2e3210c014a4d021fb1dcf512ddc69217f1e3568b40424767898661a7dacc0a7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe
Size

740KB
MD5

30999f103c3100024db2d3f7ab1ceb83
SHA1

a9590f9490f01fb05e2194719d929ca58b2a6225
SHA256

2e3210c014a4d021fb1dcf512ddc69217f1e3568b40424767898661a7dacc0a7
SHA512

c9a01108cf1179f90bf2cb25301e8677a52f89337e3be7e7a8bb71f983c3a54aaeb6b1f6244cacd58290a48707b23eaf4b1fb5c73e035207197a9a1e6801eb60
SSDEEP

12288:GzxveAzCRr454zNAuYrQUsOiDcE13HiUomTG9RFqtK2amYb:CmeCRr4epAuYcjOiggQEEOK2JW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2696	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2364	msiexec.exe
Token: SeTakeOwnershipPrivilege	2364	msiexec.exe
Token: SeSecurityPrivilege	2364	msiexec.exe
Token: SeCreateTokenPrivilege	2348	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2348	msiexec.exe
Token: SeLockMemoryPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeMachineAccountPrivilege	2348	msiexec.exe
Token: SeTcbPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeLoadDriverPrivilege	2348	msiexec.exe
Token: SeSystemProfilePrivilege	2348	msiexec.exe
Token: SeSystemtimePrivilege	2348	msiexec.exe
Token: SeProfSingleProcessPrivilege	2348	msiexec.exe
Token: SeIncBasePriorityPrivilege	2348	msiexec.exe
Token: SeCreatePagefilePrivilege	2348	msiexec.exe
Token: SeCreatePermanentPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeDebugPrivilege	2348	msiexec.exe
Token: SeAuditPrivilege	2348	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2348	msiexec.exe
Token: SeChangeNotifyPrivilege	2348	msiexec.exe
Token: SeRemoteShutdownPrivilege	2348	msiexec.exe
Token: SeUndockPrivilege	2348	msiexec.exe
Token: SeSyncAgentPrivilege	2348	msiexec.exe
Token: SeEnableDelegationPrivilege	2348	msiexec.exe
Token: SeManageVolumePrivilege	2348	msiexec.exe
Token: SeImpersonatePrivilege	2348	msiexec.exe
Token: SeCreateGlobalPrivilege	2348	msiexec.exe
Token: SeCreateTokenPrivilege	2348	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2348	msiexec.exe
Token: SeLockMemoryPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeMachineAccountPrivilege	2348	msiexec.exe
Token: SeTcbPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeLoadDriverPrivilege	2348	msiexec.exe
Token: SeSystemProfilePrivilege	2348	msiexec.exe
Token: SeSystemtimePrivilege	2348	msiexec.exe
Token: SeProfSingleProcessPrivilege	2348	msiexec.exe
Token: SeIncBasePriorityPrivilege	2348	msiexec.exe
Token: SeCreatePagefilePrivilege	2348	msiexec.exe
Token: SeCreatePermanentPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeDebugPrivilege	2348	msiexec.exe
Token: SeAuditPrivilege	2348	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2348	msiexec.exe
Token: SeChangeNotifyPrivilege	2348	msiexec.exe
Token: SeRemoteShutdownPrivilege	2348	msiexec.exe
Token: SeUndockPrivilege	2348	msiexec.exe
Token: SeSyncAgentPrivilege	2348	msiexec.exe
Token: SeEnableDelegationPrivilege	2348	msiexec.exe
Token: SeManageVolumePrivilege	2348	msiexec.exe
Token: SeImpersonatePrivilege	2348	msiexec.exe
Token: SeCreateGlobalPrivilege	2348	msiexec.exe
Token: SeCreateTokenPrivilege	2348	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 1224 wrote to memory of 2348	1224	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32
PID 2364 wrote to memory of 2696	2364	msiexec.exe	32

C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Ramino Royal Install\install\RummyRoyal_Live_it.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBAD15A1DB8154A3ADCF4CA45FE9528E C
  2⤵
  - Loads dropped DLL
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Ramino Royal Install\install\RummyRoyal_Live_it.msi

Filesize
318KB

MD5
352079e14fc6ebf4719ce2ed7c3c167a

SHA1
d517112ab18ba321b66794f0360b3ff4bd44da3f

SHA256
379cb6351ac2ede96abb3af154270f68615b9afe05f12f87545f939738cbd3b4

SHA512
3d2625edff18bdedc993849145cd9841f944c905e7e77dc1bb2d94baa6d95f0605cf2e5fd40f1af00e3d9372b6b1f656547374df301b63866790e00e5d51a410

Download Submit
\Users\Admin\AppData\Local\Temp\MSI251D.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit