Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
- submitted: 12/06/2024, 23:45
Behavioral task: behavioral1
- Sample: a2fd3390ff898dd55a646da33b4c02ff_JaffaCakes118.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a2fd3390ff898dd55a646da33b4c02ff_JaffaCakes118.msi
- Resource: win10v2004-20240611-en
General
- Target: a2fd3390ff898dd55a646da33b4c02ff_JaffaCakes118.msi
- Size: 984KB
- MD5: a2fd3390ff898dd55a646da33b4c02ff
- SHA1: 79df71db32379f6e7efaf85f06cee0149010e234
- SHA256: 1fcca6883c60e3fe1924e290d85168793f5735ed0ca954fdb1b1738f6a199e19
- SHA512: 356db92ce0dc24af11ec919e40f4c23a2584149400a9b980ae4e06f57a11694b17529aa01861859bcf73303acd01bd15d2e3a4b37c2c018f4e1ac8ae46ac5674
- SSDEEP: 24576:YXvOwHuvjDTWBnc2/4joAvuLmyONNNpbCClCtRGLovJX:YmwQjDM3CuLmycpbC7ALE
Malware Config
Signatures
-
Blocklisted process makes network request (1 IoC)
flow | pid | Process
2 | 4320 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\e576c75.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e576c75.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6CE3.tmp | msiexec.exe
Loads dropped DLL (1 IoC)
pid | Process
1864 | MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4320 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4320 | msiexec.exe
Token: SeSecurityPrivilege | 4340 | msiexec.exe
Token: SeCreateTokenPrivilege | 4320 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4320 | msiexec.exe
Token: SeLockMemoryPrivilege | 4320 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4320 | msiexec.exe
Token: SeMachineAccountPrivilege | 4320 | msiexec.exe
Token: SeTcbPrivilege | 4320 | msiexec.exe
Token: SeSecurityPrivilege | 4320 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4320 | msiexec.exe
Token: SeLoadDriverPrivilege | 4320 | msiexec.exe
Token: SeSystemProfilePrivilege | 4320 | msiexec.exe
Token: SeSystemtimePrivilege | 4320 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4320 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4320 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4320 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4320 | msiexec.exe
Token: SeBackupPrivilege | 4320 | msiexec.exe
Token: SeRestorePrivilege | 4320 | msiexec.exe
Token: SeShutdownPrivilege | 4320 | msiexec.exe
Token: SeDebugPrivilege | 4320 | msiexec.exe
Token: SeAuditPrivilege | 4320 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4320 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4320 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4320 | msiexec.exe
Token: SeUndockPrivilege | 4320 | msiexec.exe
Token: SeSyncAgentPrivilege | 4320 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4320 | msiexec.exe
Token: SeManageVolumePrivilege | 4320 | msiexec.exe
Token: SeImpersonatePrivilege | 4320 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4320 | msiexec.exe
Token: SeBackupPrivilege | 60 | vssvc.exe
Token: SeRestorePrivilege | 60 | vssvc.exe
Token: SeAuditPrivilege | 60 | vssvc.exe
Token: SeBackupPrivilege | 4340 | msiexec.exe
Token: SeRestorePrivilege | 4340 | msiexec.exe
Token: SeRestorePrivilege | 4340 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4340 | msiexec.exe
Token: SeRestorePrivilege | 4340 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4340 | msiexec.exe
Token: SeBackupPrivilege | 1176 | srtasks.exe
Token: SeRestorePrivilege | 1176 | srtasks.exe
Token: SeSecurityPrivilege | 1176 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1176 | srtasks.exe
Token: SeBackupPrivilege | 1176 | srtasks.exe
Token: SeRestorePrivilege | 1176 | srtasks.exe
Token: SeSecurityPrivilege | 1176 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 1176 | srtasks.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4320 | msiexec.exe
4320 | msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 4340 wrote to memory of 1176 | 4340 | msiexec.exe | 89
PID 4340 wrote to memory of 1176 | 4340 | msiexec.exe | 89
PID 4340 wrote to memory of 1864 | 4340 | msiexec.exe | 91
PID 4340 wrote to memory of 1864 | 4340 | msiexec.exe | 91
PID 4340 wrote to memory of 1864 | 4340 | msiexec.exe | 91
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4320)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a2fd3390ff898dd55a646da33b4c02ff_JaffaCakes118.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4340)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 1176, child of 4340)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 1864, child of 4340)
    C:\Windows\syswow64\MsiExec.exe -Embedding F254B4C82A702EB280D3E1BD25F705A7
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 60)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 38a4250c5e678728a0cdf126f1cdd937
  SHA1: d55553ab896f085fd5cd191022c64442c99f48a4
  SHA256: 63c4d968320e634b97542ccf0edffe130800314346c3316817813e62d7b7ee08
  SHA512: cc00d1d5e6b074eff3245d3e8aa3020804a6bfd01516c7be7b05f671a93c6a56d9058738c422ad77eabb6c10e6c698a219dac7102e0b17dd941b11bfd60eb894
- Filesize: 23.7MB
  MD5: 26e832cfc03c5a6c27f11618d1b63262
  SHA1: dec107c04e6581e4a869021967039630ea01df5b
  SHA256: 01bc9d0ac5659c6916c6d2d361b84176adedc46fc45eae9da3358490221d73c7
  SHA512: d2515683d3533c4a45174404d16c980280033e8f0b3d61effdc5c468c012c0883c768d058d4907517dd8d13325d106e4c4116d2330dd1a6bd7c2158e8aadc517
- \??\Volume{25d8a8a1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba34c83e-9286-461a-b5c2-00bef6206d84}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: d4e7377439a3bd470bac2a61a6d5aa48
  SHA1: 62c064054f075c81e7e7c87e677a8618fe951825
  SHA256: 2cef47124ef6bf62ab2e79a5f08918837605d2efe369d70bdd6af028bb07eff0
  SHA512: 66a41d1dfc01279897c2176fdbfbf54b20984ba53073b0b671d90bb8ab724959deaf2951328b8b9bc1d9ce0a564b0a19778fe91e3a5adece1ae1973e0f3d411b