Overview

overview

7

Static

static

1

9cfa6fe70f...18.exe

windows7-x64

7

9cfa6fe70f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cfa6fe70f0886ee46bb3b35f768cd0d_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    9cfa6fe70f0886ee46bb3b35f768cd0d

  • SHA1

    07309e7fc1356f6bf05f87d3d7397378f1a34e19

  • SHA256

    c51f11ae52aef78699233174c52ec1ac3a781f7496ddc7efe369cc140f05842f

  • SHA512

    55658d73b47dd391874250b2e1b5086b301ee4a677c0fc7ad703f31c878ced8ddb9c8d348e054cf077be7e6f4d89c646f1743a2c2f7b1b8cf4dd17dd440e8632

  • SSDEEP

    24576:HtbPrrbTPUy9A+hZ1HjqQSUHi2Ha50hUXJS5GcRbhgaCoszGmltuaebBIPKUy0jq:lrkydhZ1HjqiHs0CcG4gaCo/mltrenYq

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 30 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cfa6fe70f0886ee46bb3b35f768cd0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9cfa6fe70f0886ee46bb3b35f768cd0d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\msiexec.exe
      /i "C:\Users\Admin\AppData\Roaming\Microleaves\Online.io Application 1.15.0\install\9AEF407\Online Installer InstallCapital.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\9cfa6fe70f0886ee46bb3b35f768cd0d_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates "
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1320
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5C2563523E94FB774D91E67D0EAAB9E3
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:3408
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1C63858479C032016521AA30CB645D32 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:1740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e5779f6.rbs
    Filesize

    1011KB

    MD5

    6de2fdac7341daba20a3465177cb38c0

    SHA1

    25f8c85b7f920be33c52878c1abd1240ac12f1a3

    SHA256

    4a2146ac80006b2ab945ee3af5d1211e5b3020ede7c04e14b255763855c239e5

    SHA512

    44e83c4d102c31db9971482a01a91df5c3aa932b3bc96579f5e37a800be98a241dbef58d055e1062718e4767513b43247f44cfa933ed00885f2723af42f04aca

    Download Submit

  • C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.ini
    Filesize

    184B

    MD5

    32d5b009154b279a8d0ada51e860b8ce

    SHA1

    4d559587b9e4b80ff93b66ba03dabe36dd816126

    SHA256

    616e57a5ce331bfffa8288b582313693b4d75fac2826748435d8cc8465b6eee0

    SHA512

    8844addff4b06ee48aa4544a2671b71e17216adbb98f15c02d4b0bff9f2d63ced422f641db88225b723211cd2c759eb396020a1fb7aa792587a0771d226d20ad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_8F1CEC0D4A77E69A32FDA2ABCCCE69B6
    Filesize

    1KB

    MD5

    f41de38671b46a4a1c9034643ff5fb59

    SHA1

    8c1437fb77c3ad74dc6a19ff924071d9bb072fbe

    SHA256

    1f33c560078e632d23e676ac451da24f38f0fd30115ecd45f7491141412d5dbb

    SHA512

    5b623e6c34e11d587abe9ce7f8b69739098ffa945d843a4e96ad486e825b5dbdf6f8842593d34119aedfafbdfa4fb142c8a74e16dc7db91aa71bb9d19134b79f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
    Filesize

    5B

    MD5

    5bfa51f3a417b98e7443eca90fc94703

    SHA1

    8c015d80b8a23f780bdd215dc842b0f5551f63bd

    SHA256

    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

    SHA512

    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A
    Filesize

    834B

    MD5

    cbed24fd2b55aea95367efca5ee889de

    SHA1

    946f48b5c344fd57113845cd483fed5fb9fa3e54

    SHA256

    1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

    SHA512

    c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_8F1CEC0D4A77E69A32FDA2ABCCCE69B6
    Filesize

