Analysis Overview
SHA256
49cacc978f32e2ddbdfd8cbfdea76ea1cdeaf264c6594232029368c5064e7a41
Threat Level: Known bad
The file ba1df16589770276ed70731d44176e9b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox MSI
Purplefox family
Enumerates connected drives
Drops file in Windows directory
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 23:28
Signatures
Detect PurpleFox MSI
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Purplefox family
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 23:28
Reported
2024-06-17 23:28
Platform
win7-20240611-en
Max time kernel
9s
Max time network
4s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f766c4a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\sysupdate.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f766c4a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6D92.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI710C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI716B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI71E8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f766c4d.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI766C.tmp | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ba1df16589770276ed70731d44176e9b_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A58ED0CFB647DFCEA71F24F152BBC0DC
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
Network
Files
C:\Windows\Installer\MSI6D92.tmp
| MD5 | aaab8d3f7e9e8f143a17a0d15a1d1715 |
| SHA1 | 8aca4e362e4cdc68c2f8f8f35f200126716f9c74 |
| SHA256 | fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889 |
| SHA512 | 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a |
C:\Windows\Installer\MSI716B.tmp
| MD5 | 3eb31b9a689d506f3b1d3738d28ab640 |
| SHA1 | 1681fe3bbdcbe617a034b092ea77249dd4c3e986 |
| SHA256 | 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46 |
| SHA512 | 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09 |
C:\Config.Msi\f766c4e.rbs
| MD5 | d71d631a77977c4e78775d73801ade68 |
| SHA1 | 301ea455e8fd865b2ce10ef65ffd100cca22c100 |
| SHA256 | 1b98e5be7fc7694e9ff465def7fb0f5a941801bc507d5685a1474095cdc0ed28 |
| SHA512 | 373c88daff5cd30634e3c5885b5567bee52f18fcf3ee6947592505755750f577d2b66d06a6b81490e3f937c5d5753fbc505db06916a25a2a529574798bf0d6f3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 23:28
Reported
2024-06-17 23:28
Platform
win10v2004-20240508-en
Max time kernel
9s
Max time network
10s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{17AB1BF2-25B3-473C-8C91-9FC8D6BDB3D0} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e575294.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e575294.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI52E3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5361.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5381.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI53A1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI53D1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI547E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\sysupdate.log | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ba1df16589770276ed70731d44176e9b_JaffaCakes118.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E5A3677E7CB337E17A0B8CB7F2260E18
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a9055 /state1:0x41c64e6d
Network
Files
C:\Windows\Installer\MSI52E3.tmp
| MD5 | aaab8d3f7e9e8f143a17a0d15a1d1715 |
| SHA1 | 8aca4e362e4cdc68c2f8f8f35f200126716f9c74 |
| SHA256 | fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889 |
| SHA512 | 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a |
C:\Windows\Installer\MSI53A1.tmp
| MD5 | 3eb31b9a689d506f3b1d3738d28ab640 |
| SHA1 | 1681fe3bbdcbe617a034b092ea77249dd4c3e986 |
| SHA256 | 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46 |
| SHA512 | 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09 |
C:\Config.Msi\e575297.rbs
| MD5 | 8bad5d448cef577a8f9e3e2ccc551925 |
| SHA1 | c6501738592b5a87d2c49850beb73f21d475140b |
| SHA256 | cbefce5e98e973960bfb178cb7ae6ac052d81f20fb442e1356758a9649f11d4c |
| SHA512 | f7be5f63a2b2f9ea6413a36419dfbf225b35e34f9b7f157d92af5fb04bd58ebe00eaafbc3ae36570aec4076a71237b1e0c59d0a66e44f436d5991eab1570917a |