Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 13:21
Static task
static1
Behavioral task
behavioral1
Sample
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
Resource
win10v2004-20240611-en
General
-
Target
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
-
Size
2.3MB
-
MD5
bc260b2427388aa2492da3ebba202db0
-
SHA1
297d227b8c0256bd69ba983d6b1c9c4e442bbeec
-
SHA256
6a064f8e88bd6bcb7c3347495b004429a8c55cc707f7ea7eb5d394f83a76ae2b
-
SHA512
062149297cf86c0914038adec8e0d24401890ee704fe3143fd8489b1d503fa477c09fd41614833250442c5e1893786afaf31a39b00a44e8a83dc53b94d2b7926
-
SSDEEP
49152:AEMJZoQrbTFZY1ia5iGkbJvsqyRSIC9upALK1PVqnjVTxxUqPdOH:WtrbTA1Fp8DyRdpyK1Pgj3dOH
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1228-15-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral1/memory/1228-19-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral1/memory/1228-18-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral1/memory/1228-17-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral1/memory/1228-30-0x0000000000400000-0x0000000000475000-memory.dmp upx -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Windows\Installer\MSI2D0B.tmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MSI2D0B.tmpdescription pid process target process PID 2540 set thread context of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp -
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI2D0B.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f762c10.msi msiexec.exe File opened for modification C:\Windows\Installer\f762c10.msi msiexec.exe File created C:\Windows\Installer\f762c13.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI2CCB.tmp msiexec.exe File opened for modification C:\Windows\Installer\f762c13.ipi msiexec.exe -
Executes dropped EXE 2 IoCs
Processes:
MSI2D0B.tmpMSI2D0B.tmppid process 2540 MSI2D0B.tmp 1228 MSI2D0B.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2932 msiexec.exe 2932 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 2420 msiexec.exe Token: SeIncreaseQuotaPrivilege 2420 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeSecurityPrivilege 2932 msiexec.exe Token: SeCreateTokenPrivilege 2420 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2420 msiexec.exe Token: SeLockMemoryPrivilege 2420 msiexec.exe Token: SeIncreaseQuotaPrivilege 2420 msiexec.exe Token: SeMachineAccountPrivilege 2420 msiexec.exe Token: SeTcbPrivilege 2420 msiexec.exe Token: SeSecurityPrivilege 2420 msiexec.exe Token: SeTakeOwnershipPrivilege 2420 msiexec.exe Token: SeLoadDriverPrivilege 2420 msiexec.exe Token: SeSystemProfilePrivilege 2420 msiexec.exe Token: SeSystemtimePrivilege 2420 msiexec.exe Token: SeProfSingleProcessPrivilege 2420 msiexec.exe Token: SeIncBasePriorityPrivilege 2420 msiexec.exe Token: SeCreatePagefilePrivilege 2420 msiexec.exe Token: SeCreatePermanentPrivilege 2420 msiexec.exe Token: SeBackupPrivilege 2420 msiexec.exe Token: SeRestorePrivilege 2420 msiexec.exe Token: SeShutdownPrivilege 2420 msiexec.exe Token: SeDebugPrivilege 2420 msiexec.exe Token: SeAuditPrivilege 2420 msiexec.exe Token: SeSystemEnvironmentPrivilege 2420 msiexec.exe Token: SeChangeNotifyPrivilege 2420 msiexec.exe Token: SeRemoteShutdownPrivilege 2420 msiexec.exe Token: SeUndockPrivilege 2420 msiexec.exe Token: SeSyncAgentPrivilege 2420 msiexec.exe Token: SeEnableDelegationPrivilege 2420 msiexec.exe Token: SeManageVolumePrivilege 2420 msiexec.exe Token: SeImpersonatePrivilege 2420 msiexec.exe Token: SeCreateGlobalPrivilege 2420 msiexec.exe Token: SeBackupPrivilege 1736 vssvc.exe Token: SeRestorePrivilege 1736 vssvc.exe Token: SeAuditPrivilege 1736 vssvc.exe Token: SeBackupPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2752 DrvInst.exe Token: SeLoadDriverPrivilege 2752 DrvInst.exe Token: SeLoadDriverPrivilege 2752 DrvInst.exe Token: SeLoadDriverPrivilege 2752 DrvInst.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe Token: SeRestorePrivilege 2932 msiexec.exe Token: SeTakeOwnershipPrivilege 2932 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2420 msiexec.exe 2420 msiexec.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
msiexec.exeMSI2D0B.tmpdescription pid process target process PID 2932 wrote to memory of 2540 2932 msiexec.exe MSI2D0B.tmp PID 2932 wrote to memory of 2540 2932 msiexec.exe MSI2D0B.tmp PID 2932 wrote to memory of 2540 2932 msiexec.exe MSI2D0B.tmp PID 2932 wrote to memory of 2540 2932 msiexec.exe MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp PID 2540 wrote to memory of 1228 2540 MSI2D0B.tmp MSI2D0B.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI2D0B.tmp"C:\Windows\Installer\MSI2D0B.tmp"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI2D0B.tmp"C:\Windows\Installer\MSI2D0B.tmp"3⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000004C0" "00000000000003A4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f762c14.rbsFilesize
663B
MD5b5f5331993a9e1bd5689b61b6ddc218a
SHA1e68cebbf61100c40670204513293522421779ce3
SHA256ad136ea64ae56d1360baf5ff3678abc66e52d45e4da6591a8629cc5fa82f5c2b
SHA512c05c0a7b5a5c17ccd7cd85f06f7855d11b0255cc8467c491e12ddf11cc60e54d21d9dec2e638b3b2abfa94afae6014c109aba4d7ba91637cfc39c122544f7bfa
-
C:\Windows\Installer\MSI2D0B.tmpFilesize
2.3MB
MD50a678d5045888f5eedf50d5a43f76981
SHA1c24d11fa0e05bf2c94e2df2e2423317b272e94da
SHA256a6f2807bb927fe15170a00cc6d1d5610ed6b476da9c813dc44e6a100ebaa6856
SHA512ead04687a554f5b83095369fac60fe97519076f8aa3efacb8a9b2d72152cfdf6d25d630f27e84a5c1f04877a260e40378c7a22ecf8631c1478d0516a61d8d683
-
memory/1228-12-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/1228-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1228-15-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/1228-19-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/1228-18-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/1228-17-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/1228-30-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB