6655a03a944c8f55d9fdcc541d304f87f39cd897e97c8a9390576255fadd8197

General

Target

0d966df3068e9e01c58d8d7b9402f463_JaffaCakes118.msi
Size

967KB
MD5

0d966df3068e9e01c58d8d7b9402f463
SHA1

97c77d57a03a0e3f4b7dcc6b007b81d15b18bae6
SHA256

6655a03a944c8f55d9fdcc541d304f87f39cd897e97c8a9390576255fadd8197
SHA512

45ebeb877bc4351ad7a47e30cd0c0e568f8dc6d95e7addb07557e7992d089e161aac641f0711ac062a9ed9ce91cbc08fea26c8f7d727d109d74b20c6b6325b0c
SSDEEP

24576:GGOw7MAFZjiaZBuc2g4jocf6p2XHXNNpbCClCtRGLovJ+:QwHnjis3M6p2X/pbC7ALn

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 5 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e576c18.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D90.tmp	msiexec.exe
File created	C:\Windows\Installer\e576c18.msi	msiexec.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

2820 MsiExec.exe
2820 MsiExec.exe

pid	process
2820	MsiExec.exe
2820	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000324c0cbb4829e1b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000324c0cbb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900324c0cbb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d324c0cbb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000324c0cbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	808	msiexec.exe
Token: SeSecurityPrivilege	4772	msiexec.exe
Token: SeCreateTokenPrivilege	808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	808	msiexec.exe
Token: SeLockMemoryPrivilege	808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	808	msiexec.exe
Token: SeMachineAccountPrivilege	808	msiexec.exe
Token: SeTcbPrivilege	808	msiexec.exe
Token: SeSecurityPrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeLoadDriverPrivilege	808	msiexec.exe
Token: SeSystemProfilePrivilege	808	msiexec.exe
Token: SeSystemtimePrivilege	808	msiexec.exe
Token: SeProfSingleProcessPrivilege	808	msiexec.exe
Token: SeIncBasePriorityPrivilege	808	msiexec.exe
Token: SeCreatePagefilePrivilege	808	msiexec.exe
Token: SeCreatePermanentPrivilege	808	msiexec.exe
Token: SeBackupPrivilege	808	msiexec.exe
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeShutdownPrivilege	808	msiexec.exe
Token: SeDebugPrivilege	808	msiexec.exe
Token: SeAuditPrivilege	808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	808	msiexec.exe
Token: SeChangeNotifyPrivilege	808	msiexec.exe
Token: SeRemoteShutdownPrivilege	808	msiexec.exe
Token: SeUndockPrivilege	808	msiexec.exe
Token: SeSyncAgentPrivilege	808	msiexec.exe
Token: SeEnableDelegationPrivilege	808	msiexec.exe
Token: SeManageVolumePrivilege	808	msiexec.exe
Token: SeImpersonatePrivilege	808	msiexec.exe
Token: SeCreateGlobalPrivilege	808	msiexec.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe
Token: SeBackupPrivilege	4772	msiexec.exe
Token: SeRestorePrivilege	4772	msiexec.exe
Token: SeRestorePrivilege	4772	msiexec.exe
Token: SeTakeOwnershipPrivilege	4772	msiexec.exe
Token: SeRestorePrivilege	4772	msiexec.exe
Token: SeTakeOwnershipPrivilege	4772	msiexec.exe
Token: SeRestorePrivilege	4772	msiexec.exe
Token: SeTakeOwnershipPrivilege	4772	msiexec.exe
Token: SeBackupPrivilege	4896	srtasks.exe
Token: SeRestorePrivilege	4896	srtasks.exe
Token: SeSecurityPrivilege	4896	srtasks.exe
Token: SeTakeOwnershipPrivilege	4896	srtasks.exe
Token: SeBackupPrivilege	4896	srtasks.exe
Token: SeRestorePrivilege	4896	srtasks.exe
Token: SeSecurityPrivilege	4896	srtasks.exe
Token: SeTakeOwnershipPrivilege	4896	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

808 msiexec.exe
808 msiexec.exe

pid	process
808	msiexec.exe
808	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4772 wrote to memory of 4896	4772	msiexec.exe	srtasks.exe
PID 4772 wrote to memory of 4896	4772	msiexec.exe	srtasks.exe
PID 4772 wrote to memory of 2820	4772	msiexec.exe	MsiExec.exe
PID 4772 wrote to memory of 2820	4772	msiexec.exe	MsiExec.exe
PID 4772 wrote to memory of 2820	4772	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0d966df3068e9e01c58d8d7b9402f463_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C597B5FD3DD939A7E21461B7460DBED1
2⤵
- Loads dropped DLL
PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI6CC4.tmp
Filesize
56KB

MD5
38a4250c5e678728a0cdf126f1cdd937

SHA1
d55553ab896f085fd5cd191022c64442c99f48a4

SHA256
63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08

SHA512
cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
24.1MB

MD5
c40fa162fdc392f37c978213401d87a1

SHA1
3e3c413b4ebf064b89a9d214274b4361c3342c48

SHA256
19e4e01dbc5f6ee842c0ba36c3350e67c23951d154d93e4f2cc966614415e985

SHA512
2345649d375376e0931d4473769d39e3d0b7fa681b4a3be58c29ca591b51b65c5da1c775595fa335235baf8e2b2cd95a0909620a92de31acf0c1c06a32c0471c

Download Submit
\??\Volume{bb0c4c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af21a14c-3648-4e1a-9e8f-4d29484c8850}_OnDiskSnapshotProp
Filesize
6KB

MD5
22ddd59b848e082b27f39b75493f4e55

SHA1
dac11e109b1d5bd1e7320c2d32125d8d08026911

SHA256
ebcd86dd3b1e334305d77c5364ba47a5d09b9226d3ebe4acba2e157558e03e69

SHA512
ab809e2ae9e5818efb3d6b58854b42d654bc49b9ada43e4135d9e06c774a82079afaa35911bed10ef3102e2a99b9ff67bd2bfe137c2ae54b260ee35db2f58517

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads