e2f7ca22aacdedb489e6df6710c16bae7519bc7033d29dda95c9582c405ffee8

Analysis

max time kernel
135s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
Size

2.6MB
MD5

299add446ad38fe19ccac7f97ff8d57a
SHA1

0198fb3c98ebf604e4a88228aacc83bf308429b7
SHA256

e2f7ca22aacdedb489e6df6710c16bae7519bc7033d29dda95c9582c405ffee8
SHA512

bef140c7c34352ef072002312f07759928052cb2176f794d500807dab911742dc3e2ed5ae62fdbe0988d80ebb10cd3d8c12da7ff75fbd82f89b685eda5e61906
SSDEEP

49152:R4j4Fg/mTOii09HqbgILFAoCAV9m3ZeHniNnf3itUSG1YKyI:CEFa4O1mqMIioH5HoPuQ1YHI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
968	MSI3101.tmp
2684	Weather.exe

Loads dropped DLL 9 IoCs

pid	Process
640	MsiExec.exe
640	MsiExec.exe
640	MsiExec.exe
968	MSI3101.tmp
2960	MsiExec.exe
2684	Weather.exe
2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
2684	Weather.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Program Files (x86)\\AWS\\WeatherBug\\Weather.exe 1"	Weather.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2708	msiexec.exe
6	2924	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\Bot_loading.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\AWS\WeatherBug\download.txt	MsiExec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\wxbuglogo_hor.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_default.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\1px.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_failed2.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\center_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\xpchirpedu.bmp	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxlocm.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Wxpref.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_noconnection.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxreg.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\LeftNavbar60.JPG	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WBug_Loading.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\download.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\AWS\WeatherBug\download.txt	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxdist.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Weather.exe	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\wxbug.wav	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxBug.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\center_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxproa.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxweb.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\def_bot.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\wxutil.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\weather_window_loading.gif	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\alert_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_failed.html	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\skinmask60.bmp	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\Background60.jpg	msiexec.exe
File created	C:\Program Files (x86)\Setup Support for Weatherbug\uninst.exe	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\WxMisc.dll	msiexec.exe
File created	C:\Program Files (x86)\AWS\WeatherBug\Local\TopNavbar60.JPG	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f772dc4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3546.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI438B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f772dc5.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f772dc4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3101.tmp	msiexec.exe
File created	C:\Windows\Installer\f772dc5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f772dc8.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1668	taskkill.exe
960	taskkill.exe
2200	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	Weather.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Weather.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Weather.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	msiexec.exe
2924	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2924	msiexec.exe
Token: SeTakeOwnershipPrivilege	2924	msiexec.exe
Token: SeSecurityPrivilege	2924	msiexec.exe
Token: SeCreateTokenPrivilege	2708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2708	msiexec.exe
Token: SeLockMemoryPrivilege	2708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2708	msiexec.exe
Token: SeMachineAccountPrivilege	2708	msiexec.exe
Token: SeTcbPrivilege	2708	msiexec.exe
Token: SeSecurityPrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeLoadDriverPrivilege	2708	msiexec.exe
Token: SeSystemProfilePrivilege	2708	msiexec.exe
Token: SeSystemtimePrivilege	2708	msiexec.exe
Token: SeProfSingleProcessPrivilege	2708	msiexec.exe
Token: SeIncBasePriorityPrivilege	2708	msiexec.exe
Token: SeCreatePagefilePrivilege	2708	msiexec.exe
Token: SeCreatePermanentPrivilege	2708	msiexec.exe
Token: SeBackupPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeShutdownPrivilege	2708	msiexec.exe
