Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 13:21

General

  • Target

    bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi

  • Size

    2.3MB

  • MD5

    bc260b2427388aa2492da3ebba202db0

  • SHA1

    297d227b8c0256bd69ba983d6b1c9c4e442bbeec

  • SHA256

    6a064f8e88bd6bcb7c3347495b004429a8c55cc707f7ea7eb5d394f83a76ae2b

  • SHA512

    062149297cf86c0914038adec8e0d24401890ee704fe3143fd8489b1d503fa477c09fd41614833250442c5e1893786afaf31a39b00a44e8a83dc53b94d2b7926

  • SSDEEP

    49152:AEMJZoQrbTFZY1ia5iGkbJvsqyRSIC9upALK1PVqnjVTxxUqPdOH:WtrbTA1Fp8DyRdpyK1Pgj3dOH

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2420
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\Installer\MSI2D0B.tmp
      "C:\Windows\Installer\MSI2D0B.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\Installer\MSI2D0B.tmp
        "C:\Windows\Installer\MSI2D0B.tmp"
        3⤵
        • Executes dropped EXE
        PID:1228
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000004C0" "00000000000003A4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Event Triggered Execution (T1546): 1
    • Installer Packages (T1546.016): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
    • Installer Packages (T1546.016): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\Config.Msi\f762c14.rbs
    Filesize

    663B

    MD5

    b5f5331993a9e1bd5689b61b6ddc218a

    SHA1

    e68cebbf61100c40670204513293522421779ce3

    SHA256

    ad136ea64ae56d1360baf5ff3678abc66e52d45e4da6591a8629cc5fa82f5c2b

    SHA512

    c05c0a7b5a5c17ccd7cd85f06f7855d11b0255cc8467c491e12ddf11cc60e54d21d9dec2e638b3b2abfa94afae6014c109aba4d7ba91637cfc39c122544f7bfa

  • C:\Windows\Installer\MSI2D0B.tmp
    Filesize

    2.3MB

    MD5

    0a678d5045888f5eedf50d5a43f76981

    SHA1

    c24d11fa0e05bf2c94e2df2e2423317b272e94da

    SHA256

    a6f2807bb927fe15170a00cc6d1d5610ed6b476da9c813dc44e6a100ebaa6856

    SHA512

    ead04687a554f5b83095369fac60fe97519076f8aa3efacb8a9b2d72152cfdf6d25d630f27e84a5c1f04877a260e40378c7a22ecf8631c1478d0516a61d8d683

  • memory/1228-12-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/1228-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

  • memory/1228-15-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/1228-19-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/1228-18-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/1228-17-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/1228-30-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB