97b101b592d4fea04ff8aa841345b71f7dfc7482877660c51da000959dff063e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe
Size

1.1MB
MD5

3fc934b7990b9fa0a8b7146d147baca9
SHA1

af82b3323a94ae7693a5ab8e8d0b77724132db7a
SHA256

97b101b592d4fea04ff8aa841345b71f7dfc7482877660c51da000959dff063e
SHA512

bda1125ced6e119777e26f3a6361b29738719b70ecfa48e4a4844dc1d1101d26ac64367d2d8e3cb8a1d97dde3a917fa6f6454297f4aa67189b39f3072249ee11
SSDEEP

24576:GRsK4+2TIN3WeXv93RCWW5lvX2Y8iWZGtVW8UegoEvCBd6W3k:G78W3WeXv930X/4eo8P9EvK6W3k

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1992	3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe
3524	MsiExec.exe
3524	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4844	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	4844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4844	msiexec.exe
Token: SeLockMemoryPrivilege	4844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4844	msiexec.exe
Token: SeMachineAccountPrivilege	4844	msiexec.exe
Token: SeTcbPrivilege	4844	msiexec.exe
Token: SeSecurityPrivilege	4844	msiexec.exe
Token: SeTakeOwnershipPrivilege	4844	msiexec.exe
Token: SeLoadDriverPrivilege	4844	msiexec.exe
Token: SeSystemProfilePrivilege	4844	msiexec.exe
Token: SeSystemtimePrivilege	4844	msiexec.exe
Token: SeProfSingleProcessPrivilege	4844	msiexec.exe
Token: SeIncBasePriorityPrivilege	4844	msiexec.exe
Token: SeCreatePagefilePrivilege	4844	msiexec.exe
Token: SeCreatePermanentPrivilege	4844	msiexec.exe
Token: SeBackupPrivilege	4844	msiexec.exe
Token: SeRestorePrivilege	4844	msiexec.exe
Token: SeShutdownPrivilege	4844	msiexec.exe
Token: SeDebugPrivilege	4844	msiexec.exe
Token: SeAuditPrivilege	4844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4844	msiexec.exe
Token: SeChangeNotifyPrivilege	4844	msiexec.exe
Token: SeRemoteShutdownPrivilege	4844	msiexec.exe
Token: SeUndockPrivilege	4844	msiexec.exe
Token: SeSyncAgentPrivilege	4844	msiexec.exe
Token: SeEnableDelegationPrivilege	4844	msiexec.exe
Token: SeManageVolumePrivilege	4844	msiexec.exe
Token: SeImpersonatePrivilege	4844	msiexec.exe
Token: SeCreateGlobalPrivilege	4844	msiexec.exe
Token: SeCreateTokenPrivilege	4844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4844	msiexec.exe
Token: SeLockMemoryPrivilege	4844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4844	msiexec.exe
Token: SeMachineAccountPrivilege	4844	msiexec.exe
Token: SeTcbPrivilege	4844	msiexec.exe
Token: SeSecurityPrivilege	4844	msiexec.exe
Token: SeTakeOwnershipPrivilege	4844	msiexec.exe
Token: SeLoadDriverPrivilege	4844	msiexec.exe
Token: SeSystemProfilePrivilege	4844	msiexec.exe
Token: SeSystemtimePrivilege	4844	msiexec.exe
Token: SeProfSingleProcessPrivilege	4844	msiexec.exe
Token: SeIncBasePriorityPrivilege	4844	msiexec.exe
Token: SeCreatePagefilePrivilege	4844	msiexec.exe
Token: SeCreatePermanentPrivilege	4844	msiexec.exe
Token: SeBackupPrivilege	4844	msiexec.exe
Token: SeRestorePrivilege	4844	msiexec.exe
Token: SeShutdownPrivilege	4844	msiexec.exe
Token: SeDebugPrivilege	4844	msiexec.exe
Token: SeAuditPrivilege	4844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4844	msiexec.exe
Token: SeChangeNotifyPrivilege	4844	msiexec.exe
Token: SeRemoteShutdownPrivilege	4844	msiexec.exe
Token: SeUndockPrivilege	4844	msiexec.exe
Token: SeSyncAgentPrivilege	4844	msiexec.exe
Token: SeEnableDelegationPrivilege	4844	msiexec.exe
Token: SeManageVolumePrivilege	4844	msiexec.exe
Token: SeImpersonatePrivilege	4844	msiexec.exe
Token: SeCreateGlobalPrivilege	4844	msiexec.exe
Token: SeCreateTokenPrivilege	4844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4844	msiexec.exe
Token: SeLockMemoryPrivilege	4844	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4844	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4844	1992	3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe	86
PID 1992 wrote to memory of 4844	1992	3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe	86
PID 2556 wrote to memory of 3524	2556	msiexec.exe	89
PID 2556 wrote to memory of 3524	2556	msiexec.exe	89
PID 2556 wrote to memory of 3524	2556	msiexec.exe	89

C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\FileSubmit\180498\install\6D49DA4\180498.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\3fc934b7990b9fa0a8b7146d147baca9_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C6A6628513763D85350B1F95157E951B C
  2⤵
  - Loads dropped DLL
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA3B2.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Roaming\FileSubmit\180498\install\6D49DA4\180498.msi

Filesize
1.1MB

MD5
cbf4e8bfdeb3208b26bae76d75f00d21

SHA1
2637c2261bd30fdc04226118865314f3e785167f

SHA256
0ecd3973f85cdafe3d5d5d034e808be03beadb3c3bf0a647bd7eb6e7b11587ae

SHA512
b5d31fb5759e82ba628a1750f863834b857231e5d915fef49cce3b9dbb684e1739f52ba5b53c61cfb1b2f9c19d433fbde78c14ad3d253b6421a31d27daa33157

Download Submit
C:\Users\Admin\AppData\Roaming\FileSubmit\180498\install\decoder.dll

Filesize
92KB

MD5
c09c157cbcbae2d04d9538eabcaaddf3

SHA1
00647fbccd19d55412f24b4a91740747cd1793ab

SHA256
8762c9520df0958649178b4629372d57eb10d4f0b8ca759eac24009c1496fc1c

SHA512
84494b12ab5ccc2455e732b0f4a66886bf6a458100f7d6fe2231799f7246ac48157c2808e4a6e303bcd0d0a2ac127e451d6b119329b05dddf0e26dd2b2801e58

Download Submit