Token: SeDebugPrivilege	2708	msiexec.exe
Token: SeAuditPrivilege	2708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2708	msiexec.exe
Token: SeChangeNotifyPrivilege	2708	msiexec.exe
Token: SeRemoteShutdownPrivilege	2708	msiexec.exe
Token: SeUndockPrivilege	2708	msiexec.exe
Token: SeSyncAgentPrivilege	2708	msiexec.exe
Token: SeEnableDelegationPrivilege	2708	msiexec.exe
Token: SeManageVolumePrivilege	2708	msiexec.exe
Token: SeImpersonatePrivilege	2708	msiexec.exe
Token: SeCreateGlobalPrivilege	2708	msiexec.exe
Token: SeCreateTokenPrivilege	2708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2708	msiexec.exe
Token: SeLockMemoryPrivilege	2708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2708	msiexec.exe
Token: SeMachineAccountPrivilege	2708	msiexec.exe
Token: SeTcbPrivilege	2708	msiexec.exe
Token: SeSecurityPrivilege	2708	msiexec.exe
Token: SeTakeOwnershipPrivilege	2708	msiexec.exe
Token: SeLoadDriverPrivilege	2708	msiexec.exe
Token: SeSystemProfilePrivilege	2708	msiexec.exe
Token: SeSystemtimePrivilege	2708	msiexec.exe
Token: SeProfSingleProcessPrivilege	2708	msiexec.exe
Token: SeIncBasePriorityPrivilege	2708	msiexec.exe
Token: SeCreatePagefilePrivilege	2708	msiexec.exe
Token: SeCreatePermanentPrivilege	2708	msiexec.exe
Token: SeBackupPrivilege	2708	msiexec.exe
Token: SeRestorePrivilege	2708	msiexec.exe
Token: SeShutdownPrivilege	2708	msiexec.exe
Token: SeDebugPrivilege	2708	msiexec.exe
Token: SeAuditPrivilege	2708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2708	msiexec.exe
Token: SeChangeNotifyPrivilege	2708	msiexec.exe
Token: SeRemoteShutdownPrivilege	2708	msiexec.exe
Token: SeUndockPrivilege	2708	msiexec.exe
Token: SeSyncAgentPrivilege	2708	msiexec.exe
Token: SeEnableDelegationPrivilege	2708	msiexec.exe
Token: SeManageVolumePrivilege	2708	msiexec.exe
Token: SeImpersonatePrivilege	2708	msiexec.exe
Token: SeCreateGlobalPrivilege	2708	msiexec.exe
Token: SeCreateTokenPrivilege	2708	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	msiexec.exe
2708	msiexec.exe
2684	Weather.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2684	Weather.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2684	Weather.exe
2684	Weather.exe
2684	Weather.exe
2684	Weather.exe
2684	Weather.exe
2684	Weather.exe
2684	Weather.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2708	2220	299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe	30
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 2924 wrote to memory of 640	2924	msiexec.exe	32
PID 640 wrote to memory of 1668	640	MsiExec.exe	34
PID 640 wrote to memory of 1668	640	MsiExec.exe	34
PID 640 wrote to memory of 1668	640	MsiExec.exe	34
PID 640 wrote to memory of 1668	640	MsiExec.exe	34
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2924 wrote to memory of 2960	2924	msiexec.exe	39
PID 2960 wrote to memory of 960	2960	MsiExec.exe	40
PID 2960 wrote to memory of 960	2960	MsiExec.exe	40
PID 2960 wrote to memory of 960	2960	MsiExec.exe	40
PID 2960 wrote to memory of 960	2960	MsiExec.exe	40
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2924 wrote to memory of 968	2924	msiexec.exe	42
PID 2960 wrote to memory of 2200	2960	MsiExec.exe	43
PID 2960 wrote to memory of 2200	2960	MsiExec.exe	43
PID 2960 wrote to memory of 2200	2960	MsiExec.exe	43
PID 2960 wrote to memory of 2200	2960	MsiExec.exe	43
PID 2924 wrote to memory of 1648	2924	msiexec.exe	45
PID 2924 wrote to memory of 1648	2924	msiexec.exe	45
PID 2924 wrote to memory of 1648	2924	msiexec.exe	45
PID 2924 wrote to memory of 1648	2924	msiexec.exe	45
PID 2924 wrote to memory of 1648	2924	msiexec.exe	45
PID 2924 wrote to memory of 2684	2924	msiexec.exe	47
PID 2924 wrote to memory of 2684	2924	msiexec.exe	47
PID 2924 wrote to memory of 2684	2924	msiexec.exe	47
PID 2924 wrote to memory of 2684	2924	msiexec.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\299add446ad38fe19ccac7f97ff8d57a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\WeatherBugSetup.msi ISSILENTINSTALL=1 ISLAUNCH=1 ZCODE=Z6821 PREREG=2 REGTYPE=2 WXBUGCOMMAND=1
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A5FCA424F30EF81C535763C417D0DC C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:1668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 718438D0A031FCC7B9A17D290E7146A7
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:960
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /f /im Weather.exe
    3⤵
    - Kills process with taskkill
    PID:2200
- C:\Windows\Installer\MSI3101.tmp
  "C:\Windows\Installer\MSI3101.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:968
- C:\Windows\system32\msiexec.exe
  "msiexec.exe" /x {70DECFBF-9119-4434-B2D3-A3C283D15E45} /qn
  2⤵
  PID:1648
- C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
  "C:\Program Files (x86)\AWS\WeatherBug\Weather.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "000000000000048C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f772dc6.rbs

Filesize
14KB

MD5
f07cbd9a400a17febb53068d88c649c1

SHA1
b57054a6414f359a2d21a0a92d5279c983615b85

SHA256
3cf6b21232e6f3c223865b299f1971a84f7f8bbbe3174c6f584a616a1cd86227

SHA512
74ba7dd4f0a2ea055dd6fd9ce5abe1d8f98aa3efacc36825f8d7a97164cbfbcd33c6ec4fc8a1009b076c50019b5fb1944c0b0373aff20c8f8fe674b78726649d

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\LeftNavbar60.jpg

Filesize
57KB

MD5
9b4d3cc1defa1efe0776ebf8bc72feba

SHA1
25935f40c61d99b2c98ca2d2780fecc1d51ad42f

SHA256
cb81a7917e1220f2b2813442f9e56530b3b75b79226bfee9631cdd1ca4fe5edc

SHA512
96c6ce540aed3787705f0f2ec37daa954af3c2b90993fb27845e9f066b4972ae82567a40c23fd5f231e5ab8a00deb364c75597a960a9bb7a8d1ebbc4ed53bcc2

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\TopNavbar60.jpg

Filesize
13KB

MD5
d6bfc2511f69cd46f89b8b5ad61dcc7b

SHA1
d9a79d4912c03da74247107119f677b8168766c0

SHA256
32f336b185019cf1440376e43cf7123f8c5b6171cfebfa1b907c386ff66d42e3

SHA512
10671db455c8d33466bee2442c1494be52febd2504f6981a55d511e1edced31067ba1205daf1007d6bad74888866921d05388cf89ab00b7507820ae71a5d3b48

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\WxWindow_loading.html

Filesize
400B

MD5
b0d89eb2f46778c5ce788faa486336a8

SHA1
47942c37e04ecc7fcdbda06a8ef5599a97d7f980

SHA256
5d5a6c51ac2f9b4022b1d2652fad67adcc132d22f3584d341bc22ea572246c6b

SHA512
bce54ab3f56c807af3a0fa1fb57e23cc92b3afe2b464ad291295b50c403693767d0ec88aef7cebfef47cfa9cd6e890dc3f06fec5a8890019a950940e7c16dc3f

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\background60.jpg

Filesize
98KB

MD5
14db8321845f7fa28050e64a218e6f24

SHA1
e9ee9ebf0e3b1e4b79c5a272e238e57662026211

SHA256
2e061faf80f40f3b62040d5ed45e2c5e628eaebe0f694aebfcbf59210a9a9e15

SHA512
1240d07269c55e4aff5b1c3666d136a53ac3fd11dbfd6b1b0b428f313a4f237001d25e01b9a87c055a3f6adfcaf6a58d74812752ad6a515b9c73e850ba7f8e6e

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.gif

Filesize
10KB

MD5
7deaa994973b314179b8dc01e39367a3

SHA1
dc1980e00d341d85251933883712900ab4ee396a

SHA256
d790d3c304409a9d5df3c890730519850492ed51699e78a74069b51e9f713209

SHA512
0ecaf08d504a8066f00063ae962d470e1c8e4b1c8daf7a682d27b0585eb2307266467a8b94396d201ba846f72ab01c302755f2beaf4910727e4b510e12d7afff

