7933fed8fee5f2416795bc13a4ee7be247283aa282aa32ffa41b483f3c1718f1

Analysis

max time kernel
139s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
Size

4.5MB
MD5

5e7a8c0fb8bdc8678ed471713b017dc1
SHA1

904dbdfcea184730986ff6dae22c44b565dacb54
SHA256

7933fed8fee5f2416795bc13a4ee7be247283aa282aa32ffa41b483f3c1718f1
SHA512

58aa671747b7e89645da58361615d1284e2c063559af083b3b6cb93915c06ac1c426ca2dc1e7107858559fa12ee1e93023a9646454ac6297c1f719df46b90c9a
SSDEEP

98304:VkaSpTW35nq4++OyuL+FaDcxji4WnSOAtmqrUta0LsP3VujnBLlHOIAtn7vl:Vt2q5nq4ZEDcIhnSJtTJETxlHOIAtjl

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1168	5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
4300	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	3704	msiexec.exe
Token: SeCreateTokenPrivilege	5064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5064	msiexec.exe
Token: SeLockMemoryPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeMachineAccountPrivilege	5064	msiexec.exe
Token: SeTcbPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	5064	msiexec.exe
Token: SeTakeOwnershipPrivilege	5064	msiexec.exe
Token: SeLoadDriverPrivilege	5064	msiexec.exe
Token: SeSystemProfilePrivilege	5064	msiexec.exe
Token: SeSystemtimePrivilege	5064	msiexec.exe
Token: SeProfSingleProcessPrivilege	5064	msiexec.exe
Token: SeIncBasePriorityPrivilege	5064	msiexec.exe
Token: SeCreatePagefilePrivilege	5064	msiexec.exe
Token: SeCreatePermanentPrivilege	5064	msiexec.exe
Token: SeBackupPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	5064	msiexec.exe
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeDebugPrivilege	5064	msiexec.exe
Token: SeAuditPrivilege	5064	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5064	msiexec.exe
Token: SeChangeNotifyPrivilege	5064	msiexec.exe
Token: SeRemoteShutdownPrivilege	5064	msiexec.exe
Token: SeUndockPrivilege	5064	msiexec.exe
Token: SeSyncAgentPrivilege	5064	msiexec.exe
Token: SeEnableDelegationPrivilege	5064	msiexec.exe
Token: SeManageVolumePrivilege	5064	msiexec.exe
Token: SeImpersonatePrivilege	5064	msiexec.exe
Token: SeCreateGlobalPrivilege	5064	msiexec.exe
Token: SeCreateTokenPrivilege	5064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5064	msiexec.exe
Token: SeLockMemoryPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeMachineAccountPrivilege	5064	msiexec.exe
Token: SeTcbPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	5064	msiexec.exe
Token: SeTakeOwnershipPrivilege	5064	msiexec.exe
Token: SeLoadDriverPrivilege	5064	msiexec.exe
Token: SeSystemProfilePrivilege	5064	msiexec.exe
Token: SeSystemtimePrivilege	5064	msiexec.exe
Token: SeProfSingleProcessPrivilege	5064	msiexec.exe
Token: SeIncBasePriorityPrivilege	5064	msiexec.exe
Token: SeCreatePagefilePrivilege	5064	msiexec.exe
Token: SeCreatePermanentPrivilege	5064	msiexec.exe
Token: SeBackupPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	5064	msiexec.exe
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeDebugPrivilege	5064	msiexec.exe
Token: SeAuditPrivilege	5064	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5064	msiexec.exe
Token: SeChangeNotifyPrivilege	5064	msiexec.exe
Token: SeRemoteShutdownPrivilege	5064	msiexec.exe
Token: SeUndockPrivilege	5064	msiexec.exe
Token: SeSyncAgentPrivilege	5064	msiexec.exe
Token: SeEnableDelegationPrivilege	5064	msiexec.exe
Token: SeManageVolumePrivilege	5064	msiexec.exe
Token: SeImpersonatePrivilege	5064	msiexec.exe
Token: SeCreateGlobalPrivilege	5064	msiexec.exe
Token: SeCreateTokenPrivilege	5064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5064	msiexec.exe
Token: SeLockMemoryPrivilege	5064	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5064	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 5064	1168	5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe	85
PID 1168 wrote to memory of 5064	1168	5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe	85
PID 3704 wrote to memory of 4300	3704	msiexec.exe	90
PID 3704 wrote to memory of 4300	3704	msiexec.exe	90
PID 3704 wrote to memory of 4300	3704	msiexec.exe	90

C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4B0ADA7E868573384834C5BF9FD6365C C
  2⤵
  - Loads dropped DLL
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI7FDE.tmp

Filesize
55KB

MD5
90b3af9249834461ffc677a094ced844

SHA1
77407089033bda6be8261b1735105c874de7d050

SHA256
a56e0b3b6f7c3ee2225fa0ba9c936f74767c9b54c13d257e650e0a215628d5b1

SHA512
f3a756e24d9858fa7dcf88e5f7c15c8e7867b68a03c0a2530977168cf240f3ab1c4f6a258e629081180811adc1f561fd469c9d1a932229fcb63e802dfed7f6e2

Download Submit
C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi

Filesize
4.2MB

MD5
e59c3731d8691cc237fb6a64926b4259

SHA1
1f3c250a1b496c697d9d9dc9f2092b8406082d48

SHA256
7d9ff76a5f16d1e49bcd3709b6ea50e14f10c7caf0010d472565771a77c827f4

SHA512
dd93792bd2964f816c08c81f98138b3d57bc8862abb26d74efebd4663c8e438a0834410a655dca9e119ce6ee604c333bf1a4892a273d212491d89fa187e46f87

Download Submit
C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\decoder.dll

Filesize
120KB

MD5
8c091a1f10d89d54709f7ebab0ada856

SHA1
13154fa14d47c20dee746ff8a262adf890f5d102

SHA256
af30003958cf0224ebc082893ed55c469f640dfbd604e60e1a8678a559e47565

SHA512
bacca2c9e0c4195e47732bdbfdfcc9f07a1b6a02102a544f5c197d630814c072ad5a5dc2810f8fd4b9ca4160d70667d6b3ef11c8611800268c560d8cd710dca3

Download Submit