5c4696dece4312512cd49b0b65e081b392c5c006bd202adf046eaeb0682affb2

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe
Size

730KB
MD5

1b005facaeb3280183ddf02bfcc8588a
SHA1

186007254ba17be7030119509979ef0c314f05dd
SHA256

5c4696dece4312512cd49b0b65e081b392c5c006bd202adf046eaeb0682affb2
SHA512

6e0e894b0a6f3e294ed222560dc2ded480dd38a71f54a62c9e78fc4454943d67f5b24a8845704a3561786de4a9c4d3713cae92c957910ad45b45bbbfddbc5f33
SSDEEP

12288:2zxveAzCY64LyRAuYW/g8eyi49Wr3xvPTY38czsg84On0kBOvW1LcqOwi:SmeCY64LMAuYZyipk8GnwnOwi

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1172	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3056	msiexec.exe
Token: SeTakeOwnershipPrivilege	3056	msiexec.exe
Token: SeSecurityPrivilege	3056	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeMachineAccountPrivilege	3016	msiexec.exe
Token: SeTcbPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeLoadDriverPrivilege	3016	msiexec.exe
Token: SeSystemProfilePrivilege	3016	msiexec.exe
Token: SeSystemtimePrivilege	3016	msiexec.exe
Token: SeProfSingleProcessPrivilege	3016	msiexec.exe
Token: SeIncBasePriorityPrivilege	3016	msiexec.exe
Token: SeCreatePagefilePrivilege	3016	msiexec.exe
Token: SeCreatePermanentPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeDebugPrivilege	3016	msiexec.exe
Token: SeAuditPrivilege	3016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3016	msiexec.exe
Token: SeChangeNotifyPrivilege	3016	msiexec.exe
Token: SeRemoteShutdownPrivilege	3016	msiexec.exe
Token: SeUndockPrivilege	3016	msiexec.exe
Token: SeSyncAgentPrivilege	3016	msiexec.exe
Token: SeEnableDelegationPrivilege	3016	msiexec.exe
Token: SeManageVolumePrivilege	3016	msiexec.exe
Token: SeImpersonatePrivilege	3016	msiexec.exe
Token: SeCreateGlobalPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3016	msiexec.exe
Token: SeLockMemoryPrivilege	3016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3016	msiexec.exe
Token: SeMachineAccountPrivilege	3016	msiexec.exe
Token: SeTcbPrivilege	3016	msiexec.exe
Token: SeSecurityPrivilege	3016	msiexec.exe
Token: SeTakeOwnershipPrivilege	3016	msiexec.exe
Token: SeLoadDriverPrivilege	3016	msiexec.exe
Token: SeSystemProfilePrivilege	3016	msiexec.exe
Token: SeSystemtimePrivilege	3016	msiexec.exe
Token: SeProfSingleProcessPrivilege	3016	msiexec.exe
Token: SeIncBasePriorityPrivilege	3016	msiexec.exe
Token: SeCreatePagefilePrivilege	3016	msiexec.exe
Token: SeCreatePermanentPrivilege	3016	msiexec.exe
Token: SeBackupPrivilege	3016	msiexec.exe
Token: SeRestorePrivilege	3016	msiexec.exe
Token: SeShutdownPrivilege	3016	msiexec.exe
Token: SeDebugPrivilege	3016	msiexec.exe
Token: SeAuditPrivilege	3016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3016	msiexec.exe
Token: SeChangeNotifyPrivilege	3016	msiexec.exe
Token: SeRemoteShutdownPrivilege	3016	msiexec.exe
Token: SeUndockPrivilege	3016	msiexec.exe
Token: SeSyncAgentPrivilege	3016	msiexec.exe
Token: SeEnableDelegationPrivilege	3016	msiexec.exe
Token: SeManageVolumePrivilege	3016	msiexec.exe
Token: SeImpersonatePrivilege	3016	msiexec.exe
Token: SeCreateGlobalPrivilege	3016	msiexec.exe
Token: SeCreateTokenPrivilege	3016	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3016	2392	1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe	28
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30
PID 3056 wrote to memory of 1172	3056	msiexec.exe	30

C:\Users\Admin\AppData\Local\Temp\1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Romi Royal Install\install\RummyRoyal_Live_hu.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\1b005facaeb3280183ddf02bfcc8588a_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 965231D947D0D012FCA52FB2DC1574AA C
  2⤵
  - Loads dropped DLL
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIFAA.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit
C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Romi Royal Install\install\RummyRoyal_Live_hu.msi

Filesize
309KB

MD5
5da84727e0583cc10194a8362db7c5be

SHA1
0940ae296c954a1c41d05fc1ad4b6021e268c703

SHA256
a09a000dbbe490cdc4cc37c31e8165da9b110b26d8cde3cbe8d590232da9d13f

SHA512
2f88419c78702c57af259fe79f5a2f1578178e1d5b94bae65bccaad6fa4877a99be47d56af3311abd9ae016e9c4906f49d60c51d32beb0be20f7a71ce9ae2813

Download Submit