Analysis
max time kernel: 16s
max time network: 18s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 04:49
Behavioral task: behavioral1
Sample: 2d6eb77ea440c458d4eed7c1c8b00610_JaffaCakes118.msi
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 2d6eb77ea440c458d4eed7c1c8b00610_JaffaCakes118.msi
Resource: win10v2004-20240426-en
Errors
General
Target: 2d6eb77ea440c458d4eed7c1c8b00610_JaffaCakes118.msi
Size: 2.0MB
MD5: 2d6eb77ea440c458d4eed7c1c8b00610
SHA1: e4c8d9c3f8cab9030c24e37e75198f88be214ecf
SHA256: 58b55f4d584c13f3daad09e7c63cdd515483d9ef299da6553529c699453bd2e5
SHA512: a468c243a7f5af55a0218e317990f0952cf50c5831c1dd5a8ef46d2a1cd4ac1780af078652d4c7431679c89a3da139df646131ac6673bd01ed0fd38a0b5f81ba
SSDEEP: 49152:jYoYTQ3IgOfQAWMBYNRatUnyxA0oPEkfXV3hZ2lEvS0:rYkIiApBLC0oPn3hv60
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI3B46.tmp | msiexec.exe
File created | C:\Windows\sysupdate.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3BA5.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{17AB1BF2-25B3-473C-8C91-9FC8D6BDB3D0} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3A88.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B85.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e573a3a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e573a3a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3C23.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B25.tmp | msiexec.exe
Loads dropped DLL (5 IoCs)
pid | Process
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
4936 | MsiExec.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2700 | msiexec.exe
2700 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (51 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2568 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2568 | msiexec.exe
Token: SeSecurityPrivilege | 2700 | msiexec.exe
Token: SeCreateTokenPrivilege | 2568 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2568 | msiexec.exe
Token: SeLockMemoryPrivilege | 2568 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2568 | msiexec.exe
Token: SeMachineAccountPrivilege | 2568 | msiexec.exe
Token: SeTcbPrivilege | 2568 | msiexec.exe
Token: SeSecurityPrivilege | 2568 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2568 | msiexec.exe
Token: SeLoadDriverPrivilege | 2568 | msiexec.exe
Token: SeSystemProfilePrivilege | 2568 | msiexec.exe
Token: SeSystemtimePrivilege | 2568 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2568 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2568 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2568 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2568 | msiexec.exe
Token: SeBackupPrivilege | 2568 | msiexec.exe
Token: SeRestorePrivilege | 2568 | msiexec.exe
Token: SeShutdownPrivilege | 2568 | msiexec.exe
Token: SeDebugPrivilege | 2568 | msiexec.exe
Token: SeAuditPrivilege | 2568 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2568 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2568 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2568 | msiexec.exe
Token: SeUndockPrivilege | 2568 | msiexec.exe
Token: SeSyncAgentPrivilege | 2568 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2568 | msiexec.exe
Token: SeManageVolumePrivilege | 2568 | msiexec.exe
Token: SeImpersonatePrivilege | 2568 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2568 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeRestorePrivilege | 2700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2700 | msiexec.exe
Token: SeShutdownPrivilege | 2700 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2568 | msiexec.exe
2568 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3144 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2700 wrote to memory of 4936 | 2700 | msiexec.exe | 85
PID 2700 wrote to memory of 4936 | 2700 | msiexec.exe | 85
PID 2700 wrote to memory of 4936 | 2700 | msiexec.exe | 85
PID 4936 wrote to memory of 3156 | 4936 | MsiExec.exe | 88
PID 4936 wrote to memory of 3156 | 4936 | MsiExec.exe | 88
PID 4936 wrote to memory of 3156 | 4936 | MsiExec.exe | 88
PID 4936 wrote to memory of 1488 | 4936 | MsiExec.exe | 91
PID 4936 wrote to memory of 1488 | 4936 | MsiExec.exe | 91
PID 4936 wrote to memory of 1488 | 4936 | MsiExec.exe | 91
PID 4936 wrote to memory of 4620 | 4936 | MsiExec.exe | 93
PID 4936 wrote to memory of 4620 | 4936 | MsiExec.exe | 93
PID 4936 wrote to memory of 4620 | 4936 | MsiExec.exe | 93
PID 4936 wrote to memory of 2756 | 4936 | MsiExec.exe | 96
PID 4936 wrote to memory of 2756 | 4936 | MsiExec.exe | 96
PID 4936 wrote to memory of 2756 | 4936 | MsiExec.exe | 96
PID 4936 wrote to memory of 4404 | 4936 | MsiExec.exe | 99
PID 4936 wrote to memory of 4404 | 4936 | MsiExec.exe | 99
PID 4936 wrote to memory of 4404 | 4936 | MsiExec.exe | 99
PID 4936 wrote to memory of 2424 | 4936 | MsiExec.exe | 101
PID 4936 wrote to memory of 2424 | 4936 | MsiExec.exe | 101
PID 4936 wrote to memory of 2424 | 4936 | MsiExec.exe | 101
PID 4936 wrote to memory of 4052 | 4936 | MsiExec.exe | 106
PID 4936 wrote to memory of 4052 | 4936 | MsiExec.exe | 106
PID 4936 wrote to memory of 4052 | 4936 | MsiExec.exe | 106
PID 4936 wrote to memory of 3356 | 4936 | MsiExec.exe | 108
PID 4936 wrote to memory of 3356 | 4936 | MsiExec.exe | 108
PID 4936 wrote to memory of 3356 | 4936 | MsiExec.exe | 108
PID 4936 wrote to memory of 2016 | 4936 | MsiExec.exe | 113
PID 4936 wrote to memory of 2016 | 4936 | MsiExec.exe | 113
PID 4936 wrote to memory of 2016 | 4936 | MsiExec.exe | 113
PID 4936 wrote to memory of 4080 | 4936 | MsiExec.exe | 115
PID 4936 wrote to memory of 4080 | 4936 | MsiExec.exe | 115
PID 4936 wrote to memory of 4080 | 4936 | MsiExec.exe | 115
PID 4936 wrote to memory of 3920 | 4936 | MsiExec.exe | 117
PID 4936 wrote to memory of 3920 | 4936 | MsiExec.exe | 117
PID 4936 wrote to memory of 3920 | 4936 | MsiExec.exe | 117
PID 4936 wrote to memory of 5048 | 4936 | MsiExec.exe | 119
PID 4936 wrote to memory of 5048 | 4936 | MsiExec.exe | 119
PID 4936 wrote to memory of 5048 | 4936 | MsiExec.exe | 119
PID 4936 wrote to memory of 4416 | 4936 | MsiExec.exe | 121
PID 4936 wrote to memory of 4416 | 4936 | MsiExec.exe | 121
PID 4936 wrote to memory of 4416 | 4936 | MsiExec.exe | 121
PID 4936 wrote to memory of 3280 | 4936 | MsiExec.exe | 123
PID 4936 wrote to memory of 3280 | 4936 | MsiExec.exe | 123
PID 4936 wrote to memory of 3280 | 4936 | MsiExec.exe | 123
PID 4936 wrote to memory of 2276 | 4936 | MsiExec.exe | 126
PID 4936 wrote to memory of 2276 | 4936 | MsiExec.exe | 126
PID 4936 wrote to memory of 2276 | 4936 | MsiExec.exe | 126
PID 4936 wrote to memory of 3496 | 4936 | MsiExec.exe | 128
PID 4936 wrote to memory of 3496 | 4936 | MsiExec.exe | 128
PID 4936 wrote to memory of 3496 | 4936 | MsiExec.exe | 128
PID 4936 wrote to memory of 4700 | 4936 | MsiExec.exe | 130
PID 4936 wrote to memory of 4700 | 4936 | MsiExec.exe | 130
PID 4936 wrote to memory of 4700 | 4936 | MsiExec.exe | 130
PID 4936 wrote to memory of 4632 | 4936 | MsiExec.exe | 132
PID 4936 wrote to memory of 4632 | 4936 | MsiExec.exe | 132
PID 4936 wrote to memory of 4632 | 4936 | MsiExec.exe | 132
PID 4936 wrote to memory of 1328 | 4936 | MsiExec.exe | 134
PID 4936 wrote to memory of 1328 | 4936 | MsiExec.exe | 134
PID 4936 wrote to memory of 1328 | 4936 | MsiExec.exe | 134
PID 4936 wrote to memory of 1080 | 4936 | MsiExec.exe | 136
PID 4936 wrote to memory of 1080 | 4936 | MsiExec.exe | 136
PID 4936 wrote to memory of 1080 | 4936 | MsiExec.exe | 136
PID 4936 wrote to memory of 3740 | 4936 | MsiExec.exe | 138
Processes (indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2d6eb77ea440c458d4eed7c1c8b00610_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2568