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\bot_loading.html

Filesize
145B

MD5
f86c28eee915d1741013788e5ccc4c0e

SHA1
a47458fc6ffa4d9d2c18c5b9384b6d923b631b0d

SHA256
3124c0b4695280933f7ead834bae53b0453caf375b736d09d086fc6f63709eba

SHA512
d39a782e207d835e9e6a49e806077c03fc81d4fc5ce196bf676420fa18ece55a604d7954a7cbfc41afa40b4efdcec0fa0b7118d66a61b52801631b8575d81762

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\skinmask60.bmp

Filesize
67KB

MD5
92d00a79ad5db3378008d291b2f97a05

SHA1
875fb977c7d5176a9d2f12d77af7d59624f0d651

SHA256
8f1b71d2f385af56b6d645123a0c8a18fec7d9f0e5b39bf28b0b59fe656d8b03

SHA512
61b688d38aa7856b19f50a81a5c2af90c29e53f9033e560d9b81f5e0cbbddd8b240107276491f1350659146bb1972f7a3dacdcf5b3f510abf01e68916d0e03ea

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Local\weather_window_loading.gif

Filesize
9KB

MD5
ee302873619c0e3a199641d130a42136

SHA1
b1085049afa12374326687ecac81d159db1588d5

SHA256
6eab5879e8bd8c8c9cacd431a882662c363c3fff75c702564c6f492ef0e5e601

SHA512
7b49df9b0b638ef3294910d4dda41d6d2bd74405bfc1cd886f743e710d41d68ec274fa3b6ac429088766f55ef48a6f1c6ff67d6100b5032064c352faba78b25d

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\Weather.exe

Filesize
1.6MB

MD5
f2596401db33c35e17d7f3fa7f38ef8b

SHA1
ef8d5826a2dedb41759dc309aad0b48dcb6d7f14

SHA256
c01a6bb2063deffe5fb8c599092065e47d2bf547ef438d576808879c7f9b97a8

SHA512
02ca458c8a7bf33a5217e42d53042941ab5a9bb3a158ffa62018b5bd4f2801e61160519481f3fd91a9a67b4a791348f6f8f2c074bb11fe099811991f5fbe0f47

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\WxDist.dll

Filesize
214KB

MD5
9aca98b6051ab442a3b87d0db601900c

SHA1
3157a14165b5574832cdb93aeda74e3d811941e1

SHA256
aa7f7614f3e282d62add181225499fa8e16550853c76bbf725e7723fa5fc2abf

SHA512
190eccc9483a0bb75b5bf68785fdf7e356a365e3e04780f16b1a9dbd2e01cea0ca45e40e5eb1c3abe6e77bd556d8ef25a4a9ad9a0495fdfe101a406b357785c6

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\WxMisc.dll

Filesize
175KB

MD5
4daba1df6081aa00a3f6f6d5a043fd90

SHA1
38b8f9ef5f31003f7aa9eda06b0af8e90bf189b0

SHA256
f22fa22c8e4db3236a3810b629c67f32e6c3159d6faff522dd4d74f3c949df34

SHA512
ce4d0181d32c495d10e9f1c5b0da0af20ec501f680040e852d16c10dd15aa79f3beaa396f5e66debfd63d649a40d566405b76b7939d9849f771f8c3e50007ce7

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\download.txt

Filesize
21B

MD5
1607e9df35a98094e3236cc7feb972d3

SHA1
e74d4ad0392256a5f76287da82012209c8eeefff

SHA256
cc123b21754c44fdbf3bdb5442b1e2eeb1a913443a207ac2ba48d68753c51876

SHA512
271346bc54a8f8e789397543db1e8d0b5dc3fbb2b9022287cdad984f01e53a3511fb275ba8ebe4ad1a0457cf2c297613de9f89228754ccd97e9f30b2b745d3bc

