Analysis

  • max time kernel
    16s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 18:40

Errors

Reason
Machine shutdown

General

  • Target

    87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi

  • Size

    7.2MB

  • MD5

    87f3c5cceabdfc71e56c3e6272374496

  • SHA1

    3fb860f1b631d9d4f443c66bfe62d9bf03eb1b43

  • SHA256

    e793b7faec4ada0bcf07c96dc80c209a069055658849c7c43554f39e6acbbeb3

  • SHA512

    fad3696d5031247d58941d639ddefa6344b735755fb30138484a5441ec515b22ce84b7af30644e8d5e09b4752c534e43b12f5a31f7efb6f431ee98482a680043

  • SSDEEP

    196608:oL8Ls8tOLoWa4dr5FI0J0wxpFzydiM8sGeLvqu5B:oQLtthV+1y0J00rwTRjdB

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\87f3c5cceabdfc71e56c3e6272374496_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2696
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C78EDCAD5105C09F8C2934271C277185
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
          PID:2812
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
          3⤵
            PID:592
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
            3⤵
              PID:2780
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
              3⤵
                PID:1068
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                3⤵
                  PID:1264
                • C:\Windows\SysWOW64\netsh.exe
                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                  3⤵
                    PID:1544
                  • C:\Windows\SysWOW64\netsh.exe
                    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    3⤵
                      PID:1560
                    • C:\Windows\SysWOW64\netsh.exe
                      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                      3⤵
                        PID:1952
                      • C:\Windows\SysWOW64\netsh.exe
                        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
                        3⤵
                          PID:2220
                        • C:\Windows\SysWOW64\netsh.exe
                          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
                          3⤵
                            PID:2100
                          • C:\Windows\SysWOW64\netsh.exe
                            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
                            3⤵
                              PID:1196
                            • C:\Windows\SysWOW64\netsh.exe
                              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
                              3⤵
                                PID:2884
                              • C:\Windows\SysWOW64\netsh.exe
                                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
                                3⤵
                                  PID:588
                                • C:\Windows\SysWOW64\netsh.exe
                                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
                                  3⤵
                                    PID:2620
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
                                    3⤵
                                      PID:2460
                                    • C:\Windows\SysWOW64\netsh.exe
                                      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
                                      3⤵
                                        PID:2380
                                      • C:\Windows\SysWOW64\netsh.exe
                                        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
                                        3⤵
                                          PID:2412
                                        • C:\Windows\SysWOW64\netsh.exe
                                          "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
                                          3⤵
                                            PID:2420
                                          • C:\Windows\SysWOW64\netsh.exe
                                            "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
                                            3⤵
                                              PID:2080
                                            • C:\Windows\SysWOW64\netsh.exe
                                              "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
                                              3⤵
                                                PID:1008
                                              • C:\Windows\SysWOW64\netsh.exe
                                                "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
                                                3⤵
                                                  PID:908
                                                • C:\Windows\SysWOW64\netsh.exe
                                                  "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
                                                  3⤵
                                                    PID:2752
                                                  • C:\Windows\SysWOW64\netsh.exe
                                                    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
                                                    3⤵
                                                      PID:1128
                                                  • C:\Windows\Installer\MSI9785.tmp
                                                    "C:\Windows\Installer\MSI9785.tmp" /HideWindow "C:\Msupdate\service.bat"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1216
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c ""C:\Msupdate\service.bat" "
                                                      3⤵
                                                      • Loads dropped DLL
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2340
                                                      • \??\c:\Msupdate\instsrv.exe
                                                        c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
                                                        4⤵
                                                        • Executes dropped EXE
                                                        PID:2576
                                                      • C:\Windows\SysWOW64\regedit.exe
                                                        regedit /s 1.reg
                                                        4⤵
                                                        • Runs .reg file with regedit
                                                        PID:1712
                                                      • C:\Msupdate\update.exe
                                                        update.exe /S
                                                        4⤵
                                                        • Drops file in Drivers directory
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:1668
                                                        • C:\Windows\SysWOW64\net.exe
                                                          net stop npf
                                                          5⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:1784
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 stop npf
                                                            6⤵
                                                              PID:1640
                                                          • C:\Windows\SysWOW64\net.exe
                                                            net start npf
                                                            5⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:1768
                                                            • C:\Windows\SysWOW64\net1.exe
                                                              C:\Windows\system32\net1 start npf
                                                              6⤵
                                                                PID:1696
                                                    • C:\Windows\system32\LogonUI.exe
                                                      "LogonUI.exe" /flags:0x0
                                                      1⤵
                                                        PID:2716
                                                      • C:\Windows\system32\LogonUI.exe
                                                        "LogonUI.exe" /flags:0x1
                                                        1⤵
                                                          PID:2400

                                                        Network

                                                        MITRE ATT&CK Matrix ATT&CK v13

                                                        Discovery

                                                        Query Registry

                                                        2
                                                        T1012

                                                        Peripheral Device Discovery

                                                        1
                                                        T1120

                                                        System Information Discovery

                                                        2
                                                        T1082

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Config.Msi\f768a0b.rbs
                                                          Filesize

                                                          14KB

                                                          MD5

                                                          6664542121fce007c105e1fd4a5f1b28

                                                          SHA1

                                                          fc42c128fc260612b0b38292b661f8149f21aee0

                                                          SHA256

                                                          859471d06868a6ea4452c91762d6fb08c53b47891d1f2249776516693da244b8

                                                          SHA512

                                                          682734d6d78ea5d51d1f76d526aa5abad492f7510e8bee446edbd5e5248edd1b597b2bb39619dacd63f4d8d237e943cf72c221c2bcce8fca367d38718df92d51

                                                        • C:\Msupdate\1.reg
                                                          Filesize

                                                          416B

                                                          MD5

                                                          8dacf3ded9159fb1f5b065215e1fd8aa

                                                          SHA1

                                                          0c43e91b996ca72b75a02de3f85a695ded7a4a5e

                                                          SHA256

                                                          1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5

                                                          SHA512

                                                          a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

                                                        • C:\Msupdate\service.bat
                                                          Filesize

                                                          88B

                                                          MD5

                                                          b10428f1774d2caa81092891a980f9e7

                                                          SHA1

                                                          6fb6df8cb4d293c0e0264c83d97f016fbb0da926

                                                          SHA256

                                                          884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c

                                                          SHA512

                                                          9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

                                                        • C:\Windows\Installer\MSI8AE1.tmp
                                                          Filesize

                                                          243KB

                                                          MD5

                                                          aaab8d3f7e9e8f143a17a0d15a1d1715

                                                          SHA1

                                                          8aca4e362e4cdc68c2f8f8f35f200126716f9c74

                                                          SHA256

                                                          fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

                                                          SHA512

                                                          1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

                                                        • C:\Windows\Installer\MSI8DC1.tmp
                                                          Filesize

                                                          380KB

                                                          MD5

                                                          3eb31b9a689d506f3b1d3738d28ab640

                                                          SHA1

                                                          1681fe3bbdcbe617a034b092ea77249dd4c3e986

                                                          SHA256

                                                          3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

                                                          SHA512

                                                          2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

                                                        • C:\Windows\Installer\MSI9785.tmp
                                                          Filesize

                                                          17KB

                                                          MD5

                                                          73c578ca2383a2e7f4687cdee410aefe

                                                          SHA1

                                                          431b7de3091245b3affbf1911da17a6964b813dc

                                                          SHA256

                                                          67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1

                                                          SHA512

                                                          915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

                                                        • \??\c:\Msupdate\srvany.exe
                                                          Filesize

                                                          8KB

                                                          MD5

                                                          4635935fc972c582632bf45c26bfcb0e

                                                          SHA1

                                                          7c5329229042535fe56e74f1f246c6da8cea3be8

                                                          SHA256

                                                          abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

                                                          SHA512

                                                          167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

                                                        • \Msupdate\instsrv.exe
                                                          Filesize

                                                          31KB

                                                          MD5

                                                          9f7acaad365af0d1a3cd9261e3208b9b

                                                          SHA1

                                                          b4c7049562e770093e707ac1329cb37ad6313a37

                                                          SHA256

                                                          f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

                                                          SHA512

                                                          6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

                                                        • \Msupdate\update.exe
                                                          Filesize

                                                          422KB

                                                          MD5

                                                          c6f1d4a6cccd04e4b15a96942372d5f7

                                                          SHA1

                                                          2f79839fe5cb740f21b29dae3181f43c1ae9de9c

                                                          SHA256

                                                          89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e

                                                          SHA512

                                                          1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

                                                        • \Users\Admin\AppData\Local\Temp\nst9CED.tmp\System.dll
                                                          Filesize

                                                          11KB

                                                          MD5

                                                          00a0194c20ee912257df53bfe258ee4a

                                                          SHA1

                                                          d7b4e319bc5119024690dc8230b9cc919b1b86b2

                                                          SHA256

                                                          dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

                                                          SHA512

                                                          3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

                                                        • \Users\Admin\AppData\Local\Temp\nst9CED.tmp\nsExec.dll
                                                          Filesize

                                                          6KB

                                                          MD5

                                                          e54eb27fb5048964e8d1ec7a1f72334b

                                                          SHA1

                                                          2b76d7aedafd724de96532b00fbc6c7c370e4609

                                                          SHA256

                                                          ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

                                                          SHA512

                                                          c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4