a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
Size

593KB
MD5

3673d5090b77a0b033da84545fda2f0f
SHA1

010d2e93a19af30eb6f17052abd855933edc4873
SHA256

a6e63d38a8ebe09d0c09b45d7245137f1cdd0e7e9e978997814ea9bd6c33ee33
SHA512

05f91a2f9dc112b80bdca6db4ccc907041ad267812d9aa514d513c2d9673b9b4aed48699bf019d2dc95e7101bb9601334d6e17d4f77f7ba2fb85303f3c7349de
SSDEEP

12288:a39mSPuqDWEB1l9gvW01XM/f85jsz1+ruUA+lpOxuGzVg7I:ymS2savWoXEqsB+S+lUkGO7I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
2532	MsiExec.exe
2532	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2252	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2252	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	2252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2252	msiexec.exe
Token: SeLockMemoryPrivilege	2252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2252	msiexec.exe
Token: SeMachineAccountPrivilege	2252	msiexec.exe
Token: SeTcbPrivilege	2252	msiexec.exe
Token: SeSecurityPrivilege	2252	msiexec.exe
Token: SeTakeOwnershipPrivilege	2252	msiexec.exe
Token: SeLoadDriverPrivilege	2252	msiexec.exe
Token: SeSystemProfilePrivilege	2252	msiexec.exe
Token: SeSystemtimePrivilege	2252	msiexec.exe
Token: SeProfSingleProcessPrivilege	2252	msiexec.exe
Token: SeIncBasePriorityPrivilege	2252	msiexec.exe
Token: SeCreatePagefilePrivilege	2252	msiexec.exe
Token: SeCreatePermanentPrivilege	2252	msiexec.exe
Token: SeBackupPrivilege	2252	msiexec.exe
Token: SeRestorePrivilege	2252	msiexec.exe
Token: SeShutdownPrivilege	2252	msiexec.exe
Token: SeDebugPrivilege	2252	msiexec.exe
Token: SeAuditPrivilege	2252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2252	msiexec.exe
Token: SeChangeNotifyPrivilege	2252	msiexec.exe
Token: SeRemoteShutdownPrivilege	2252	msiexec.exe
Token: SeUndockPrivilege	2252	msiexec.exe
Token: SeSyncAgentPrivilege	2252	msiexec.exe
Token: SeEnableDelegationPrivilege	2252	msiexec.exe
Token: SeManageVolumePrivilege	2252	msiexec.exe
Token: SeImpersonatePrivilege	2252	msiexec.exe
Token: SeCreateGlobalPrivilege	2252	msiexec.exe
Token: SeCreateTokenPrivilege	2252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2252	msiexec.exe
Token: SeLockMemoryPrivilege	2252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2252	msiexec.exe
Token: SeMachineAccountPrivilege	2252	msiexec.exe
Token: SeTcbPrivilege	2252	msiexec.exe
Token: SeSecurityPrivilege	2252	msiexec.exe
Token: SeTakeOwnershipPrivilege	2252	msiexec.exe
Token: SeLoadDriverPrivilege	2252	msiexec.exe
Token: SeSystemProfilePrivilege	2252	msiexec.exe
Token: SeSystemtimePrivilege	2252	msiexec.exe
Token: SeProfSingleProcessPrivilege	2252	msiexec.exe
Token: SeIncBasePriorityPrivilege	2252	msiexec.exe
Token: SeCreatePagefilePrivilege	2252	msiexec.exe
Token: SeCreatePermanentPrivilege	2252	msiexec.exe
Token: SeBackupPrivilege	2252	msiexec.exe
Token: SeRestorePrivilege	2252	msiexec.exe
Token: SeShutdownPrivilege	2252	msiexec.exe
Token: SeDebugPrivilege	2252	msiexec.exe
Token: SeAuditPrivilege	2252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2252	msiexec.exe
Token: SeChangeNotifyPrivilege	2252	msiexec.exe
Token: SeRemoteShutdownPrivilege	2252	msiexec.exe
Token: SeUndockPrivilege	2252	msiexec.exe
Token: SeSyncAgentPrivilege	2252	msiexec.exe
Token: SeEnableDelegationPrivilege	2252	msiexec.exe
Token: SeManageVolumePrivilege	2252	msiexec.exe
Token: SeImpersonatePrivilege	2252	msiexec.exe
Token: SeCreateGlobalPrivilege	2252	msiexec.exe
Token: SeCreateTokenPrivilege	2252	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2984	2028	3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 2984 wrote to memory of 2252	2984	setup.exe	31
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33
PID 3040 wrote to memory of 2532	3040	msiexec.exe	33

C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3673d5090b77a0b033da84545fda2f0f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\SP-Fantasy_Installer.msi"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DFCA485B2D0A0A1EF29153C5F384D86 C
  2⤵
  - Loads dropped DLL
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSID29D.tmp

Filesize
222KB

MD5
fb4ed24de182178cac3cd3870a4ba5b6

SHA1
38b168fbe97b72a5de5eaef16535ea1aed964e1b

SHA256
5070b4cdf7e2f95535f3340a3a0d9bce496478d0bd445b470dd67278a910c578

SHA512
03ffa685a28333cc7d8eb4a0fdd8c5dce85ca1126bcdefebda83a91586b98ae559d56074b943a6df0ec011eaa58b6841026ffb8b42e08b74351b0118011d3c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\SP-Fantasy_Installer.msi

Filesize
524KB

MD5
149c5470d721e646952cea819487ff28

SHA1
5e6ee0a902135f80aea5adace0ea07c03cb82b4e

SHA256
f8ca4710cf343b7afe9fd6003a8387374a709feb5929f7bc0ff54c5cea5148b7

SHA512
a2cbf9418d207d8321050cbef4fde3900f9b857441f5e22f400a7eadc948c0ee421946e0208af5761ba34f6b2e58c52f7fe632a22cc487c261c577d4747b5cc4

Download Submit
\Users\Admin\AppData\Local\Temp\luiCDBB.tmp\setup.exe

Filesize
366KB

MD5
b07a06446303767f1c8c26bc1ef83baf

SHA1
94aa8c6ddd5f6e96867e997f150c63ebf1fc0019

SHA256
349df2da098acb773284ebf50503cab096c949cf4bb63d75e96d75bed7937564

SHA512
be1592432745c66e7c5eef56dd452ca32dd9e461eb7522cd3e58a2dde8f4341c46aa2fa44be1a72151e259dd2fd7cb246091040e05486a5ee5f042077dd234a4

Download Submit