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BD37282E028A1648874D7B1938B8D8DF
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:4936

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
          PID:3156

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
          PID:1488

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
          PID:4620

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
          PID:2756

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
          PID:4404

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
          PID:2424

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
          PID:4052

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
          PID:3356

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
          PID:2016

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
          PID:4080

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
          PID:3920

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
          PID:5048

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
          PID:4416

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
          PID:3280

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
          PID:2276

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
          PID:3496

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
          PID:4700

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
          PID:4632

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
          PID:1328

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
          PID:1080

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
          PID:3740

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
          PID:2660

        C:\Windows\SysWOW64\netsh.exe
          Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
          PID:1600

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa396b055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:3144
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 12KB
MD5: 95f5844559927a1e5b8f19a50e275cbb
SHA1: 2b2cc1d93a9d53d17abaa7c0bcd37dfb13587f95
SHA256: 790f6497b4c0501742b6f432b11083530bb52fe0f1991182a20ae4d2adc0a0b2
SHA512: ed6d560ffdb3b864f600eb53af4185f2931c7d03161470cb5244316f56b4f393d7761d811c96a9e83960974470beb4782b0ccd702ae0f3226075486f13ceb87c

Filesize: 243KB
MD5: aaab8d3f7e9e8f143a17a0d15a1d1715
SHA1: 8aca4e362e4cdc68c2f8f8f35f200126716f9c74
SHA256: fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889
SHA512: 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Filesize: 380KB
MD5: 3eb31b9a689d506f3b1d3738d28ab640
SHA1: 1681fe3bbdcbe617a034b092ea77249dd4c3e986
SHA256: 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46
SHA512: 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09