Analysis
max time kernel: 143s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 03-06-2024 03:40
Static task: static1
Behavioral task: behavioral1
  Sample: 906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
Size: 13.0MB
MD5: 906c4effd6a20be22ea026a43a3cb7b3
SHA1: 89df6ca0d893d9355741d8ca11cdebea1fbbb095
SHA256: 08e5e7e5f30801b363f08a6106425faa1c505bd048a18c846a5b3e5959a4998e
SHA512: fa866adaa965c98e809a3efc57550c5c9464668f619922e9b769550fc58623b3815cfbbf1473877e551a7f0d9a6634a7b02157eb2b8e1156ca2c892c32063c2e
SSDEEP: 393216:TjnUwmatWZ+mgSbBXxKqLupZr6KbkeJO2:TjnJmapSDsu7eN
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
  pid   Process
  2428  bcdedit.exe
Executes dropped EXE (11 IoCs)
  pid   Process
  2320  ISBEW64.exe
  404   ISBEW64.exe
  2720  ISBEW64.exe
  3396  ISBEW64.exe
  3624  ISBEW64.exe
  868   ISBEW64.exe
  4172  ISBEW64.exe
  1536  ISBEW64.exe
  5084  ISBEW64.exe
  5092  ISBEW64.exe
  3424  ISBEW64.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  2020  MsiExec.exe
  2020  MsiExec.exe
  2020  MsiExec.exe
  2020  MsiExec.exe
  2020  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            2012  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2012  msiexec.exe
  Token: SeSecurityPrivilege            4048  msiexec.exe
  Token: SeCreateTokenPrivilege         2012  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2012  msiexec.exe
  Token: SeLockMemoryPrivilege          2012  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2012  msiexec.exe
  Token: SeMachineAccountPrivilege      2012  msiexec.exe
  Token: SeTcbPrivilege                 2012  msiexec.exe
  Token: SeSecurityPrivilege            2012  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2012  msiexec.exe
  Token: SeLoadDriverPrivilege          2012  msiexec.exe
  Token: SeSystemProfilePrivilege       2012  msiexec.exe
  Token: SeSystemtimePrivilege          2012  msiexec.exe
  Token: SeProfSingleProcessPrivilege   2012  msiexec.exe
  Token: SeIncBasePriorityPrivilege     2012  msiexec.exe
  Token: SeCreatePagefilePrivilege      2012  msiexec.exe
  Token: SeCreatePermanentPrivilege     2012  msiexec.exe
  Token: SeBackupPrivilege              2012  msiexec.exe
  Token: SeRestorePrivilege             2012  msiexec.exe
  Token: SeShutdownPrivilege            2012  msiexec.exe
  Token: SeDebugPrivilege               2012  msiexec.exe
  Token: SeAuditPrivilege               2012  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   2012  msiexec.exe
  Token: SeChangeNotifyPrivilege        2012  msiexec.exe
  Token: SeRemoteShutdownPrivilege      2012  msiexec.exe
  Token: SeUndockPrivilege              2012  msiexec.exe
  Token: SeSyncAgentPrivilege           2012  msiexec.exe
  Token: SeEnableDelegationPrivilege    2012  msiexec.exe
  Token: SeManageVolumePrivilege        2012  msiexec.exe
  Token: SeImpersonatePrivilege         2012  msiexec.exe
  Token: SeCreateGlobalPrivilege        2012  msiexec.exe
  Token: SeCreateTokenPrivilege         2012  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2012  msiexec.exe
  Token: SeLockMemoryPrivilege          2012  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       2012  msiexec.exe
  Token: SeMachineAccountPrivilege      2012  msiexec.exe
  Token: SeTcbPrivilege                 2012  msiexec.exe
  Token: SeSecurityPrivilege            2012  msiexec.exe
  Token: SeTakeOwnershipPrivilege       2012  msiexec.exe
  Token: SeLoadDriverPrivilege          2012  msiexec.exe
  Token: SeSystemProfilePrivilege       2012  msiexec.exe
  Token: SeSystemtimePrivilege          2012  msiexec.exe
  Token: SeProfSingleProcessPrivilege   2012  msiexec.exe
  Token: SeIncBasePriorityPrivilege     2012  msiexec.exe
  Token: SeCreatePagefilePrivilege      2012  msiexec.exe
  Token: SeCreatePermanentPrivilege     2012  msiexec.exe
  Token: SeBackupPrivilege              2012  msiexec.exe
  Token: SeRestorePrivilege             2012  msiexec.exe
  Token: SeShutdownPrivilege            2012  msiexec.exe
  Token: SeDebugPrivilege               2012  msiexec.exe
  Token: SeAuditPrivilege               2012  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   2012  msiexec.exe
  Token: SeChangeNotifyPrivilege        2012  msiexec.exe
  Token: SeRemoteShutdownPrivilege      2012  msiexec.exe
  Token: SeUndockPrivilege              2012  msiexec.exe
  Token: SeSyncAgentPrivilege           2012  msiexec.exe
  Token: SeEnableDelegationPrivilege    2012  msiexec.exe
  Token: SeManageVolumePrivilege        2012  msiexec.exe
  Token: SeImpersonatePrivilege         2012  msiexec.exe
  Token: SeCreateGlobalPrivilege        2012  msiexec.exe
  Token: SeCreateTokenPrivilege         2012  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  2012  msiexec.exe
  Token: SeLockMemoryPrivilege          2012  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2012  msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (34 IoCs)
  description                        pid   Process                                              procid_target
  PID 3564 wrote to memory of 3596   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  83
  PID 3564 wrote to memory of 3596   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  83
  PID 3596 wrote to memory of 5056   3596  cmd.exe                                              85
  PID 3596 wrote to memory of 5056   3596  cmd.exe                                              85
  PID 3564 wrote to memory of 2428   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  86
  PID 3564 wrote to memory of 2428   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  86
  PID 3564 wrote to memory of 2012   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  89
  PID 3564 wrote to memory of 2012   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  89
  PID 3564 wrote to memory of 2012   3564  906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  89
  PID 4048 wrote to memory of 2020   4048  msiexec.exe                                          94
  PID 4048 wrote to memory of 2020   4048  msiexec.exe                                          94
  PID 4048 wrote to memory of 2020   4048  msiexec.exe                                          94
  PID 2020 wrote to memory of 2320   2020  MsiExec.exe                                          95
  PID 2020 wrote to memory of 2320   2020  MsiExec.exe                                          95
  PID 2020 wrote to memory of 404    2020  MsiExec.exe                                          96
  PID 2020 wrote to memory of 404    2020  MsiExec.exe                                          96
  PID 2020 wrote to memory of 2720   2020  MsiExec.exe                                          97
  PID 2020 wrote to memory of 2720   2020  MsiExec.exe                                          97
  PID 2020 wrote to memory of 3396   2020  MsiExec.exe                                          98
  PID 2020 wrote to memory of 3396   2020  MsiExec.exe                                          98
  PID 2020 wrote to memory of 3624   2020  MsiExec.exe                                          99
  PID 2020 wrote to memory of 3624   2020  MsiExec.exe                                          99
  PID 2020 wrote to memory of 868    2020  MsiExec.exe                                          100
  PID 2020 wrote to memory of 868    2020  MsiExec.exe                                          100
  PID 2020 wrote to memory of 4172   2020  MsiExec.exe                                          101
  PID 2020 wrote to memory of 4172   2020  MsiExec.exe                                          101
  PID 2020 wrote to memory of 1536   2020  MsiExec.exe                                          102
  PID 2020 wrote to memory of 1536   2020  MsiExec.exe                                          102
  PID 2020 wrote to memory of 5084   2020  MsiExec.exe                                          103
  PID 2020 wrote to memory of 5084   2020  MsiExec.exe                                          103
  PID 2020 wrote to memory of 5092   2020  MsiExec.exe                                          104
  PID 2020 wrote to memory of 5092   2020  MsiExec.exe                                          104
  PID 2020 wrote to memory of 3424   2020  MsiExec.exe                                          105
  PID 2020 wrote to memory of 3424   2020  MsiExec.exe                                          105
Processes
C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe  (PID 3564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe  (PID 3596)
      Command line: cmd.exe /c bcdedit.exe > "C:\Users\Admin\AppData\Local\Temp\usb701F.tmp"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\bcdedit.exe  (PID 5056)
          Command line: bcdedit.exe
    C:\Windows\SYSTEM32\bcdedit.exe  (PID 2428)
      Command line: bcdedit.exe /set testsigning on
      - Modifies boot configuration data using bcdedit
    C:\Windows\SysWOW64\msiexec.exe  (PID 2012)
      Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" REBOOTNEEDED=1
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe  (PID 4048)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe  (PID 2020)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 78428D6170137DDC6D9DEB76952F1A08 C
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 2320)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5E24028-63DD-4538-AC84-405A441BD2CF}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 404)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22B7427C-3724-4BE4-86D0-4629E6D608AD}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 2720)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8AB096F5-7B49-4A2B-9309-9F8010AD85E6}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 3396)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F30B0C79-7504-48E2-A24A-3CA7E6214F7F}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 3624)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{124B2B01-0167-4B24-8660-7D723B7F9F85}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 868)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7CD3E7D-7B34-4873-B857-A23956FD119A}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 4172)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07441B02-C815-498C-8450-0152E61B9EE5}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 1536)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63289CF8-3977-4955-A804-F7EC21A16E61}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 5084)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDD58BE7-39F1-42AA-B394-1E0950D20C92}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 5092)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAD35A6F-AC18-48C1-98DE-B12E44543347}
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe  (PID 3424)
          Command line: C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AFFED01-E21B-4DC3-AA33-4D5F437A5AED}
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 7a2798d06f6ff4bb08381e75e1202277
SHA1: 123875bd02231d8e06d234e400f64ebb6ce622f2
SHA256: c73541a041134a4e9d7e9e5f68aef83fa3f6caad9e9b44b7cba52cd5441a38de
SHA512: 16784c47c85b5c446422d6c17c933fbe1bd0b4f02bf43d487b404180c2b53567e587c527b5c4b23c4af96780499e01e5871fb67ccbf83d5ed90df433f15a120a

Filesize: 11.6MB
MD5: 2c35cb1d6bc7e9e2c1fd18e401de3a02
SHA1: cfba57b4d521dc1d9bd5f226ab954f7ec8da3108
SHA256: ec29ea59edf79119f5cb06fc7e742cd191652e2afebb223d94a98b38dc7c3c5b
SHA512: fe2ee417f6bd8687116297c4c09872aa8d5c9e1cb048fe792befc494dddc0f2a100f21680b210fcace2b0562055ce9443091e409e74e1136c8b2c9643c0ed2b5

Filesize: 1KB
MD5: 40323f90d4b6fadfa1652b951b17a43b
SHA1: 6f2a7849eddee6a26439efded23228ec9c557ebf
SHA256: 0b82c6f01bf8c62768d48e5c52adb69131df0225b12563e974854139472fd457
SHA512: c81044cda91d40a4f2d340902cf7e4bbb8eee943b92eed10e60a7b4aee3d3f2091ef8b48de5e2e80d9d5c2c914cf02a482d4885241ff000f27c4da2aee4bf8f8

Filesize: 146KB
MD5: c3b2acc07bb0610405fc786e3432bef9
SHA1: 333d5f2b55bd00ad4311ba104af7db984f953924
SHA256: 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894
SHA512: 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd

Filesize: 260KB
MD5: a93f625ef42b54c2b0f4d38201e67606
SHA1: cbfebc1f736ccfc65562ede79a5ae1a8afb116a1
SHA256: e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0
SHA512: 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198

Filesize: 540KB
MD5: d6bbf7ff6984213c7f1f0f8f07c51e6a
SHA1: cfe933fc3b634f7333adec7ec124c14e9d19ac21
SHA256: 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2
SHA512: a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d