Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 13:21

General

  • Target

    bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi

  • Size

    2.3MB

  • MD5

    bc260b2427388aa2492da3ebba202db0

  • SHA1

    297d227b8c0256bd69ba983d6b1c9c4e442bbeec

  • SHA256

    6a064f8e88bd6bcb7c3347495b004429a8c55cc707f7ea7eb5d394f83a76ae2b

  • SHA512

    062149297cf86c0914038adec8e0d24401890ee704fe3143fd8489b1d503fa477c09fd41614833250442c5e1893786afaf31a39b00a44e8a83dc53b94d2b7926

  • SSDEEP

    49152:AEMJZoQrbTFZY1ia5iGkbJvsqyRSIC9upALK1PVqnjVTxxUqPdOH:WtrbTA1Fp8DyRdpyK1Pgj3dOH

Malware Config

Signatures

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bc260b2427388aa2492da3ebba202db0_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2952
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
    • C:\Windows\Installer\MSI64B6.tmp
      "C:\Windows\Installer\MSI64B6.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\Installer\MSI64B6.tmp
        "C:\Windows\Installer\MSI64B6.tmp"
        3⤵
        • Executes dropped EXE
        PID:3392
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:448

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Event Triggered Execution (1) T1546
      • Installer Packages (1) T1546.016
  • Privilege Escalation
    • Event Triggered Execution (1) T1546
      • Installer Packages (1) T1546.016
  • Discovery
    • Query Registry (2) T1012
    • Peripheral Device Discovery (2) T1120
    • System Information Discovery (3) T1082

Downloads

  • C:\Config.Msi\e576370.rbs
    Filesize

    663B

    MD5

    5abe0aca40bf6699b8102236260bc47b

    SHA1

    cf0674ad8e39f6e5459e8bcc656ced78c41a7f5a

    SHA256

    46a647e3f86f4aa2e13f474a17c2a3404fdbd9ac5b35e1be5a0c1a83fcbbcfc8

    SHA512

    f48519bc7a9175715833947ae6ce0f3cf779c61b48c124a7028121b3c435719bff528dba24133cf7776648586a1f5053de98d63e5348f1f10918adfadb990480

  • C:\Windows\Installer\MSI64B6.tmp
    Filesize

    2.3MB

    MD5

    0a678d5045888f5eedf50d5a43f76981

    SHA1

    c24d11fa0e05bf2c94e2df2e2423317b272e94da

    SHA256

    a6f2807bb927fe15170a00cc6d1d5610ed6b476da9c813dc44e6a100ebaa6856

    SHA512

    ead04687a554f5b83095369fac60fe97519076f8aa3efacb8a9b2d72152cfdf6d25d630f27e84a5c1f04877a260e40378c7a22ecf8631c1478d0516a61d8d683

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    38e4271616517d9fb2b81ef5be875018

    SHA1

    a65d20ac4f6dbb0b9edc1178167825b024c794df

    SHA256

    8e2920ac83949e7adfbd971e5738fa7f613af9c7879a3eea09104dd422c84d95

    SHA512

    2a1d996eed883776cdf6e4f9624384e557d5c6dbde9841e508486b4acb2264fcfdd5e26886c649aac0c9ebb51c84d00e35cef0e8ae686baff78086e3c1c36733

  • \??\Volume{2497d54d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e08d41f4-97f5-4ddc-bd22-6a16c528987a}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    4a23acad3694f32f849791a29572c2dd

    SHA1

    e97f300e1136fb6266a852e96724a5ca2c1be010

    SHA256

    b97b08a45987cc2db850a036639b50a62ab2e44619d7ec275f89e57ed03eadd0

    SHA512

    aaf5d8d1e3f24271d9912b9fb7ad29a98f4541f6218bae055c93374ab0ea8a04d78f98573cb37bafef5ec3923c164558d4d14b4c8a33ccb06fd1433a7756a89c

  • memory/3392-12-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/3392-14-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/3392-15-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/3392-16-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB

  • memory/3392-27-0x0000000000400000-0x0000000000475000-memory.dmp
    Filesize

    468KB