    394B

    MD5

    21a987336ff9861d9036b6ac63134eff

    SHA1

    b1759d708004e5bb2b1ee4db78d77a7372ef3985

    SHA256

    891b6d6dea2a32427212d0fcc66b16864df79915ef96b7d968fd6576c16d5f7c

    SHA512

    1fd6151d9ca5680a2f49af2de1b69ddbe175ce1767516fe971073be7af54e01a1a685295f2ab5d4ac6752e80b43170e08d7c00a36de79fb42dc3a53555f37fee

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
    Filesize

    392B

    MD5

    5d8c7f7c1473683dbdeeb60b08d687cf

    SHA1

    f746764310a330a79ef7b1d865d3354e08ab1250

    SHA256

    5ac10f63f61f0f35952d6ec8a8d6d3c4ccb715396efe603ba4d33d2653e3cd78

    SHA512

    d8fa2cc7b7e699656a485ddff84cf2817de4e7cec97e836a5e7ed5c5cabf8ff4920a50eebe70a2c473c69b833d27a9ba4eb4217b67643499ea0b1c05590ce7cf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A
    Filesize

    178B

    MD5

    284cff70241185955955af15c98d0407

    SHA1

    8ed038830277b58f92a7a5ed282d129b9e238c92

    SHA256

    4e63c5eb1285e37382277a55e8516b0155dff83ded6617051d87383d69f96f59

    SHA512

    56d2178633a160659b696127ac3352f8246bf5555ee2a30d6809f04e032ba5de630d67c391cbf3e123c5b7d55b91bc4568d4c218d522e75e1dbc3920817cd099

    Download Submit

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.15.0\tracking.ini
    Filesize

    84B

    MD5

    8ce95945d8e9f5d905eead722ee2d1dd

    SHA1

    4ba6e82bf2c6e437a4911951908fcbc89b3019b1

    SHA256

    73e062e0f783046e42d7293f1fbc3f44ab26d9e4e95013c59223abffcd4e76e1

    SHA512

    5b97cc1d47c130206eb1821181a641c17a484c02323949f0975e9eb318d4578f38e3b6c1d30dcb0d575031c0df575bbed5e028e2049dca3331c4650d78242a47

    Download Submit

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.15.0\tracking.ini
    Filesize

    84B

    MD5

    edc8cf3b0571911dbc6c305ff087143d

    SHA1

    f14fa8b322680012d4890c706b637c54d470007f

    SHA256

    3e34c03a3b783b8d02a44431701ad21333271f0e7b148891262053fe099489e2

    SHA512

    2d8d32195fa691a8ca28673e4f17d66ea49ff991c29f00c77b97ffb811205cf6edfbf6518c1282599dc9b630437287e5d41f9307d5fd8106e958cd83afd9e6e1

    Download Submit

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.15.0\{B7071B6C-384B-4B6F-BA84-89CF08007924}.session
    Filesize

    4KB

    MD5

    314d88ff665c9d52457a25ab4cc0056d

    SHA1

    49c612a3503b60ce23da1f744a5c07957f4b0023

    SHA256

    0c0ae1ea642b047418b2e11e9f32cc05fd5421f3c27e6e0c3a50d7a888b2d820

    SHA512

    9456a00c64040de8e940d43f7ab23137a6c8191c1437aa245837e5415b8f457bfae69777dffea2a7e82b2a34a140bf9d402e863c8a5ffed9e6ced3e54c805126

    Download Submit

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.15.0\{B7071B6C-384B-4B6F-BA84-89CF08007924}.session
    Filesize

    3KB

    MD5

    c20e500eaea9f6d1b85d21621b581c39

    SHA1

    9656c0023a5d17906ff810ff59add36bd2c70a25

    SHA256

    e9968faa4bc3fd96e12e0a0e97048615255f49c9e9378425c9e83dbdd3d81ab2

    SHA512

    d2c01b76099d8325c9341f2cef0558fea69e9446f2af4b1114e7725e0cebd166f31d97b1f19152e3b05c1f9c7b9a53cd3ce8da7a42c6794fecf8f412e8fa1926

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microleaves\Online.io Application 1.15.0\install\9AEF407\Online Application Updater.exe
    Filesize

    756KB

    MD5

    4c282cb7ba59c9b53878af31f9da78de

    SHA1

    517c7a52de8b4d39bc40640914dfcc18c01836d8

    SHA256

    27ab441e5586cbc080163e9320ef577057fcfe0a8d889c84b1e1028f875fd39d

    SHA512

    8a44fe8335cf24209efbf43c63b46184dbbd33a4bae62fbb3510f5f2d10631d49b8a334d53a92579e98343a9d105ffca4a2196202893d3f85f291dcf90d5a9e6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microleaves\Online.io Application 1.15.0\install\9AEF407\Online Installer InstallCapital.msi
    Filesize

    2.6MB

    MD5

    d8940849edbfa3941e00ec83c194dc0c

    SHA1

    8125fffa118bcff70b107d057d40bffd250dd224

    SHA256

    975f4e8240793c13094f8bb7f107443f4c8ffd38702ad07a150fbc25041cc167

    SHA512

    87ea0473a42499564724811fc6cac1de1bd83a38b46b0fad53266cd191999d732e007d007b05b9d106e237d854702f8443e3534438e49607d2480b8b9ebb4f5f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microleaves\Online.io Application 1.15.0\install\9AEF407\Online-Guardian.exe
    Filesize

    457KB

    MD5

    c9682df02e2db38faea7d270fd4aeb86

    SHA1

    b3d7364bbf4b5b8760c769c93a531bd57ca53e89

    SHA256

    c6f5e89541e8406d6c6de808b2a7ff5a28bc409601c8838c71c092b7a5c680a3

    SHA512

    950a9bcd37b1a37660535162b63120b69ec28ab56d2ff08ffefe9e8276efc0ea0efb5351bd72cf5ca97b283b37b1b0292d42a99a9be948cb9cc821616380168c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microleaves\Online.io Application 1.15.0\install\decoder.dll
    Filesize

    145KB

    MD5

    bf436648d11de396f4b4cf1faeb63366

    SHA1

    fa1e2751736e3a100a7daa6f53a5665afe931272

    SHA256

    abdee86230f7d790976ac031522788e0a23cc5657d19e95d97096a398140ea93

    SHA512

    d6ba2edb79fdac74fb81c1ca876bf90f1deb12a9b2736526405e48ecc7854a01164c86e343028ff88cfcde47b7414bf45aec3a7bacfe8b4e8c18052a97bf14de

    Download Submit

  • C:\Windows\Installer\MSI7A7F.tmp
    Filesize

    209KB

    MD5

    e0d0d82f22d7cc1a1cacd486799d5d96

    SHA1

    1e3d1b2a43356d8bde93fdd8362b6e9598da9124

    SHA256

    84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9

    SHA512

    1931d193e78b6fc8c29e45af19981911f3266a9385874ef2069870fff3b58f3c410e175a2d16f55bdd2d23782f0c3ba76e474d08ea7b0afa9a335d693ecad5a9

    Download Submit

  • C:\Windows\Installer\MSI7B1C.tmp
    Filesize

    478KB

    MD5

    e4317ef8e6fb9e87f5b219be1945c6a4

    SHA1

    30bfed3e2e845a5a14974ffcd6f7e9a3c232b72b

    SHA256

    2c057c89822094e8d1b6f6e1292003d7c1f2078ca2549740a5d6e9b09c1a63f0

    SHA512

    90cd353ef5aad6ce996eb319fe5d095924d27e73316aa2a231b0f2169551054aa840e465e2ccfc6238a594c46240a0300647ab6cb876d866e52f8eadb6198b92

    Download Submit

  • C:\Windows\Installer\MSI7B8E.tmp
    Filesize

    313KB

    MD5

    43fbce62ec3bf37b00dc6df53efc9f16

    SHA1

    21ed689be5933ea512c44e4ee23beb9c9f871d38

    SHA256

    94446f2ce07cf081c8b11aaca7c8bf50a5c0b142d86536d60c2f58784986c26e

    SHA512

    5c3f78d5548a150018a3dca0a2d5126b7c77d7fbb11b09e95c9105dc525455b9e35b28063b9d14fdfab505bacabf0a78e6fc6e678d1c92949f1a2916b6b64090

    Download Submit

  • C:\Windows\Installer\MSI8441.tmp
    Filesize

    123KB

    MD5

    ffedc035b78bc3983a1ee0f37b38d98c

    SHA1

    a5730757d7c4c819c7b53c0f099a271663087f31

    SHA256

    64ec3b793fa3d56651b6984629f25e2ed8c8aacd9a5ff4f990a069caf97c1e85

    SHA512

    127177fa8c71a36f05c73dc3464f7514ff9e52ace89febcc64e060075466a9075e02819994606f09e181f889f11a4bb09274e436a56ac86b36fda48cae20b7f3

    Download Submit

  • C:\Windows\Installer\MSI8480.tmp
    Filesize

    142KB

    MD5

    77c2b9771fecb6b78fc217a4292be3e0

    SHA1

    8aabd3d8b1ac6f7704df3e22e0bc89d5ef4553ba

    SHA256

    c2eaf25709084bb304b003b077a7fe7462353df10b4f24668916720e29bf1778

    SHA512

    76ecc2c89569df228c335d9f7567eda7079b0d72aaf73c0d4624e9426975780f06d9ff031f99a341080e07baee0e33f5e6b7fd1c63b25e5c152db2e2c6d0b112

    Download Submit

  • C:\Windows\Installer\MSI859A.tmp
    Filesize

    365KB

    MD5

    5671bcffa38c8bccc620a298ab0e6b58

    SHA1

    b44cb29020dea02b634632ba1adfb30ae4e12791

    SHA256

    d9b9319bb817e829dc2e29363bc9f90f811fc0e0e069458ff78f5afa69af59f5

    SHA512

    b820a3f07757482a7965dcd29bccf546fd131c001497c0f40e32f043e79cfd862a5261fd38f15c4ba535618c8c46b3cba0dbe54b4dd0cf3e3058f229afd04545

    Download Submit

  • C:\Windows\Installer\MSI85E9.tmp
    Filesize

    191KB

    MD5

    0bb78f0b425860ea8e25090ee4ba3548

    SHA1

    a794298cc2ee64ce44c75ea7c5339293951fc129

    SHA256

    8109236391bd0ce2ed08dbadf5978c0eca673eb12b00933bbb16f9d2f88d0dc2

    SHA512

    10187db3ce1cb3429b604da166a8e971c9d54654f469d43a15b6115a53000c17abf7cd77908f138a30e579d42982ab5b6bc29bdd33d79007642088001abdba64

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    a575336d993d00e984389a41859fc102

    SHA1

    2a6cabbfcd273c144b15917ec8f21b91f58b2db7

    SHA256

    ff9e1b9c87e5c9c9fe801f0b1d76dc79ce2f61a634a3d59c52de889ba2d5927e

    SHA512

    6b229f63c43295a7d0edbf9bf6278531c4333875028dce833107eee5bc7218ce808bc54a670349be957bdd1327722cbeb267c0e85fc3498ae6576479a634c8b5

    Download Submit

  • \??\Volume{b97ebe19-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{211a8995-b5ff-4e80-a97d-125535732607}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    041bebfb24cc32b774b0d39f30000cbc

    SHA1

    77a2ea74ad38d032a2b2228ab8f45dd0395f5d40

    SHA256

    f7ebb75e48f65ee9d79ce0c421f6987fd885430b7667ae9928446043ccbe4908

    SHA512

    4dc861576fa395e0293fa26ffdd5e7e2e2a31fea8097d17ae73340adba8ef4240d4f6a007b3ac94b39c40ab06b0714adaaf5920bab7fbeea2cf4878164d970b6

    Download Submit