Analysis
max time kernel: 142s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 21:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
Size: 9.7MB
MD5: 0fa1a99d6273b1621e3e339b460da1e7
SHA1: 7705b9c46d8256c152b2c0e704cd015d52a3eef0
SHA256: 5f7077518b585cf2a1f29dfcd86000e4d7b94d4c382f1cb22e9f28345e2f3014
SHA512: 02deb2508943731796c8f5f850d26d11efb96b17f0962b59bf43dd96cf6869936ccc7b92ae52ac3fc6db728283c69585085b066c82b653bf36fe450a75f7d764
SSDEEP: 196608:/xZjmTOFT4HG1cWvb7ASOSgRjV6UufHHBq2G0hh6QfKV:/bjmTOFTXb7H+5Fu5u0jz
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Nation value holds a numeric GeoID, not a country name. Note for detection outside the sandbox: this is a registry value read, and Sysmon's registry events (IDs 12, 13 and 14) only record key create/delete, value writes and renames, so the same check leaves no Sysmon trace and needs EDR or ETW registry-read telemetry.
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation by 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
PID 4080, MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe, each letter twice (the Processes section attributes this signature to both msiexec.exe instances, PID 2172 and PID 3092):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Not opened: C:, D:, F:
Drops file in Program Files directory (2 IoCs)
File opened for modification: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_2.MSI by 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
File created: C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_2.MSI by 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
This blanket sweep by msiexec.exe shows up in sandbox reports of ordinary MSI installs too: AdjustTokenPrivileges can only enable privileges the token already holds, so on its own it is installer start-up behaviour, not a privilege escalation.
Token                      PID   Process
SeShutdownPrivilege        2172  msiexec.exe
SeIncreaseQuotaPrivilege   2172  msiexec.exe
SeSecurityPrivilege        3092  msiexec.exe
Then the following 29 privileges, in this order, twice over for PID 2172 msiexec.exe:
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
The listing ends with the start of a third pass for PID 2172 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege.
Suspicious use of FindShellTrayWindow (1 IoC)
PID 2172, msiexec.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Parent PID  Target PID  Parent process                                       procid_target
4596        2172        0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe  93  (listed 3 times)
3092        4080        msiexec.exe                                          97  (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe (PID 4596)
  command line: "C:\Users\Admin\AppData\Local\Temp\0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\msiexec.exe (PID 2172)
    command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_2.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe"
    (the command line names System32 but the image is SysWOW64: the 32-bit parent's path is redirected by WOW64 file system redirection)
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 3092)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\syswow64\MsiExec.exe (PID 4080)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0C402693F482D1AD09D3EE38C0AA13F7 C
    - Loads dropped DLL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3284)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
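The WriteProcessMemory table, the drive-enumeration table and the process tree above, turned into the few facts an analyst would actually write in a case note. This is an added example for this page, not tria.ge code and nothing from the sample or the Wise installer. Every input string is copied from the report (the drive rows are rebuilt from the report's own letter order) and embedded so it runs offline; the msiexec switch table, the "user-writable path" regex and the wording of the notes are the example's own assumptions.

```python
"""Parse the flattened Triage rows above into case-note facts.

Added example for this page, not tria.ge code. All inputs are copied from the
report (drive rows rebuilt from its letter order); the heuristics are our own.
"""
import re
import string
from collections import Counter

# "Suspicious use of WriteProcessMemory" rows; Triage lists each pair three times.
WPM_ROWS = (
    "PID 4596 wrote to memory of 2172 4596 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe 93 "
    "PID 4596 wrote to memory of 2172 4596 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe 93 "
    "PID 4596 wrote to memory of 2172 4596 0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe 93 "
    "PID 3092 wrote to memory of 4080 3092 msiexec.exe 97 "
    "PID 3092 wrote to memory of 4080 3092 msiexec.exe 97 "
    "PID 3092 wrote to memory of 4080 3092 msiexec.exe 97"
)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# "Enumerates connected drives" rows, rebuilt from the report's letter sequence.
DRIVE_ROWS = " ".join(
    f"File opened (read-only) \\??\\{c}: msiexec.exe"
    for c in "HWZZMAGJPTVALTMRYIVBHLUEGJUKRSQXNOWOPQXESBKNYI"
)
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# Command lines from the Processes section, keyed by PID.
CMDLINES = {
    4596: r'"C:\Users\Admin\AppData\Local\Temp\0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe"',
    2172: r'"C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_2.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\0fa1a99d6273b1621e3e339b460da1e7_JaffaCakes118.exe"',
    3092: r"C:\Windows\system32\msiexec.exe /V",
    4080: r"C:\Windows\syswow64\MsiExec.exe -Embedding 0C402693F482D1AD09D3EE38C0AA13F7 C",
}
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # keeps NAME="quoted value" as one token
# Assumed heuristic: paths a standard user can write to. Deliberately narrow.
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\|\\users\\[^\\]+\\downloads\\", re.I)
SWITCHES = {"/i": "install", "/x": "uninstall", "/a": "admin-install", "/p": "patch"}

def parse_wpm(text):
    """De-duplicated (parent_pid, child_pid, parent_image) edges, in report order."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3))
        if edge not in edges:
            edges.append(edge)
    return edges

def lineage(edges, pids):
    """{pid: [pid, parent, grandparent, ...]} for each pid we hold a command line for."""
    parent = {child: par for par, child, _ in edges}
    chains = {}
    for pid in pids:
        chain = [pid]
        while chain[-1] in parent:
            chain.append(parent[chain[-1]])
        chains[pid] = chain
    return chains

def parse_drives(text):
    """Per-letter open counts, plus the letters the sweep never touched."""
    counts = Counter(m.group(1) for m in DRIVE_RE.finditer(text))
    return counts, [c for c in string.ascii_uppercase if c not in counts]

def analyse_msiexec(cmdline):
    """Action, package and public properties of an msiexec command line; None otherwise."""
    toks = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    if toks[0].rsplit("\\", 1)[-1].lower() != "msiexec.exe":
        return None
    info = {"action": None, "package": None, "properties": {}, "user_writable_refs": []}
    it = iter(toks[1:])
    for t in it:
        sw = t.lower().replace("-", "/", 1)
        if sw in SWITCHES:                 # /I <package>, /X <package>, ...
            info["action"] = SWITCHES[sw]
            info["package"] = next(it, None)
        elif sw == "/v":                   # how the SCM starts the Windows Installer service
            info["action"] = "service"
        elif sw == "/embedding":           # COM out-of-process server activation
            info["action"] = "com-embedding"
        elif "=" in t and t.split("=", 1)[0].isupper():   # public property NAME=value
            name, value = t.split("=", 1)
            info["properties"][name] = value
    for value in [info["package"], *info["properties"].values()]:
        if value and USER_WRITABLE.search(value):
            info["user_writable_refs"].append(value)
    return info

def triage(wpm_rows=WPM_ROWS, cmdlines=CMDLINES, drive_rows=DRIVE_ROWS):
    """The handful of facts from this report worth a line in a case note."""
    chains = lineage(parse_wpm(wpm_rows), cmdlines)
    notes = []
    for pid, cmd in cmdlines.items():
        info = analyse_msiexec(cmd)
        if info is None:
            continue
        par = chains[pid][1] if len(chains[pid]) > 1 else None
        if info["action"] == "install" and par is not None and USER_WRITABLE.search(cmdlines[par]):
            notes.append(f"{pid}: msiexec install started by {par}, which runs from a user-writable path")
        for ref in info["user_writable_refs"]:
            notes.append(f"{pid}: msiexec argument points at user-writable path {ref}")
    counts, missing = parse_drives(drive_rows)
    notes.append(f"drive sweep: {len(counts)} letters opened, not opened: {', '.join(missing)}")
    return notes
```

Run `python3 triage_notes.py -c "import triage_notes; print(*triage_notes.triage(), sep='\n')"` or call `triage()` from a REPL. What it flags, a Temp-resident executable running msiexec /I on an MSI it has just dropped under Common Files\Wise Installation Wizard and passing its own path as WISE_SETUP_EXE_PATH, is also how a Wise Installation System bootstrapper behaves, so treat the notes as the prompt to pull and inspect the 9.5MB MSI (hashes under Downloads), not as a verdict. The PID 3092 branch is the Windows Installer service itself (started with /V) and the -Embedding MsiExec child it spawns; "Loads dropped DLL" on that child is consistent with a DLL custom action in the MSI. msiexec opening every drive letter is typical Windows Installer costing behaviour; the parser records it only so the sweep can be compared across runs.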
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS7739C50674AE48CF991BAB5E35A927FC_5_0_4_2.MSI
Filesize: 9.5MB
MD5: d832cefca45fb9ac738222ad3160b63c
SHA1: e9e5e0ccaeceb12448aba415f765c9b62d15c948
SHA256: c8c73e7ec75e944a7225ed27d5475a8cf0dea65608a06d7e44eebd1375262f5e
SHA512: 00084c21db71466eb11aa87fd87e1e08c2fc00e8a615159711993203fcdad99774a86b59113bef34959a634d06776a7845885f1746d4186c260b607191718993

Second file (name not shown in the report)
Filesize: 19KB
MD5: a8098832976813ce64b23879f0e5af7e
SHA1: 46723c8b825f8828af3e5fb4a92552ee170397cf
SHA256: 644700716cb63db1c48ff6ffffdb90d654ca8578c0a30a271c63880145813c73
SHA512: 9f21344c09be843d4ee6d9393487107f68a8bb11426490f4cdb1a31c4d924c9a111d5f1e269c0bcedb28833fcafbdb0b9c0b2a491d55cd1250690cac944afbaf