Analysis
  max time kernel: 129s
  max time network: 123s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-05-2024 17:42

Static task: static1

Behavioral task: behavioral1
  Sample: 7dd1d4c55c7e8ee669f31b6467535058_JaffaCakes118.msi
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 7dd1d4c55c7e8ee669f31b6467535058_JaffaCakes118.msi
  Resource: win10v2004-20240508-en
General
  Target: 7dd1d4c55c7e8ee669f31b6467535058_JaffaCakes118.msi
  Size: 1.0MB
  MD5: 7dd1d4c55c7e8ee669f31b6467535058
  SHA1: 5e661cb0b167b870afbe5021ca360df648093505
  SHA256: 3a20068e0f3ab8b9735f12b0a5475b01e9f5635acd80961248535531ff523bd4
  SHA512: 524a499ac8138f1e79410abd8de58c3357aa22f5709ba4585d08959fb0f0aa0ce0d24c486c10c430f9965ab34eddf54811bf50d6db31d726be5b19ec9c553506
  SSDEEP: 24576:YEd/ZEfUXF3yHcKKI7McIFQY2+v0Xe89vtbC:YEd/Z7dpQu0Xe8W
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
Drops file in Windows directory (8 IoCs)

description | ioc | Process
File created | C:\Windows\Installer\e5779b4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5779b4.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7A60.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7ABF.tmp | msiexec.exe
Executes dropped EXE (1 IoC)

pid | Process
2164 | MSI7ABF.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not included in this report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
6088 | msiexec.exe
6088 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (55 IoCs)

description | pid | Process
Token: SeShutdownPrivilege | 5796 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5796 | msiexec.exe
Token: SeSecurityPrivilege | 6088 | msiexec.exe
Token: SeCreateTokenPrivilege | 5796 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5796 | msiexec.exe
Token: SeLockMemoryPrivilege | 5796 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5796 | msiexec.exe
Token: SeMachineAccountPrivilege | 5796 | msiexec.exe
Token: SeTcbPrivilege | 5796 | msiexec.exe
Token: SeSecurityPrivilege | 5796 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5796 | msiexec.exe
Token: SeLoadDriverPrivilege | 5796 | msiexec.exe
Token: SeSystemProfilePrivilege | 5796 | msiexec.exe
Token: SeSystemtimePrivilege | 5796 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5796 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5796 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5796 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5796 | msiexec.exe
Token: SeBackupPrivilege | 5796 | msiexec.exe
Token: SeRestorePrivilege | 5796 | msiexec.exe
Token: SeShutdownPrivilege | 5796 | msiexec.exe
Token: SeDebugPrivilege | 5796 | msiexec.exe
Token: SeAuditPrivilege | 5796 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5796 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5796 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5796 | msiexec.exe
Token: SeUndockPrivilege | 5796 | msiexec.exe
Token: SeSyncAgentPrivilege | 5796 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5796 | msiexec.exe
Token: SeManageVolumePrivilege | 5796 | msiexec.exe
Token: SeImpersonatePrivilege | 5796 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5796 | msiexec.exe
Token: SeBackupPrivilege | 4412 | vssvc.exe
Token: SeRestorePrivilege | 4412 | vssvc.exe
Token: SeAuditPrivilege | 4412 | vssvc.exe
Token: SeBackupPrivilege | 6088 | msiexec.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6088 | msiexec.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6088 | msiexec.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6088 | msiexec.exe
Token: SeBackupPrivilege | 2492 | srtasks.exe
Token: SeRestorePrivilege | 2492 | srtasks.exe
Token: SeSecurityPrivilege | 2492 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2492 | srtasks.exe
Token: SeBackupPrivilege | 2492 | srtasks.exe
Token: SeRestorePrivilege | 2492 | srtasks.exe
Token: SeSecurityPrivilege | 2492 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2492 | srtasks.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6088 | msiexec.exe
Token: SeRestorePrivilege | 6088 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6088 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)

pid | Process
5796 | msiexec.exe
5796 | msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 6088 wrote to memory of 2492 | 6088 | msiexec.exe | 105
PID 6088 wrote to memory of 2492 | 6088 | msiexec.exe | 105
PID 6088 wrote to memory of 2164 | 6088 | msiexec.exe | 107
PID 6088 wrote to memory of 2164 | 6088 | msiexec.exe | 107
PID 6088 wrote to memory of 2164 | 6088 | msiexec.exe | 107
PID 2164 wrote to memory of 2052 | 2164 | MSI7ABF.tmp | 113
PID 2164 wrote to memory of 2052 | 2164 | MSI7ABF.tmp | 113
PID 2164 wrote to memory of 2052 | 2164 | MSI7ABF.tmp | 113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (PID 5796)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7dd1d4c55c7e8ee669f31b6467535058_JaffaCakes118.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 6088)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 2492, child of 6088)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Installer\MSI7ABF.tmp (PID 2164, child of 6088)
    Command line: "C:\Windows\Installer\MSI7ABF.tmp"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 2052, child of 2164)
      Command line: "C:\Windows\SysWOW64\svchost.exe"

C:\Windows\system32\vssvc.exe (PID 4412)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 663B
  MD5: 2c819efc2cca49e1dbe9000f3d01c4c9
  SHA1: a6c333bf70455e10c68317a17d3ce49418138f80
  SHA256: d83b271dbca6018c88d5b67a98914ccbed8ccd3c00b5fc5f983ac734faebac5c
  SHA512: 602ef1aa5cf5a18eb07e81610e1b7322c648d41b17f9f611c2fc9a64ce8770c1b33287ee8c43182a15c9d4c130843930f235a4ce3d3ed6ede2e7b0a9dff878c0

  Filesize: 1.0MB
  MD5: fca0beea9d8bf5a98b581e775cf87de0
  SHA1: 0be8fd39929254c180b42bec110526ac18d867a3
  SHA256: 928b9521c1f993b3539d90884d1fefd0331e17b0e973f5bb1e533bc13a406b2c
  SHA512: 825b04b463472002206564fe9960ee179c967943546952892098d9011c1cb1a0719336fca7f8609f0101559fc8662a609642cec8997fd7926be44997dd19cebe

  Filesize: 23.7MB
  MD5: f1d41751a957c277ddd5d36e0c7c6b28
  SHA1: f7d23de0d05b5912e2e301b932e4863e8759d410
  SHA256: 920823ffe95fa0f7003676b5e444fc5a929915c4660e90d863e92c8f4524aa8f
  SHA512: b19c733243b19c6aa9523f59434810ab343fd0d34ff59c4adbd6a1801bdd15e915bcfae7dbbe66494d9912572bf83c79bbb0e4adc5b3a15ab89a578b802aa163

  Path: \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{00ef7afe-5a8d-461c-994d-313ca6b1261a}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: b2ffb13577965daff778604f3a74f93e
  SHA1: e7886013469a597328bb7cd017263642ed4638d3
  SHA256: a2ce4ef526e90f08ecfe74aa92e2b0e7d9d5a6f5b6316f95c7644316e5bcb763
  SHA512: 1955fbaa373212d9c32f2e1caba210a0f25fa03e0fb300aac61e8c03c17d960e306ba7ac19643b8452a13bbd242438257e18d8bee80531efbc79b1a451aff80e