Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
18-06-2024 13:21
Static task
static1
Behavioral task
behavioral1
Sample
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
Resource
win10v2004-20240611-en
General
-
Target
bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
-
Size
2.3MB
-
MD5
bc260b2427388aa2492da3ebba202db0
-
SHA1
297d227b8c0256bd69ba983d6b1c9c4e442bbeec
-
SHA256
6a064f8e88bd6bcb7c3347495b004429a8c55cc707f7ea7eb5d394f83a76ae2b
-
SHA512
062149297cf86c0914038adec8e0d24401890ee704fe3143fd8489b1d503fa477c09fd41614833250442c5e1893786afaf31a39b00a44e8a83dc53b94d2b7926
-
SSDEEP
49152:AEMJZoQrbTFZY1ia5iGkbJvsqyRSIC9upALK1PVqnjVTxxUqPdOH:WtrbTA1Fp8DyRdpyK1Pgj3dOH
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/3392-12-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral2/memory/3392-14-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral2/memory/3392-15-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral2/memory/3392-16-0x0000000000400000-0x0000000000475000-memory.dmp upx behavioral2/memory/3392-27-0x0000000000400000-0x0000000000475000-memory.dmp upx -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Windows\Installer\MSI64B6.tmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MSI64B6.tmpdescription pid process target process PID 3320 set thread context of 3392 3320 MSI64B6.tmp MSI64B6.tmp -
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe File opened for modification C:\Windows\Installer\MSI6457.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI64B6.tmp msiexec.exe File created C:\Windows\Installer\e57636d.msi msiexec.exe File opened for modification C:\Windows\Installer\e57636d.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Executes dropped EXE 2 IoCs
Processes:
MSI64B6.tmpMSI64B6.tmppid process 3320 MSI64B6.tmp 3392 MSI64B6.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004dd597242da055490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004dd597240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004dd59724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4dd59724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004dd5972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 5092 msiexec.exe 5092 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 55 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exesrtasks.exedescription pid process Token: SeShutdownPrivilege 2952 msiexec.exe Token: SeIncreaseQuotaPrivilege 2952 msiexec.exe Token: SeSecurityPrivilege 5092 msiexec.exe Token: SeCreateTokenPrivilege 2952 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2952 msiexec.exe Token: SeLockMemoryPrivilege 2952 msiexec.exe Token: SeIncreaseQuotaPrivilege 2952 msiexec.exe Token: SeMachineAccountPrivilege 2952 msiexec.exe Token: SeTcbPrivilege 2952 msiexec.exe Token: SeSecurityPrivilege 2952 msiexec.exe Token: SeTakeOwnershipPrivilege 2952 msiexec.exe Token: SeLoadDriverPrivilege 2952 msiexec.exe Token: SeSystemProfilePrivilege 2952 msiexec.exe Token: SeSystemtimePrivilege 2952 msiexec.exe Token: SeProfSingleProcessPrivilege 2952 msiexec.exe Token: SeIncBasePriorityPrivilege 2952 msiexec.exe Token: SeCreatePagefilePrivilege 2952 msiexec.exe Token: SeCreatePermanentPrivilege 2952 msiexec.exe Token: SeBackupPrivilege 2952 msiexec.exe Token: SeRestorePrivilege 2952 msiexec.exe Token: SeShutdownPrivilege 2952 msiexec.exe Token: SeDebugPrivilege 2952 msiexec.exe Token: SeAuditPrivilege 2952 msiexec.exe Token: SeSystemEnvironmentPrivilege 2952 msiexec.exe Token: SeChangeNotifyPrivilege 2952 msiexec.exe Token: SeRemoteShutdownPrivilege 2952 msiexec.exe Token: SeUndockPrivilege 2952 msiexec.exe Token: SeSyncAgentPrivilege 2952 msiexec.exe Token: SeEnableDelegationPrivilege 2952 msiexec.exe Token: SeManageVolumePrivilege 2952 msiexec.exe Token: