Analysis
- max time kernel: 146s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14/05/2024, 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: 429458b7c5d2dee2eb6bd5025d843f4a_JaffaCakes118.msi
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 429458b7c5d2dee2eb6bd5025d843f4a_JaffaCakes118.msi
- Resource: win10v2004-20240426-en
General
- Target: 429458b7c5d2dee2eb6bd5025d843f4a_JaffaCakes118.msi
- Size: 544KB
- MD5: 429458b7c5d2dee2eb6bd5025d843f4a
- SHA1: 1baf8a0730cb170463898ac1b92728564a0e29a5
- SHA256: e94078928fb1d55b790647c581b0e7f44a10961f0a6f7c6d809cf1681cca9de3
- SHA512: 77799fa3ec73585b8afbf8a75d937be7de9e0f6719f66d81e1b4d42aff5f28b51a35a6c744d923e1e042be5f17c50f28e776a23076fe550fbcabca5c6f7bd6ae
- SSDEEP: 12288:qEgIou4TBViseZyEZhsepkrJL61lk1oarFHpZQfJYKZbF6wgs4:qEg7p/ise4epkt641oqDZQdZbrv
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 5 IoCs
resource | yara_rule
behavioral1/memory/2184-34-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2184-32-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2184-30-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2184-28-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
behavioral1/memory/2184-25-0x0000000000400000-0x000000000045A000-memory.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSI32C6.tmp
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSI32C6.tmp
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSI32C6.tmp
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | checkip.amazonaws.com
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1488 set thread context of 2184 | 1488 | MSI32C6.tmp | 37
-
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f7631ab.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI32C6.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f7631ae.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3295.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f7631ae.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7631ab.msi | msiexec.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1488 | MSI32C6.tmp
2184 | MSI32C6.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2912 | schtasks.exe
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2544 | msiexec.exe
2544 | msiexec.exe
1488 | MSI32C6.tmp
1488 | MSI32C6.tmp
2184 | MSI32C6.tmp
2184 | MSI32C6.tmp
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1924 | msiexec.exe
1924 | msiexec.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSI32C6.tmp
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSI32C6.tmp
Processes
- C:\Windows\system32\msiexec.exe (PID 1924)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\429458b7c5d2dee2eb6bd5025d843f4a_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2544)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Installer\MSI32C6.tmp (PID 1488)
    Command line: "C:\Windows\Installer\MSI32C6.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\schtasks.exe (PID 2912)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lxguKQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5D4.tmp"
      - Creates scheduled task(s)
    - Child: C:\Windows\Installer\MSI32C6.tmp (PID 2184)
      Command line: "C:\Windows\Installer\MSI32C6.tmp"
      - Accesses Microsoft Outlook profiles
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
- C:\Windows\system32\vssvc.exe (PID 2680)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2468)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000058C" "0000000000000574"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 663B
  MD5: 0448505657cacf31f423f98bda2e54c0
  SHA1: e4ca66ece8a0e08dac97dd05435658324c817c9c
  SHA256: 317723f7b85cb50b152ed5111d517f3cdfa58b8cbc9db215228741ec86831d8f
  SHA512: 42b08f728449a4b113f78e9159c4861dd1d4bd97b959f3a0253b2b019d57f7001b2aff8df66aec2164a81514f618f1c51fe63375808bb3d3b949728e253d2aa2
- Filesize: 1KB
  MD5: a08385a8d45598859d4caddf59803fa9
  SHA1: 26d1f4b42bcfbffc20690eddc3ad1a9208260a32
  SHA256: 2d6309f5339eb8e280c6cf11b25fb1921eca5e21de1c7be6ba4c5b878dae0194
  SHA512: 0db278320cf5c9ad1f9e21c36cfcac7d79351850cf86c25f950b6d9db9eef64ffa2e5abc44da84ea0bfca2285a27114ab87016f094c29a3ade6a36624d286d56
- Filesize: 519KB
  MD5: ce0052028c920e82135a65681564ab22
  SHA1: 217674745fa7ce6b70ed1f8f36d1b93b2c5f6a93
  SHA256: 5b5e16a1ab40d1ce8bf4d0c865df6594b1df6baaa9f8a6aa0dd3819c0855fb42
  SHA512: cbdd80e605d8728ae18199db614dc5801d380006526ec831d0038adcb39ab3a355f39e721bed8a5a7675619576037d2e0e7723e4d79ded5362ae98c316282c0d