Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 00:12

Static task: static1

Behavioral task: behavioral1
Sample: 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe
Size: 2.0MB
MD5: 23f7122d422b250416eb2bfa3404bf38
SHA1: ebfebc8985eb47018009482c12c813df100307ea
SHA256: 1dc875aa7ec750d2496dfd9ceb8a1e2f8cc40d3aa7c0fa39107a3b6ced3f99c3
SHA512: f6f9f6957939654f4f28a96c2ac6f7f569aa5897dc599937365998601adff48a10e5a5ee8cabccaa1c7890eb59f173447a577146df1f9792a19c1aa59461983f
SSDEEP: 49152:m7E13iVcFEhEbXD2Y2DqIWN5+kNvjXE2wMw1weOhlR:m7E13hFJD2Y2D5WpNvjX177lR
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
pid | Process
1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe
2732 | MsiExec.exe
2732 | MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2468 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeRestorePrivilege | 2172 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2172 | msiexec.exe
Token: SeSecurityPrivilege | 2172 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | msiexec.exe
Token: SeLockMemoryPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeMachineAccountPrivilege | 2468 | msiexec.exe
Token: SeTcbPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 2468 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2468 | msiexec.exe
Token: SeLoadDriverPrivilege | 2468 | msiexec.exe
Token: SeSystemProfilePrivilege | 2468 | msiexec.exe
Token: SeSystemtimePrivilege | 2468 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2468 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2468 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2468 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2468 | msiexec.exe
Token: SeBackupPrivilege | 2468 | msiexec.exe
Token: SeRestorePrivilege | 2468 | msiexec.exe
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeDebugPrivilege | 2468 | msiexec.exe
Token: SeAuditPrivilege | 2468 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2468 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2468 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2468 | msiexec.exe
Token: SeUndockPrivilege | 2468 | msiexec.exe
Token: SeSyncAgentPrivilege | 2468 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2468 | msiexec.exe
Token: SeManageVolumePrivilege | 2468 | msiexec.exe
Token: SeImpersonatePrivilege | 2468 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2468 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | msiexec.exe
Token: SeLockMemoryPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeMachineAccountPrivilege | 2468 | msiexec.exe
Token: SeTcbPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 2468 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2468 | msiexec.exe
Token: SeLoadDriverPrivilege | 2468 | msiexec.exe
Token: SeSystemProfilePrivilege | 2468 | msiexec.exe
Token: SeSystemtimePrivilege | 2468 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2468 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2468 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2468 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2468 | msiexec.exe
Token: SeBackupPrivilege | 2468 | msiexec.exe
Token: SeRestorePrivilege | 2468 | msiexec.exe
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeDebugPrivilege | 2468 | msiexec.exe
Token: SeAuditPrivilege | 2468 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2468 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2468 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2468 | msiexec.exe
Token: SeUndockPrivilege | 2468 | msiexec.exe
Token: SeSyncAgentPrivilege | 2468 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2468 | msiexec.exe
Token: SeManageVolumePrivilege | 2468 | msiexec.exe
Token: SeImpersonatePrivilege | 2468 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2468 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2468 | msiexec.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 1700 wrote to memory of 2468 | 1700 | 23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe | 28
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
PID 2172 wrote to memory of 2732 | 2172 | msiexec.exe | 30
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1700

  [level 2] C:\Windows\system32\msiexec.exe
  Command line: /i "C:\Users\Admin\AppData\Roaming\FileSubmit\tulipbouquet\install\B016367\tulipbouquet.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\23f7122d422b250416eb2bfa3404bf38_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2468

[level 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2172

  [level 2] C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2E0EBAFC0E2903C91B769F86F5B9B68C C
  - Loads dropped DLL
  PID: 2732
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 43KB
MD5: b759a21d153a42060a53a89a26b9931c
SHA1: 6260cecd55db44d75121b1f88506a4a9978c1b0f
SHA256: 6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd
SHA512: 78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Filesize: 1.2MB
MD5: 28193c9542f676a881be31a3d7f0bf3c
SHA1: 4d4ea42a5a7da75046766bec5cd573f3e7b70047
SHA256: 887b5a4a9dc99fea33ae068d1e72cd11ebcf5dab7fcb2aa56f8c372750baffdc
SHA512: b2f87a492952eda412bcf085729408e8e81470150f8d8c944739b692f76b607c4abc25b17a6c5cfe4c915101a1d2ad6c55e80d0d04ecf5aaa353ccf888986299

Filesize: 92KB
MD5: c09c157cbcbae2d04d9538eabcaaddf3
SHA1: 00647fbccd19d55412f24b4a91740747cd1793ab
SHA256: 8762c9520df0958649178b4629372d57eb10d4f0b8ca759eac24009c1496fc1c
SHA512: 84494b12ab5ccc2455e732b0f4a66886bf6a458100f7d6fe2231799f7246ac48157c2808e4a6e303bcd0d0a2ac127e451d6b119329b05dddf0e26dd2b2801e58