Analysis

Max time kernel: 134s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-05-2024 16:56
Static task: static1

Behavioral task: behavioral1
Sample: 188debc6e602735db40b63dc7842be48_JaffaCakes118.msi
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 188debc6e602735db40b63dc7842be48_JaffaCakes118.msi
Resource: win10v2004-20240419-en

The signatures, process tree and dropped files below are from behavioral2, the Windows 10 run (the YARA matches are all tagged behavioral2 and the platform above is windows10-2004_x64).
General

Target: 188debc6e602735db40b63dc7842be48_JaffaCakes118.msi
Size: 1.2MB
MD5: 188debc6e602735db40b63dc7842be48
SHA1: 41b2f74e2d4bda6378da829c8f486338d439c2ed
SHA256: 2619a7f6787412012ec4d3eb0bf909aa9b34d2c0a94d35af5a2b05baa21ea5ae
SHA512: 22625eef4d106b1dd3b1c2d45f072710fdf805c07cd122f222c5e9d10618df40a7324655620c676995629224158308895edb8699a06bad66a5c429cd6a10791f
SSDEEP: 12288:mEc4Zs866fwoPuMwBmfBPYqqHPWiLWOfVHtbIw6AOvTwuyH3kV3YzGJ:mEcy0sHWmpPQWiLWOX2TD3YzG
Malware Config
Signatures
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
Resource: behavioral2/memory/1796-23-0x0000000000400000-0x0000000000490000-memory.dmp
YARA rule: m00nd3v_logger

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients.
Resource: behavioral2/memory/1796-23-0x0000000000400000-0x0000000000490000-memory.dmp
YARA rule: MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers.
Resource: behavioral2/memory/1796-23-0x0000000000400000-0x0000000000490000-memory.dmp
YARA rule: WebBrowserPassView

Nirsoft (1 IoC)
Resource: behavioral2/memory/1796-23-0x0000000000400000-0x0000000000490000-memory.dmp
YARA rule: Nirsoft

All four rules match the same memory region (0x400000-0x490000) of PID 1796, the dropped svhost.exe, and no on-disk resource is listed as matching. The logger and the NirSoft recovery code it carries are therefore only visible once unpacked in that process; no separate NirSoft binaries are dropped. PID 1796 is also the process that MSI758F.tmp writes into eight times and whose thread context it resets (see the SetThreadContext and WriteProcessMemory signatures below), which is consistent with the matched region being the injected payload rather than the original svhost.exe image.
Drops desktop.ini file(s) (2 IoCs)
File opened for modification: C:\Windows\assembly\Desktop.ini (MSI758F.tmp)
File created: C:\Windows\assembly\Desktop.ini (MSI758F.tmp)
Note: C:\Windows\assembly is the .NET Global Assembly Cache directory. A .NET process running with administrative rights touching its Desktop.ini is a common side effect of the framework's shell integration and is not, on its own, a stealer indicator; it does confirm that MSI758F.tmp is managed code running elevated.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each of the 23 letters opened twice, 46 opens in total; both msiexec.exe instances, PIDs 4796 and 4660, carry this signature in the process tree).
Caveat: Windows Installer probes every volume while costing an installation, so this signature fires for benign MSI packages as well and is not evidence of the stealer by itself.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 35: bot.whatismyipaddress.com

Suspicious use of SetThreadContext (1 IoC)
PID 2036 (MSI758F.tmp) set thread context of PID 1796 (svhost.exe, procid_target 108).
Read together with the eight WriteProcessMemory calls from 2036 into 1796 listed below, this is the process-hollowing pattern: the parent creates the child, overwrites its image with its own payload, then points the child's main thread at the written code. The memory region that the M00nd3v and NirSoft YARA rules match is in that same process.

Drops file in Windows directory (11 IoCs)
File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSI758F.tmp (msiexec.exe)
File opened for modification: C:\Windows\assembly\Desktop.ini (MSI758F.tmp)
File opened for modification: C:\Windows\Installer\e577494.msi (msiexec.exe)
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
File created: C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSI753F.tmp (msiexec.exe)
File opened for modification: C:\Windows\assembly (MSI758F.tmp)
File created: C:\Windows\assembly\Desktop.ini (MSI758F.tmp)
File created: C:\Windows\Installer\e577494.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
Note: MSI753F.tmp and MSI758F.tmp are custom-action binaries that the Windows Installer service extracts from the package into C:\Windows\Installer before executing them; MSI758F.tmp is the one that goes on to drop and hollow svhost.exe. Windows Installer names the SourceHash file after the product code, so 29EF7317-DCA1-4159-97B2-C883AD400AC6 is a usable pivot for other builds of the same package. The write to ngen.log shows the package invoking the .NET native image generator, consistent with a .NET custom action.

Executes dropped EXE (2 IoCs)
PID 2036: MSI758F.tmp
PID 1796: svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value removed from this copy of the page] (vssvc.exe)
Caveat: every one of these accesses is by vssvc.exe, the Volume Shadow Copy service, and the values written are Partmgr's snapshot and partition-table caches, which is what VSS does when it takes a snapshot. The snapshot here is the system restore point that srtasks.exe ExecuteScopeRestorePoint requests on behalf of the Windows Installer service (see the process tree), so this signature reflects installer plumbing, not a sandbox check by the payload.
NTFS ADS (1 IoC)
File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier (cmd.exe)
Note: the Zone.Identifier stream is written by cmd.exe (PID 1288, the child of MSI758F.tmp) on a file named name.exe in a FolderN directory under the user's Temp. The persistence entry that reg.exe writes (see the process tree) points at name.exe.lnk in that same directory.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
PID 4660 msiexec.exe (2 entries), PID 2036 MSI758F.tmp (16 entries)

Suspicious use of AdjustPrivilegeToken (56 IoCs, grouped by process with repeats collapsed)
PID 4796 msiexec.exe (installer client): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 4660 msiexec.exe (installer service): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
PID 3248 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 3196 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
PID 2036 MSI758F.tmp: SeDebugPrivilege
Note: the msiexec, vssvc and srtasks entries are privileges those Windows components routinely enable for an install that takes a restore point. The entry that stands out is SeDebugPrivilege on MSI758F.tmp, the dropped custom action, which a legitimate installer action has no reason to enable and which is the same process that writes into and redirects svhost.exe.
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 4796 msiexec.exe (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
PID 4660 msiexec.exe wrote to memory of PID 3196 srtasks.exe (2 times, procid_target 102)
PID 4660 msiexec.exe wrote to memory of PID 2036 MSI758F.tmp (3 times, procid_target 104)
PID 2036 MSI758F.tmp wrote to memory of PID 1288 cmd.exe (3 times, procid_target 105)
PID 1288 cmd.exe wrote to memory of PID 2740 reg.exe (3 times, procid_target 107)
PID 2036 MSI758F.tmp wrote to memory of PID 1796 svhost.exe (8 times, procid_target 108)
Note: two or three writes from a parent into a child it has just created are the normal CreateProcess handoff and show up for every parent/child pair in the tree. The eight writes into svhost.exe, paired with the SetThreadContext call on that same process, are the outlier.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
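The SetThreadContext and WriteProcessMemory signatures above only become a hollowing finding once the two are correlated per parent/child pair. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's own IoC wording ("PID A wrote to memory of B A image target", "PID A set thread context of B A image target"), counts writes per pair, and flags pairs that also get a thread-context reset, using the "Executes dropped EXE" PIDs to label the child. The input lines are constructed from the report; the threshold of four writes is an assumption chosen to separate the ordinary two-to-three-write CreateProcess handoff from the eight writes seen here.

```python
import re
from collections import defaultdict

# Constructed input: the 19 WriteProcessMemory and the one SetThreadContext IoC
# lines from the report above, in the sandbox's own wording. A real run would
# read them from the report JSON or from Sysmon-style events instead.
REPORT_LINES = "\n".join(
    ["PID 4660 wrote to memory of 3196 4660 msiexec.exe 102"] * 2
    + ["PID 4660 wrote to memory of 2036 4660 msiexec.exe 104"] * 3
    + ["PID 2036 wrote to memory of 1288 2036 MSI758F.tmp 105"] * 3
    + ["PID 1288 wrote to memory of 2740 1288 cmd.exe 107"] * 3
    + ["PID 2036 wrote to memory of 1796 2036 MSI758F.tmp 108"] * 8
    + ["PID 2036 set thread context of 1796 2036 MSI758F.tmp 108"]
)

# From the "Executes dropped EXE" signature: PID -> image name.
DROPPED_EXES = {2036: "MSI758F.tmp", 1796: "svhost.exe"}

# Field order in the report lines: source PID, target PID, source PID again,
# source image, sandbox-internal target index.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) \d+$")


def parse_events(text):
    """Return ({(src_pid, dst_pid, src_image): write_count}, {(src, dst, image)})."""
    writes = defaultdict(int)
    ctx_resets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]), m[3])] += 1
        elif m := CTX_RE.match(line):
            ctx_resets.add((int(m[1]), int(m[2]), m[3]))
    return dict(writes), ctx_resets


def hollowing_candidates(writes, ctx_resets, dropped, min_writes=4):
    """Pair each SetThreadContext with the writes the same parent made into the
    same child. A few writes into a new child are the normal CreateProcess
    handoff; many writes followed by a thread-context reset is hollowing.
    min_writes=4 is an assumed threshold, not a sandbox setting."""
    found = []
    for src, dst, image in sorted(ctx_resets):
        n = writes.get((src, dst, image), 0)
        if n >= min_writes:
            found.append({
                "parent_pid": src, "parent": image,
                "child_pid": dst, "child": dropped.get(dst, "unknown"),
                "writes": n, "child_is_dropped": dst in dropped,
            })
    return found


def benign_handoffs(writes, ctx_resets):
    """Parent/child write pairs with no SetThreadContext: ordinary process creation."""
    return sorted(k for k in writes if k not in ctx_resets)


if __name__ == "__main__":
    w, c = parse_events(REPORT_LINES)
    for hit in hollowing_candidates(w, c, DROPPED_EXES):
        print("hollowing:", hit)
    for src, dst, image in benign_handoffs(w, c):
        print(f"handoff: {image}({src}) -> {dst}, {w[(src, dst, image)]} writes")
```

On this report the only candidate is MSI758F.tmp (2036) into svhost.exe (1796) with eight writes; the four other pairs (msiexec into srtasks and MSI758F.tmp, MSI758F.tmp into cmd.exe, cmd.exe into reg.exe) are plain handoffs. The same correlation works on Sysmon data if you key on ProcessAccess events with write and set-context access masks instead of the report strings.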
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\188debc6e602735db40b63dc7842be48_JaffaCakes118.msi
  PID: 4796
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4660
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3196
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Installer\MSI758F.tmp
    Command line: "C:\Windows\Installer\MSI758F.tmp"
    PID: 2036
    - Drops desktop.ini file(s)
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      PID: 1288
      - NTFS ADS
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        PID: 2740

    C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      PID: 1796
      - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3248
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the msiexec.exe client (4796) hands the package to the Windows Installer service (4660), which takes a restore point through srtasks.exe and vssvc.exe, extracts the custom action MSI758F.tmp into C:\Windows\Installer and runs it. MSI758F.tmp is a 32-bit binary (its children are the SysWOW64 cmd.exe and reg.exe, and the resource tags include arch:x86) and does two things that the installer plumbing does not. First, through cmd.exe it runs reg add against the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy autorun location processed at each logon of that user; the target is a shortcut, name.exe.lnk, in the same FolderN directory where cmd.exe wrote the Zone.Identifier stream on name.exe. Second, it starts svhost.exe from the user's Temp directory and hollows it with the M00nd3v Logger payload (the WriteProcessMemory and SetThreadContext signatures, and the YARA matches on that process's memory). The signature list carries no persistence entry for the reg add, so the Load value has to be read out of the command line; note also that the page shows neither name.exe.lnk nor name.exe itself being written, only the Zone.Identifier stream.
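Because the sandbox raised no persistence signature for the reg add above, a triage pipeline has to recognise the Load value from the command line itself. The script below is an added example, not part of the sandbox report: it tokenises a `reg add` command line the way cmd.exe would (quotes kept, backslashes literal), normalises the hive, and matches the key and value name against a short table of autorun locations. The table, the T1547.001 mapping and the user-writable path markers are the editor's assumptions; the sample command line is the one from the process tree.

```python
import shlex

# Autorun registry locations as (key suffix, value names), upper-cased. None means
# any value under that key runs something at logon. The ATT&CK mapping (T1547.001,
# Registry Run Keys) and this table are the editor's, not the sandbox's.
AUTORUN_LOCATIONS = {
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": None,
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE": None,
    r"\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS": {"LOAD", "RUN"},
    r"\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON": {"SHELL", "USERINIT"},
}
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
# Path fragments meaning the autorun target lives where an unprivileged user can write.
USER_WRITABLE_MARKERS = ("\\APPDATA\\", "%APPDATA%", "%TEMP%", "%TMP%",
                         "\\PROGRAMDATA\\", "\\USERS\\PUBLIC\\")

# Constructed sample: the reg.exe command line from the process tree above.
SAMPLE_CMDLINE = (
    'reg add "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" '
    '/v Load /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderN\\name.exe.lnk" /f'
)


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None.
    posix=False keeps Windows paths intact (no backslash escapes) and leaves the
    quotes on quoted tokens, which are stripped afterwards."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if (len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe")
            or tokens[1].lower() != "add"):
        return None
    key, value_name, data = tokens[2].rstrip("\\"), "(Default)", None
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/v" and i + 1 < len(tokens):
            value_name, i = tokens[i + 1], i + 2
        elif flag == "/d" and i + 1 < len(tokens):
            data, i = tokens[i + 1], i + 2
        else:
            i += 1  # /t, /f, /ve and anything else
    return key, value_name, data


def normalize_key(key):
    """Expand hive abbreviations and upper-case the path for suffix matching."""
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest.upper()


def classify_autorun(cmdline):
    """Return a finding dict if the command writes a known autorun location, else None."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, value_name, data = parsed
    nkey = normalize_key(key)
    for suffix, names in AUTORUN_LOCATIONS.items():
        if nkey.endswith(suffix) and (names is None or value_name.upper() in names):
            udata = (data or "").upper()
            return {
                "key": nkey, "value": value_name, "data": data,
                "technique": "T1547.001",
                "user_writable_target": any(m in udata for m in USER_WRITABLE_MARKERS),
                "target_is_shortcut": udata.endswith(".LNK"),
            }
    return None


if __name__ == "__main__":
    print(classify_autorun(SAMPLE_CMDLINE))
```

For the page's command line this yields the Load value under HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS with a user-writable, shortcut-based target, which is the combination worth alerting on; a Run value pointing at a Program Files path matches the table too but without the user-writable flag.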
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (path not listed on this page)
Filesize: 663B
MD5: da2eed6f039b6bff36a5a819e5a0b404
SHA1: b074a3d25b7eff18a63bc2cddc6d61a5ba4e99b3
SHA256: 3065db72592c2f7deb04b2a69e34ba72bc97d061618908e115b126197c39b44d
SHA512: 659edf02f311c611e36934dc16e24437921fd85afa25d83755527613c42cf29da32da1e028326347ef29cdd332dd5332e76d5b312dc929d19080e8f327ab31af

Dropped file (path not listed on this page)
Filesize: 89KB
MD5: 84c42d0f2c1ae761bef884638bc1eacd
SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Dropped file (path not listed on this page)
Filesize: 1.2MB
MD5: 6e12fc33856e334c82dd65c6e1188732
SHA1: e1b00cc9343b2970c6521c708c7cbdfddd6d2a10
SHA256: 16fae5775fcaafa5a98eb3bfacd7e8e90709a07f0c77fed992ec3937f4ecc3fb
SHA512: 99219b8c3cd730c90b56d3272400edc656d2f1ea7d46fabc4b37906e722c63feda3aa75e19b09432b68c49fb179200a537651dae552e63d55b407ea5718222e7

Dropped file (path not listed on this page)
Filesize: 24.1MB
MD5: 717e4169fb916c565f8717460558ab89
SHA1: b50a03c608c3302560798f629e8e7ab3c2f76b47
SHA256: 0a193554f64d53fa0f4a1b64b821db8ede9365f0d904d662e0162f445f390366
SHA512: 7377f7111c86a3cbaaa65606165ecd12e73b06a903e8afbb0149191004c2322e20c50dbe57e33359288e2a62d95bb7d0c1264fac0c047cf2cfd7361a83ba644d

\??\Volume{a8f5de66-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6a7aa5d6-bad3-4986-8930-2e883009a053}_OnDiskSnapshotProp
Filesize: 6KB
MD5: b755bcda0b742a853a9d2f8fe745078f
SHA1: 0142c7f8e610d1c252f8d49d433fa879e738ff9f
SHA256: 654c181da59a3d8e4ac2dc93109b5e08a5608e288f9a91303263d0ccd8833010
SHA512: 88f0643fdfa03e3d6cdbcee54d8cb162de95709978752e5a531e99a1beee3238e30125cd39636e0528b7d33b4af17ab3999b473a2de057a307d74b8012671963
Note: this last entry is System Protection snapshot metadata written when the restore point was taken, not content dropped by the payload. The four unnamed entries cannot be tied to specific paths from what this page shows; the 1.2MB entry has a different hash from the submitted package, so it is not simply a copy of the sample.