Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13-07-2024 02:10
Static task: static1
Behavioral task: behavioral1, sample 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe, resource win7-20240705-en
Behavioral task: behavioral2, sample 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe, resource win10v2004-20240709-en
General
Target: 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe
Size: 1.1MB
MD5: 3fc934b7990b9fa0a8b7146d147baca9
SHA1: af82b3323a94ae7693a5ab8e8d0b77724132db7a
SHA256: 97b101b592d4fea04ff8aa841345b71f7dfc7482877660c51da000959dff063e
SHA512: bda1125ced6e119777e26f3a6361b29738719b70ecfa48e4a4844dc1d1101d26ac64367d2d8e3cb8a1d97dde3a917fa6f6454297f4aa67189b39f3072249ee11
SSDEEP: 24576:GRsK4+2TIN3WeXv93RCWW5lvX2Y8iWZGtVW8UegoEvCBd6W3k:G78W3WeXv930X/4eo8P9EvK6W3k
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
pid Process
2988 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe
2812 MsiExec.exe
2812 MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: msiexec.exe
ioc: the drive roots \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:, each opened twice (23 drive letters, 46 entries; C:, D: and F: do not appear in the list).
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process
1984 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process
Token: SeRestorePrivilege 2792 msiexec.exe
Token: SeTakeOwnershipPrivilege 2792 msiexec.exe
Token: SeSecurityPrivilege 2792 msiexec.exe
(In the sandbox's order these three 2792 entries fall after the first two 1984 entries below.)
Token adjustments by 1984 msiexec.exe (61 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following sequence of 29 privileges, which appears twice in full and is followed by a final SeCreateTokenPrivilege: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege.
Suspicious use of FindShellTrayWindow (1 IoC)
pid Process
1984 msiexec.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2988 wrote to memory of 1984 | 2988 | 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe | 30 (7 identical entries)
PID 2792 wrote to memory of 2812 | 2792 | msiexec.exe | 32 (7 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe (PID 2988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\msiexec.exe (PID 1984)
    Command line: /i "C:\Users\Admin\AppData\Roaming\FileSubmit\180498\install\6D49DA4\180498.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2792)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\syswow64\MsiExec.exe (PID 2812)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C1291200D0DF8E4086D018240EB6DFCE C
    - Loads dropped DLL
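The signature tables above are flattened one-row-per-IoC dumps, and the process tree is what ties them together. The following Python is an added example, not part of this report or of any sandbox vendor's tooling: it parses constructed excerpts of the drive, privilege and WriteProcessMemory tables (copied from the report, deliberately not the complete tables) into structured records and prints a short triage summary: unique drive letters per image, privileges adjusted per PID, and parent-to-child WriteProcessMemory edges with call counts. The list of "high-value" privileges is the example's own selection.

```python
"""Parse the flattened signature tables of a sandbox report into records.

Added example: not part of the report above or of any sandbox vendor's code.
The three strings below are constructed excerpts copied from the report's
tables (not the complete tables); HIGH_VALUE is this example's own choice.
"""
import re
from collections import Counter

# Constructed excerpts of the report's tables (truncated on purpose).
DRIVE_IOCS = (
    r"File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe "
    r"File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe"
)
PRIV_IOCS = (
    "Token: SeShutdownPrivilege 1984 msiexec.exe Token: SeIncreaseQuotaPrivilege 1984 msiexec.exe "
    "Token: SeRestorePrivilege 2792 msiexec.exe Token: SeTakeOwnershipPrivilege 2792 msiexec.exe "
    "Token: SeDebugPrivilege 1984 msiexec.exe Token: SeShutdownPrivilege 1984 msiexec.exe"
)
WPM_IOCS = (
    "PID 2988 wrote to memory of 1984 2988 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe 30 "
    "PID 2988 wrote to memory of 1984 2988 3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe 30 "
    "PID 2792 wrote to memory of 2812 2792 msiexec.exe 32"
)

# One row per IoC: "File opened (read-only) \??\X: <image>"
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
# One row per IoC: "Token: <privilege> <pid> <image>"
PRIV_RE = re.compile(r"Token: (Se\w+?Privilege) (\d+) (\S+)")
# One row per call: "PID <parent> wrote to memory of <child> <pid> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Privileges worth a second look when adjusted by a user-launched process
# (this example's own selection, not a list taken from the report).
HIGH_VALUE = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
})


def parse_drives(text):
    """Return {image: Counter(drive_letter -> number of opens)}."""
    per_image = {}
    for letter, image in DRIVE_RE.findall(text):
        per_image.setdefault(image, Counter())[letter] += 1
    return per_image


def parse_privileges(text):
    """Return {pid: (image, [privileges in first-seen order, deduplicated])}."""
    per_pid = {}
    for priv, pid, image in PRIV_RE.findall(text):
        _, privs = per_pid.setdefault(int(pid), (image, []))
        if priv not in privs:
            privs.append(priv)
    return per_pid


def parse_wpm(text):
    """Return {(parent_pid, child_pid): (parent_image, call_count)}.

    The sandbox emits one row per WriteProcessMemory call, so repeated rows
    are kept as a count rather than collapsed into one edge.
    """
    edges = {}
    for parent, child, _pid, image, _target in WPM_RE.findall(text):
        key = (int(parent), int(child))
        _, n = edges.get(key, (image, 0))
        edges[key] = (image, n + 1)
    return edges


def triage(drive_text, priv_text, wpm_text):
    """Turn the three parsed tables into one finding string per observation."""
    findings = []
    for image, counts in parse_drives(drive_text).items():
        non_c = [ltr for ltr in sorted(counts) if ltr != "C"]
        findings.append(
            f"{image}: opened {len(non_c)} non-C: drive roots "
            f"({''.join(non_c)}), {sum(counts.values())} opens in total"
        )
    for pid, (image, privs) in parse_privileges(priv_text).items():
        hv = sorted(HIGH_VALUE & set(privs))
        if hv:
            findings.append(
                f"{image} pid {pid}: adjusted high-value privileges {', '.join(hv)}"
            )
    for (parent, child), (image, n) in parse_wpm(wpm_text).items():
        findings.append(
            f"{image} pid {parent} -> pid {child}: {n} WriteProcessMemory call(s)"
        )
    return findings


if __name__ == "__main__":
    for line in triage(DRIVE_IOCS, PRIV_IOCS, WPM_IOCS):
        print(line)
```

Read the output against the process tree rather than on its own. Both WriteProcessMemory edges run from a parent to the child it has just spawned, and msiexec opening every drive root is what Windows Installer typically does while checking volumes during an install, so neither observation is evidence of injection by itself. The AdjustPrivilegeToken rows for PID 1984 (SeDebugPrivilege and SeTcbPrivilege among them) record attempts to adjust, not whether the adjustment succeeded; compare the set against a known-good MSI install on the same image before treating it as malicious.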
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: cbf4e8bfdeb3208b26bae76d75f00d21
SHA1: 2637c2261bd30fdc04226118865314f3e785167f
SHA256: 0ecd3973f85cdafe3d5d5d034e808be03beadb3c3bf0a647bd7eb6e7b11587ae
SHA512: b5d31fb5759e82ba628a1750f863834b857231e5d915fef49cce3b9dbb684e1739f52ba5b53c61cfb1b2f9c19d433fbde78c14ad3d253b6421a31d27daa33157

Filesize: 43KB
MD5: b759a21d153a42060a53a89a26b9931c
SHA1: 6260cecd55db44d75121b1f88506a4a9978c1b0f
SHA256: 6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd
SHA512: 78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Filesize: 92KB
MD5: c09c157cbcbae2d04d9538eabcaaddf3
SHA1: 00647fbccd19d55412f24b4a91740747cd1793ab
SHA256: 8762c9520df0958649178b4629372d57eb10d4f0b8ca759eac24009c1496fc1c
SHA512: 84494b12ab5ccc2455e732b0f4a66886bf6a458100f7d6fe2231799f7246ac48157c2808e4a6e303bcd0d0a2ac127e451d6b119329b05dddf0e26dd2b2801e58