Overview

overview

7

Static

static

3

30999f103c...18.exe

windows7-x64

7

30999f103c...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/07/2024, 13:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe

  • Size

    740KB

  • MD5

    30999f103c3100024db2d3f7ab1ceb83

  • SHA1

    a9590f9490f01fb05e2194719d929ca58b2a6225

  • SHA256

    2e3210c014a4d021fb1dcf512ddc69217f1e3568b40424767898661a7dacc0a7

  • SHA512

    c9a01108cf1179f90bf2cb25301e8677a52f89337e3be7e7a8bb71f983c3a54aaeb6b1f6244cacd58290a48707b23eaf4b1fb5c73e035207197a9a1e6801eb60

  • SSDEEP

    12288:GzxveAzCRr454zNAuYrQUsOiDcE13HiUomTG9RFqtK2amYb:CmeCRr4epAuYcjOiggQEEOK2JW

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\system32\msiexec.exe
      /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Ramino Royal Install\install\RummyRoyal_Live_it.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\30999f103c3100024db2d3f7ab1ceb83_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1224
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6F60CA8E1C6A76A6130AAA4646225710 C
      2⤵
      • Loads dropped DLL
      PID:1796

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=398F25FBEB7364483F17314CEAF065A8; domain=.bing.com; expires=Sun, 03-Aug-2025 15:02:08 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5396D8C1D0BD44539A1290CC375D2E5D Ref B: AMS04EDGE2608 Ref C: 2024-07-09T15:02:08Z
    date: Tue, 09 Jul 2024 15:02:07 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=398F25FBEB7364483F17314CEAF065A8
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Av_JwMeGSu2LepK0e1VGnDQjzTUwHgW2eJttnAwaW0g; domain=.bing.com; expires=Sun, 03-Aug-2025 15:02:08 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5666EAF7CBA7472DB475269A728A4757 Ref B: AMS04EDGE2608 Ref C: 2024-07-09T15:02:08Z
    date: Tue, 09 Jul 2024 15:02:07 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=
    Remote address:
    13.107.21.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=398F25FBEB7364483F17314CEAF065A8; MSPTC=Av_JwMeGSu2LepK0e1VGnDQjzTUwHgW2eJttnAwaW0g
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 81BFE1C7078D476494F710AB7841C4A0 Ref B: AMS04EDGE2608 Ref C: 2024-07-09T15:02:08Z
    date: Tue, 09 Jul 2024 15:02:08 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    237.21.107.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.21.107.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.177.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=dd1244b84f3549748c4b1594888dd97f&localId=w:BA92A146-83EA-3704-B8DF-12231551E870&deviceId=6966568097803362&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    13.107.21.237
    204.79.197.237

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    237.21.107.13.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    22.177.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI9FBA.tmp
    Filesize

    14KB

    MD5

    1afa5d8db46927c210ca89b7ec81e1c7

    SHA1

    e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

    SHA256

    e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

    SHA512

    6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

    Download Submit

  • C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Ramino Royal Install\install\RummyRoyal_Live_it.msi
    Filesize

    318KB

    MD5

    352079e14fc6ebf4719ce2ed7c3c167a

    SHA1

    d517112ab18ba321b66794f0360b3ff4bd44da3f

    SHA256

    379cb6351ac2ede96abb3af154270f68615b9afe05f12f87545f939738cbd3b4

    SHA512

    3d2625edff18bdedc993849145cd9841f944c905e7e77dc1bb2d94baa6d95f0605cf2e5fd40f1af00e3d9372b6b1f656547374df301b63866790e00e5d51a410

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.