2e3210c014a4d021fb1dcf512ddc69217f1e3568b40424767898661a7dacc0a7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 13:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe
Size

740KB
MD5

30999f103c3100024db2d3f7ab1ceb83
SHA1

a9590f9490f01fb05e2194719d929ca58b2a6225
SHA256

2e3210c014a4d021fb1dcf512ddc69217f1e3568b40424767898661a7dacc0a7
SHA512

c9a01108cf1179f90bf2cb25301e8677a52f89337e3be7e7a8bb71f983c3a54aaeb6b1f6244cacd58290a48707b23eaf4b1fb5c73e035207197a9a1e6801eb60
SSDEEP

12288:GzxveAzCRr454zNAuYrQUsOiDcE13HiUomTG9RFqtK2amYb:CmeCRr4epAuYcjOiggQEEOK2JW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1796	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	2812	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeMachineAccountPrivilege	1224	msiexec.exe
Token: SeTcbPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeLoadDriverPrivilege	1224	msiexec.exe
Token: SeSystemProfilePrivilege	1224	msiexec.exe
Token: SeSystemtimePrivilege	1224	msiexec.exe
Token: SeProfSingleProcessPrivilege	1224	msiexec.exe
Token: SeIncBasePriorityPrivilege	1224	msiexec.exe
Token: SeCreatePagefilePrivilege	1224	msiexec.exe
Token: SeCreatePermanentPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeDebugPrivilege	1224	msiexec.exe
Token: SeAuditPrivilege	1224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1224	msiexec.exe
Token: SeChangeNotifyPrivilege	1224	msiexec.exe
Token: SeRemoteShutdownPrivilege	1224	msiexec.exe
Token: SeUndockPrivilege	1224	msiexec.exe
Token: SeSyncAgentPrivilege	1224	msiexec.exe
Token: SeEnableDelegationPrivilege	1224	msiexec.exe
Token: SeManageVolumePrivilege	1224	msiexec.exe
Token: SeImpersonatePrivilege	1224	msiexec.exe
Token: SeCreateGlobalPrivilege	1224	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1224	msiexec.exe
Token: SeMachineAccountPrivilege	1224	msiexec.exe
Token: SeTcbPrivilege	1224	msiexec.exe
Token: SeSecurityPrivilege	1224	msiexec.exe
Token: SeTakeOwnershipPrivilege	1224	msiexec.exe
Token: SeLoadDriverPrivilege	1224	msiexec.exe
Token: SeSystemProfilePrivilege	1224	msiexec.exe
Token: SeSystemtimePrivilege	1224	msiexec.exe
Token: SeProfSingleProcessPrivilege	1224	msiexec.exe
Token: SeIncBasePriorityPrivilege	1224	msiexec.exe
Token: SeCreatePagefilePrivilege	1224	msiexec.exe
Token: SeCreatePermanentPrivilege	1224	msiexec.exe
Token: SeBackupPrivilege	1224	msiexec.exe
Token: SeRestorePrivilege	1224	msiexec.exe
Token: SeShutdownPrivilege	1224	msiexec.exe
Token: SeDebugPrivilege	1224	msiexec.exe
Token: SeAuditPrivilege	1224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1224	msiexec.exe
Token: SeChangeNotifyPrivilege	1224	msiexec.exe
Token: SeRemoteShutdownPrivilege	1224	msiexec.exe
Token: SeUndockPrivilege	1224	msiexec.exe
Token: SeSyncAgentPrivilege	1224	msiexec.exe
Token: SeEnableDelegationPrivilege	1224	msiexec.exe
Token: SeManageVolumePrivilege	1224	msiexec.exe
Token: SeImpersonatePrivilege	1224	msiexec.exe
Token: SeCreateGlobalPrivilege	1224	msiexec.exe
Token: SeCreateTokenPrivilege	1224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1224	msiexec.exe
Token: SeLockMemoryPrivilege	1224	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1224	384	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	85
PID 384 wrote to memory of 1224	384	30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe	85
PID 2812 wrote to memory of 1796	2812	msiexec.exe	88
PID 2812 wrote to memory of 1796	2812	msiexec.exe	88
PID 2812 wrote to memory of 1796	2812	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Ramino Royal Install\install\RummyRoyal_Live_it.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6F60CA8E1C6A76A6130AAA4646225710 C
  2⤵
  - Loads dropped DLL
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9FBA.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit
C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Ramino Royal Install\install\RummyRoyal_Live_it.msi

Filesize
318KB

MD5
352079e14fc6ebf4719ce2ed7c3c167a

SHA1
d517112ab18ba321b66794f0360b3ff4bd44da3f

SHA256
379cb6351ac2ede96abb3af154270f68615b9afe05f12f87545f939738cbd3b4

SHA512
3d2625edff18bdedc993849145cd9841f944c905e7e77dc1bb2d94baa6d95f0605cf2e5fd40f1af00e3d9372b6b1f656547374df301b63866790e00e5d51a410

Download Submit