SeImpersonatePrivilege 2952 msiexec.exe Token: SeCreateGlobalPrivilege 2952 msiexec.exe Token: SeBackupPrivilege 448 vssvc.exe Token: SeRestorePrivilege 448 vssvc.exe Token: SeAuditPrivilege 448 vssvc.exe Token: SeBackupPrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeTakeOwnershipPrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeTakeOwnershipPrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeTakeOwnershipPrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeTakeOwnershipPrivilege 5092 msiexec.exe Token: SeRestorePrivilege 5092 msiexec.exe Token: SeTakeOwnershipPrivilege 5092 msiexec.exe Token: SeBackupPrivilege 3312 srtasks.exe Token: SeRestorePrivilege 3312 srtasks.exe Token: SeSecurityPrivilege 3312 srtasks.exe Token: SeTakeOwnershipPrivilege 3312 srtasks.exe Token: SeBackupPrivilege 3312 srtasks.exe Token: SeRestorePrivilege 3312 srtasks.exe Token: SeSecurityPrivilege 3312 srtasks.exe Token: SeTakeOwnershipPrivilege 3312 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2952 msiexec.exe 2952 msiexec.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
msiexec.exeMSI64B6.tmpdescription pid process target process PID 5092 wrote to memory of 3312 5092 msiexec.exe srtasks.exe PID 5092 wrote to memory of 3312 5092 msiexec.exe srtasks.exe PID 5092 wrote to memory of 3320 5092 msiexec.exe MSI64B6.tmp PID 5092 wrote to memory of 3320 5092 msiexec.exe MSI64B6.tmp PID 5092 wrote to memory of 3320 5092 msiexec.exe MSI64B6.tmp PID 3320 wrote to memory of 3392 3320 MSI64B6.tmp MSI64B6.tmp PID 3320 wrote to memory of 3392 3320 MSI64B6.tmp MSI64B6.tmp PID 3320 wrote to memory of 3392 3320 MSI64B6.tmp MSI64B6.tmp PID 3320 wrote to memory of 3392 3320 MSI64B6.tmp MSI64B6.tmp PID 3320 wrote to memory of 3392 3320 MSI64B6.tmp MSI64B6.tmp -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Installer\MSI64B6.tmp"C:\Windows\Installer\MSI64B6.tmp"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Installer\MSI64B6.tmp"C:\Windows\Installer\MSI64B6.tmp"3⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e576370.rbsFilesize
663B
MD55abe0aca40bf6699b8102236260bc47b
SHA1cf0674ad8e39f6e5459e8bcc656ced78c41a7f5a
SHA25646a647e3f86f4aa2e13f474a17c2a3404fdbd9ac5b35e1be5a0c1a83fcbbcfc8
SHA512f48519bc7a9175715833947ae6ce0f3cf779c61b48c124a7028121b3c435719bff528dba24133cf7776648586a1f5053de98d63e5348f1f10918adfadb990480
-
C:\Windows\Installer\MSI64B6.tmpFilesize
2.3MB
MD50a678d5045888f5eedf50d5a43f76981
SHA1c24d11fa0e05bf2c94e2df2e2423317b272e94da
SHA256a6f2807bb927fe15170a00cc6d1d5610ed6b476da9c813dc44e6a100ebaa6856
SHA512ead04687a554f5b83095369fac60fe97519076f8aa3efacb8a9b2d72152cfdf6d25d630f27e84a5c1f04877a260e40378c7a22ecf8631c1478d0516a61d8d683
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.7MB
MD538e4271616517d9fb2b81ef5be875018
SHA1a65d20ac4f6dbb0b9edc1178167825b024c794df
SHA2568e2920ac83949e7adfbd971e5738fa7f613af9c7879a3eea09104dd422c84d95
SHA5122a1d996eed883776cdf6e4f9624384e557d5c6dbde9841e508486b4acb2264fcfdd5e26886c649aac0c9ebb51c84d00e35cef0e8ae686baff78086e3c1c36733
-
\??\Volume{2497d54d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e08d41f4-97f5-4ddc-bd22-6a16c528987a}_OnDiskSnapshotPropFilesize
6KB
MD54a23acad3694f32f849791a29572c2dd
SHA1e97f300e1136fb6266a852e96724a5ca2c1be010
SHA256b97b08a45987cc2db850a036639b50a62ab2e44619d7ec275f89e57ed03eadd0
SHA512aaf5d8d1e3f24271d9912b9fb7ad29a98f4541f6218bae055c93374ab0ea8a04d78f98573cb37bafef5ec3923c164558d4d14b4c8a33ccb06fd1433a7756a89c
-
memory/3392-12-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/3392-14-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/3392-15-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/3392-16-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/3392-27-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB