Overview

overview

10

Static

static

10

6870f280f2...18.msi

windows7-x64

6870f280f2...18.msi

windows10-2004-x64

Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 20:01

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    6870f280f21b6e6cd6593f36df70d78d_JaffaCakes118.msi

  • Size

    2.4MB

  • MD5

    6870f280f21b6e6cd6593f36df70d78d

  • SHA1

    7d02872d246768ddcee494e96fd26056d6d6d8a7

  • SHA256

    bf921e0e08e9e0d4a12f4e71841706eca94a096e6e0e7864ba2ea508c6549824

  • SHA512

    2d0f39421a05221f48aacf333e963d16a0cc239fc86def555559ed14ce5762f74488c82b0256fc57a2d7a94b9385c0bac3c3d16548de65f014beb375df972605

  • SSDEEP

    49152:5SoYTQ3IgOfQAWMBYNRatUZyxA0oPEkfXMKw4morPJm0YV6UO5BpvxVKJk2Kn:vYkIiApBNC0oPuKRmQY0M6UO5BfVK62K

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6870f280f21b6e6cd6593f36df70d78d_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1436
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EBC81C615B6A25D5406368FD58020B55
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
          PID:1040
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
          3⤵
            PID:400
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
            3⤵
              PID:3880
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
              3⤵
                PID:624
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                3⤵
                  PID:1200
                • C:\Windows\SysWOW64\netsh.exe
                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  3⤵
                    PID:1332
                  • C:\Windows\SysWOW64\netsh.exe
                    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    3⤵
                      PID:2332
                    • C:\Windows\SysWOW64\netsh.exe
                      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                      3⤵
                        PID:3268
                      • C:\Windows\SysWOW64\netsh.exe
                        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
                        3⤵
                          PID:4508
                        • C:\Windows\SysWOW64\netsh.exe
                          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
                          3⤵
                            PID:2532
                          • C:\Windows\SysWOW64\netsh.exe
                            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
                            3⤵
                              PID:2428
                            • C:\Windows\SysWOW64\netsh.exe
                              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
                              3⤵
                                PID:3140
                              • C:\Windows\SysWOW64\netsh.exe
                                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
                                3⤵
                                  PID:2424
                                • C:\Windows\SysWOW64\netsh.exe
                                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
                                  3⤵
                                    PID:932
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
                                    3⤵
                                      PID:4044
                                    • C:\Windows\SysWOW64\netsh.exe
                                      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
                                      3⤵
                                        PID:4704
                                      • C:\Windows\SysWOW64\netsh.exe
                                        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
                                        3⤵
                                          PID:4592
                                        • C:\Windows\SysWOW64\netsh.exe
                                          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
                                          3⤵
                                            PID:1756
                                          • C:\Windows\SysWOW64\netsh.exe
                                            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
                                            3⤵
                                              PID:1728
                                            • C:\Windows\SysWOW64\netsh.exe
                                              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
                                              3⤵
                                                PID:1160
                                              • C:\Windows\SysWOW64\netsh.exe
                                                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
                                                3⤵
                                                  PID:3268
                                                • C:\Windows\SysWOW64\netsh.exe
                                                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
                                                  3⤵
                                                    PID:4508
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
                                                    3⤵
                                                      PID:1108
                                                • C:\Windows\system32\LogonUI.exe
                                                  "LogonUI.exe" /flags:0x4 /state0:0xa395c055 /state1:0x41c64e6d
                                                  1⤵
                                                  • Modifies data under HKEY_USERS
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:2420

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Config.Msi\e573c8f.rbs
                                                  Filesize

                                                  12KB

                                                  MD5

                                                  dee1dde05ad7d898e4f2cb327f2488cd

                                                  SHA1

                                                  258120e62ac664832896957ed2a1ec45e341111c

                                                  SHA256

                                                  d2d1014f87286698e25edaa0267216691d142c902819aedfa49c7c0a98ebd770

                                                  SHA512

                                                  023dbde2158b965753433092279482f78bafafb3e83668b40dc5530dfbd8352f2597dca9c63f980c1064f768afc425ddc89d74b4db8c097003071357371e488b

                                                  Download Submit

                                                • C:\Windows\Installer\MSI3CEA.tmp
                                                  Filesize

                                                  243KB

                                                  MD5

                                                  aaab8d3f7e9e8f143a17a0d15a1d1715

                                                  SHA1

                                                  8aca4e362e4cdc68c2f8f8f35f200126716f9c74

                                                  SHA256

                                                  fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

                                                  SHA512

                                                  1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

                                                  Download Submit

                                                • C:\Windows\Installer\MSI3DE7.tmp
                                                  Filesize

                                                  380KB

                                                  MD5

                                                  3eb31b9a689d506f3b1d3738d28ab640

                                                  SHA1

                                                  1681fe3bbdcbe617a034b092ea77249dd4c3e986

                                                  SHA256

                                                  3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

                                                  SHA512

                                                  2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

                                                  Download Submit