Download Submit
C:\Program Files (x86)\AWS\WeatherBug\download.txt

Filesize
21B

MD5
4baf242e90b0ac23315e09a297f55a1f

SHA1
a9d647c229c736c166b47b2e7f9ed42ef16b3741

SHA256
b94d7cf179bdf7cb4d22740f079a22682684890fc94da65169cf3856987f079b

SHA512
e5f004f89890f0e1f92ca485dcc48ae2b34ffb5a827867a11f6f83c4bdb340e966615937a69a88c7b121fe39ab8d06d4feb4ffe377046cd1dce237e2200f13c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_D1A03C098F3FCAB4BEBEE6D2533CB0A4

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_D1A03C098F3FCAB4BEBEE6D2533CB0A4

Filesize
400B

MD5
25c5b64b8a5fff1bc7bed21094d3e81e

SHA1
fe0a9fc887044388ae6d23e8017c445017c06d49

SHA256
3eb282504d0ad10e05e02468705dd2ee8aaa9148224d69848f1f7a155b05a4a5

SHA512
735b2528b42cb601209600dadf98296d4eeb3ab53e792933fd429f8d57d10e28bf1cd11d02d6578c73b78dbaa2a4d95de9f3fe4127af61ce124ce99877535f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
604c717e9c197c33bfce1101175b9a7b

SHA1
17f3c7bef02e2117d84c0226b65bddee96708ad7

SHA256
6173445a996e741d4bb73430b1411808969c9a73eb7f2dd8dc16c53cf73a1ce1

SHA512
f7e1d3d8aaed248f3add72f3d5f410d97c9c454e5197cf3fa94b4e545ea087ff2e970ec9cf23eb184a6026b96dfdec3b409b10cded3ac740398f2b954ba6aa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F6A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE8.tmp

Filesize
126KB

MD5
48a8123016d261e45ee807c0e238a971

SHA1
d7c8bc1e4d6437697f137cff3eca0e31e49a55cf

SHA256
871f195e12ebb609e6179756092a5821e78cbf920c5c3c7da9ceb01aca991a78

SHA512
a03ed081d740160f92f0f46315e3eff6aa7ac1b6ca65c28be595a802b4d32614cc778d57792b0fbc68ec2ce7382bfcee6c4009226cb2b5428c5819d3b6d5828f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDF8.tmp

Filesize
125KB

MD5
17e171f53f5378f637942286c4dc05fc

SHA1
56e54c86e9445ae7b33230501f17e710c5f47596

SHA256
90d450c12864c8b76e07bd87c6ead25636fef032ffaa056722d2f53f58d64037

SHA512
d67b8ebd2e6091cf17a01ec73fc136eb9119e2fb3682b12dfb57d96f633d94be4805df5e10a5736197d64e04a6327d97bac943227155e9f9daa40e6944404fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherBugSetup.msi

Filesize
3.1MB

MD5
8c23be9e13b10ce4e5969abd7d838576

SHA1
adda1875ca69a6b9e21e4257833c508a46fa85c1

SHA256
8d62da599bb3c0262a3b90ad2ea04da1834f7e4eee95e088951a2dabeae75589

SHA512
74430f4495c11e0f1e2d747c72b7a984f531c2f1dbd18e3e772256b687c9a1a86c65dc54bfc5b03359eddd55812ce49239ab46f9aaccfa2b177c36d2ff93d02e

Download Submit
C:\Windows\Installer\MSI3101.tmp

Filesize
109KB

MD5
2771433a2527c4b450e35d953341aac9

SHA1
d55be08e59b7228243a2db15bdf9f28540272f6f

SHA256
66fe4b4c948918cc508018c8aa111f90db610791ffeba5ada3e57a2cebd77bdf

SHA512
6514bed87ea469b539b3d56afb0922cdc5aa87eb79207fda7e3bb7b8390fa3a4fef59f916eb28fd199293b119e173942020c3329c59f007a5b59e9205c673f5b

Download Submit
\Users\Admin\AppData\Local\Temp\GLC314D.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
\Users\Admin\AppData\Local\Temp\nse44BF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nse44BF.tmp\inetc.dll

Filesize
20KB

MD5
e541458cfe66ef95ffbea40eaaa07289

SHA1
caec1233f841ee72004231a3027b13cdeb13274c

SHA256
3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420

SHA512
0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

Download Submit
memory/640-30-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/2960-54-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download