Analysis
-
max time kernel
139s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20/07/2024, 01:19
Static task
static1
Behavioral task
behavioral1
Sample
5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
-
Size
4.5MB
-
MD5
5e7a8c0fb8bdc8678ed471713b017dc1
-
SHA1
904dbdfcea184730986ff6dae22c44b565dacb54
-
SHA256
7933fed8fee5f2416795bc13a4ee7be247283aa282aa32ffa41b483f3c1718f1
-
SHA512
58aa671747b7e89645da58361615d1284e2c063559af083b3b6cb93915c06ac1c426ca2dc1e7107858559fa12ee1e93023a9646454ac6297c1f719df46b90c9a
-
SSDEEP
98304:VkaSpTW35nq4++OyuL+FaDcxji4WnSOAtmqrUta0LsP3VujnBLlHOIAtn7vl:Vt2q5nq4ZEDcIhnSJtTJETxlHOIAtjl
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 1168 5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe 4300 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 5064 msiexec.exe Token: SeIncreaseQuotaPrivilege 5064 msiexec.exe Token: SeSecurityPrivilege 3704 msiexec.exe Token: SeCreateTokenPrivilege 5064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5064 msiexec.exe Token: SeLockMemoryPrivilege 5064 msiexec.exe Token: SeIncreaseQuotaPrivilege 5064 msiexec.exe Token: SeMachineAccountPrivilege 5064 msiexec.exe Token: SeTcbPrivilege 5064 msiexec.exe Token: SeSecurityPrivilege 5064 msiexec.exe Token: SeTakeOwnershipPrivilege 5064 msiexec.exe Token: SeLoadDriverPrivilege 5064 msiexec.exe Token: SeSystemProfilePrivilege 5064 msiexec.exe Token: SeSystemtimePrivilege 5064 msiexec.exe Token: SeProfSingleProcessPrivilege 5064 msiexec.exe Token: SeIncBasePriorityPrivilege 5064 msiexec.exe Token: SeCreatePagefilePrivilege 5064 msiexec.exe Token: SeCreatePermanentPrivilege 5064 msiexec.exe Token: SeBackupPrivilege 5064 msiexec.exe Token: SeRestorePrivilege 5064 msiexec.exe Token: SeShutdownPrivilege 5064 msiexec.exe Token: SeDebugPrivilege 5064 msiexec.exe Token: SeAuditPrivilege 5064 msiexec.exe Token: SeSystemEnvironmentPrivilege 5064 msiexec.exe Token: SeChangeNotifyPrivilege 5064 msiexec.exe Token: SeRemoteShutdownPrivilege 5064 msiexec.exe Token: SeUndockPrivilege 5064 msiexec.exe Token: SeSyncAgentPrivilege 5064 msiexec.exe Token: SeEnableDelegationPrivilege 5064 msiexec.exe Token: SeManageVolumePrivilege 5064 msiexec.exe Token: SeImpersonatePrivilege 5064 msiexec.exe Token: SeCreateGlobalPrivilege 5064 msiexec.exe Token: SeCreateTokenPrivilege 5064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5064 msiexec.exe Token: SeLockMemoryPrivilege 5064 msiexec.exe Token: SeIncreaseQuotaPrivilege 5064 msiexec.exe Token: SeMachineAccountPrivilege 5064 msiexec.exe Token: SeTcbPrivilege 5064 msiexec.exe Token: SeSecurityPrivilege 5064 msiexec.exe Token: SeTakeOwnershipPrivilege 5064 msiexec.exe Token: SeLoadDriverPrivilege 5064 msiexec.exe Token: SeSystemProfilePrivilege 5064 msiexec.exe Token: SeSystemtimePrivilege 5064 msiexec.exe Token: SeProfSingleProcessPrivilege 5064 msiexec.exe Token: SeIncBasePriorityPrivilege 5064 msiexec.exe Token: SeCreatePagefilePrivilege 5064 msiexec.exe Token: SeCreatePermanentPrivilege 5064 msiexec.exe Token: SeBackupPrivilege 5064 msiexec.exe Token: SeRestorePrivilege 5064 msiexec.exe Token: SeShutdownPrivilege 5064 msiexec.exe Token: SeDebugPrivilege 5064 msiexec.exe Token: SeAuditPrivilege 5064 msiexec.exe Token: SeSystemEnvironmentPrivilege 5064 msiexec.exe Token: SeChangeNotifyPrivilege 5064 msiexec.exe Token: SeRemoteShutdownPrivilege 5064 msiexec.exe Token: SeUndockPrivilege 5064 msiexec.exe Token: SeSyncAgentPrivilege 5064 msiexec.exe Token: SeEnableDelegationPrivilege 5064 msiexec.exe Token: SeManageVolumePrivilege 5064 msiexec.exe Token: SeImpersonatePrivilege 5064 msiexec.exe Token: SeCreateGlobalPrivilege 5064 msiexec.exe Token: SeCreateTokenPrivilege 5064 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5064 msiexec.exe Token: SeLockMemoryPrivilege 5064 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5064 msiexec.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1168 wrote to memory of 5064 1168 5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe 85 PID 1168 wrote to memory of 5064 1168 5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe 85 PID 3704 wrote to memory of 4300 3704 msiexec.exe 90 PID 3704 wrote to memory of 4300 3704 msiexec.exe 90 PID 3704 wrote to memory of 4300 3704 msiexec.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\system32\msiexec.exe/i "C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5064
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4B0ADA7E868573384834C5BF9FD6365C C2⤵
- Loads dropped DLL
PID:4300
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD590b3af9249834461ffc677a094ced844
SHA177407089033bda6be8261b1735105c874de7d050
SHA256a56e0b3b6f7c3ee2225fa0ba9c936f74767c9b54c13d257e650e0a215628d5b1
SHA512f3a756e24d9858fa7dcf88e5f7c15c8e7867b68a03c0a2530977168cf240f3ab1c4f6a258e629081180811adc1f561fd469c9d1a932229fcb63e802dfed7f6e2
-
Filesize
4.2MB
MD5e59c3731d8691cc237fb6a64926b4259
SHA11f3c250a1b496c697d9d9dc9f2092b8406082d48
SHA2567d9ff76a5f16d1e49bcd3709b6ea50e14f10c7caf0010d472565771a77c827f4
SHA512dd93792bd2964f816c08c81f98138b3d57bc8862abb26d74efebd4663c8e438a0834410a655dca9e119ce6ee604c333bf1a4892a273d212491d89fa187e46f87
-
Filesize
120KB
MD58c091a1f10d89d54709f7ebab0ada856
SHA113154fa14d47c20dee746ff8a262adf890f5d102
SHA256af30003958cf0224ebc082893ed55c469f640dfbd604e60e1a8678a559e47565
SHA512bacca2c9e0c4195e47732bdbfdfcc9f07a1b6a02102a544f5c197d630814c072ad5a5dc2810f8fd4b9ca4160d70667d6b3ef11c8611800268c560d8cd710dca3