Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 04:37

General

  • Target

    ace6e57bae77662196232131131e784e_JaffaCakes118.msi

  • Size

    384KB

  • MD5

    ace6e57bae77662196232131131e784e

  • SHA1

    1e7e10274944b4f9e46730d8118d90172904000c

  • SHA256

    c8f969f561e06095543bf7f64281be7d95754c06d4b7ece3447acc5f99a3de6c

  • SHA512

    a45f9be129c36ea8ccd1e8d44f05e9693e9f58c1bfac96e0c833bb2282dd44142ed5f48a9f832399559480bfc714d1636daf0d3965e799d15ea7d11fe8cefe92

  • SSDEEP

    6144:hZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WM:hZNNNzbCClCA+jp02GmWhJnav5jUn

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ace6e57bae77662196232131131e784e_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1952
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2440
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003A8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2500
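The Signatures and Processes sections above record two things a responder would want to check in bulk: an MSI package installed with `msiexec /I` from a per-user temp directory, and shadow-copy activity (vssvc.exe plus a DrvInst.exe run for a STORAGE\VolumeSnapshot device). The script below is an added example, not part of the sandbox report or the sample; it transcribes the four processes listed above into constructed records and runs the two checks over them. The regexes and the `triage` rule are this example's own assumptions. Note that legitimate installers produce the same pattern (Windows Installer can create a restore point, which goes through VSS), so the result is a triage filter, not a verdict.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: image path, full command line, PID."""
    image: str
    cmdline: str
    pid: int


# Constructed input: the four processes listed in the report above, transcribed
# into records so the checks below can run offline.
EVENTS = [
    ProcEvent(r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ace6e57bae77662196232131131e784e_JaffaCakes118.msi",
              1952),
    ProcEvent(r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", 2776),
    ProcEvent(r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", 2440),
    ProcEvent(r"C:\Windows\system32\DrvInst.exe",
              r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003A8"',
              2500),
]

# "/i <package>" (case-insensitive) is the Windows Installer install switch.
MSI_INSTALL = re.compile(r"(?:^|\s)/i\s+(\S+\.msi)\b", re.IGNORECASE)
# Per-user temp directories: packages staged here usually arrived via a browser,
# mail client or dropper rather than a software-distribution share. (Assumed
# heuristic for this example.)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\Temp\\", re.IGNORECASE)


def _is_image(ev: ProcEvent, name: str) -> bool:
    return ev.image.lower().endswith("\\" + name.lower())


def msi_installs_from_user_temp(events):
    """Return (pid, package path) for each msiexec install launched from a user
    temp directory. The service instance (msiexec.exe /V) carries no package
    and is skipped."""
    hits = []
    for ev in events:
        if not _is_image(ev, "msiexec.exe"):
            continue
        m = MSI_INSTALL.search(ev.cmdline)
        if m and USER_TEMP.search(m.group(1)):
            hits.append((ev.pid, m.group(1)))
    return hits


def vss_activity(events):
    """Return PIDs of the VSS service and of DrvInst runs that install a
    STORAGE\\VolumeSnapshot device, i.e. a shadow copy being created."""
    pids = []
    for ev in events:
        if _is_image(ev, "vssvc.exe"):
            pids.append(ev.pid)
        elif _is_image(ev, "drvinst.exe") and "\\VolumeSnapshot\\" in ev.cmdline:
            pids.append(ev.pid)
    return pids


def triage(events):
    """Combine the checks: an MSI installed from a user temp directory while the
    host creates a volume snapshot is worth a closer look. Legitimate installers
    produce the same pattern (e.g. a restore point created by Windows Installer),
    so 'review' means 'look at it', not 'malicious'."""
    installs = msi_installs_from_user_temp(events)
    vss = vss_activity(events)
    return {
        "msi_from_user_temp": installs,
        "vss_pids": vss,
        "review": bool(installs) and bool(vss),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Feed it real process-creation records (for example Sysmon event ID 1 fields mapped onto `ProcEvent`) instead of the constructed list to reuse the same checks on endpoint telemetry; the package-path regex is the part most worth tuning to your environment.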

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f763bab.rbs

    Filesize

    7KB

    MD5

    66d4c6e76d35328fa37e25bc690023a1

    SHA1

    caebdf1535749bdcb4c7ab92eab702b428f97249

    SHA256

    b2367c72aa00c0e90341bc00a79db54c32d31b8ab28c89c5e01e284cf74c8b09

    SHA512

    36635f057ec82b8b34302e05791ef04958b6f5e1993c0c08f7edde148a6f96fa2ced8eba5b823b6b2d9d73d5b0a3940b3c8b39d2f230cf8e5a5404846920691d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d910ab20ee59c6bc36bc90845b768181

    SHA1

    cedb040b51854ffbe892004b7ff55f2e580d7c75

    SHA256

    a4962f08e0d7e51a67d892535090ba17aeceda286acafc61e92a8eadb5a863f4

    SHA512

    2a5a4a32a68fb9d36a63d52fbcd35ecb96d2f2a4a9b152211e289784857a5e9f5ecd6e564a6e9c562bc9520ed354c9718b56cb764e6562eff4a5a0f2f2be5084

  • C:\Users\Admin\AppData\Local\Temp\Cab3BF7.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa