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3776	MsiExec.exe
3776	MsiExec.exe

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2528	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeCreateTokenPrivilege	2528	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2528	msiexec.exe
Token: SeLockMemoryPrivilege	2528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2528	msiexec.exe
Token: SeMachineAccountPrivilege	2528	msiexec.exe
Token: SeTcbPrivilege	2528	msiexec.exe
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeTakeOwnershipPrivilege	2528	msiexec.exe
Token: SeLoadDriverPrivilege	2528	msiexec.exe
Token: SeSystemProfilePrivilege	2528	msiexec.exe
Token: SeSystemtimePrivilege	2528	msiexec.exe
Token: SeProfSingleProcessPrivilege	2528	msiexec.exe
Token: SeIncBasePriorityPrivilege	2528	msiexec.exe
Token: SeCreatePagefilePrivilege	2528	msiexec.exe
Token: SeCreatePermanentPrivilege	2528	msiexec.exe
Token: SeBackupPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	2528	msiexec.exe
Token: SeShutdownPrivilege	2528	msiexec.exe
Token: SeDebugPrivilege	2528	msiexec.exe
Token: SeAuditPrivilege	2528	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2528	msiexec.exe
Token: SeChangeNotifyPrivilege	2528	msiexec.exe
Token: SeRemoteShutdownPrivilege	2528	msiexec.exe
Token: SeUndockPrivilege	2528	msiexec.exe
Token: SeSyncAgentPrivilege	2528	msiexec.exe
Token: SeEnableDelegationPrivilege	2528	msiexec.exe
Token: SeManageVolumePrivilege	2528	msiexec.exe
Token: SeImpersonatePrivilege	2528	msiexec.exe
Token: SeCreateGlobalPrivilege	2528	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2528 msiexec.exe
2528 msiexec.exe

pid	process
2528	msiexec.exe
2528	msiexec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1696 wrote to memory of 3776	1696	msiexec.exe	MsiExec.exe
PID 1696 wrote to memory of 3776	1696	msiexec.exe	MsiExec.exe
PID 1696 wrote to memory of 3776	1696	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d392d9bfb7046189dc7bd9783a1602ae_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0009125D0DBCEDC5B041D8F42D8BF8A0
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI542B.tmp
Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads