Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 01:19

General

  • Target

    5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe

  • Size

    4.5MB

  • MD5

    5e7a8c0fb8bdc8678ed471713b017dc1

  • SHA1

    904dbdfcea184730986ff6dae22c44b565dacb54

  • SHA256

    7933fed8fee5f2416795bc13a4ee7be247283aa282aa32ffa41b483f3c1718f1

  • SHA512

    58aa671747b7e89645da58361615d1284e2c063559af083b3b6cb93915c06ac1c426ca2dc1e7107858559fa12ee1e93023a9646454ac6297c1f719df46b90c9a

  • SSDEEP

    98304:VkaSpTW35nq4++OyuL+FaDcxji4WnSOAtmqrUta0LsP3VujnBLlHOIAtn7vl:Vt2q5nq4ZEDcIhnSJtTJETxlHOIAtjl

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\system32\msiexec.exe
      /i "C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5064
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4B0ADA7E868573384834C5BF9FD6365C C
      2⤵
      • Loads dropped DLL
      PID:4300
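The tree above has the shape of an EXE bootstrapper handing off to Windows Installer: the submitted EXE writes setup.msi under %APPDATA%\UpSoft\Adobe Flash Player\install\, runs msiexec.exe /i on it with AI_SETUPEXEPATH and SETUPEXEDIR pointing back at the EXE, and the msiexec.exe /V instance (the Windows Installer service) then spawns a 32-bit C:\Windows\syswow64\MsiExec.exe -Embedding custom-action server that loads a dropped DLL. The script below is an added example for this page, not part of the report or of any sandbox tooling. It tokenises the three msiexec command lines from the tree (the executable path of each process entry is prepended, because the tree prints arguments only) and returns the install mode, package path, public properties and a list of triage findings. The user-writable directory list, the finding names and the treatment of AI_SETUPEXEPATH/SETUPEXEDIR as Advanced Installer bootstrapper properties are assumptions of the example.

```python
"""Triage msiexec.exe command lines from a process tree (added example)."""

# Path fragments a standard user can write to. An MSI or bootstrapper living
# here was dropped at runtime rather than installed from an admin-controlled
# location (heuristic list constructed for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Public properties an Advanced Installer setup.exe bootstrapper passes to the
# MSI it unpacks (assumption based on the property names seen in the report).
BOOTSTRAPPER_PROPS = {"AI_SETUPEXEPATH", "SETUPEXEDIR"}

# The three command lines from the report's process tree; the executable path
# of each process entry is prepended because the tree prints arguments only.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\msiexec.exe /i "C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi" '
    r'AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\5e7a8c0fb8bdc8678ed471713b017dc1_JaffaCakes118.exe" '
    r'SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"',
    r"C:\Windows\system32\msiexec.exe /V",
    r"C:\Windows\syswow64\MsiExec.exe -Embedding 4B0ADA7E868573384834C5BF9FD6365C C",
]


def split_windows_cmdline(cmdline):
    """Split on whitespace outside double quotes; quotes are dropped, backslashes kept.

    Deliberately simpler than CommandLineToArgvW: a trailing backslash inside
    quotes (SETUPEXEDIR="...\\Temp\\") stays part of the path instead of
    escaping the closing quote.
    """
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_msiexec(cmdline):
    """Return exe, bitness, mode, package, embedding id and PROPERTY=value pairs."""
    argv = split_windows_cmdline(cmdline)
    exe = argv[0]
    info = {
        "exe": exe,
        # A custom-action server under SysWOW64 means a 32-bit action DLL.
        "arch": "x86" if "\\syswow64\\" in exe.lower() else "x64",
        "mode": None,
        "package": None,
        "embedding_id": None,
        "properties": {},
    }
    args = argv[1:]
    i = 0
    while i < len(args):
        a = args[i]
        low = a.lower()
        if low in ("/i", "-i", "/a", "-a", "/x", "-x"):
            info["mode"] = {"i": "install", "a": "admin", "x": "uninstall"}[low[1]]
            i += 1
            if i < len(args):
                info["package"] = args[i]
        elif low in ("/v", "-v"):
            info["mode"] = "service"  # switch the Windows Installer service starts with
        elif low == "-embedding":
            info["mode"] = "embedded"  # out-of-process custom-action server
            i += 1
            if i < len(args):
                info["embedding_id"] = args[i]
        elif "=" in a and not a.startswith(("/", "-")):
            key, _, value = a.partition("=")
            info["properties"][key.upper()] = value
        i += 1
    return info


def triage(cmdline):
    """Parse one msiexec command line and return (info, list of finding names)."""
    info = parse_msiexec(cmdline)
    findings = []
    pkg = info["package"]
    if pkg:
        low = pkg.lower()
        if any(frag in low for frag in USER_WRITABLE):
            findings.append("msi_in_user_writable_dir")
        if "flash player" in low:
            # Adobe Flash Player reached end of life on 2020-12-31; a 2024
            # installer claiming to ship it deserves a look.
            findings.append("claims_flash_player")
    if set(info["properties"]) & BOOTSTRAPPER_PROPS:
        findings.append("launched_by_exe_bootstrapper")
        src = info["properties"].get("AI_SETUPEXEPATH", "").lower()
        if src and any(frag in src for frag in USER_WRITABLE):
            findings.append("bootstrapper_in_user_writable_dir")
    if info["mode"] == "embedded" and info["arch"] == "x86":
        findings.append("x86_custom_action_server")
    return info, findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        info, findings = triage(line)
        target = info["package"] or info["embedding_id"] or "-"
        print(f"{info['arch']} {(info['mode'] or '?'):<9} {target}")
        for name in findings:
            print("   !", name)
```

Feed it the CommandLine field of Sysmon Event ID 1 or a sandbox process tree; the findings on the first line (package and bootstrapper both under AppData, a 2024 installer naming Flash Player) are the ones worth pivoting on, and the x86 -Embedding child is where to look for the dropped custom-action DLL.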

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSI7FDE.tmp

    Filesize

    55KB

    MD5

    90b3af9249834461ffc677a094ced844

    SHA1

    77407089033bda6be8261b1735105c874de7d050

    SHA256

    a56e0b3b6f7c3ee2225fa0ba9c936f74767c9b54c13d257e650e0a215628d5b1

    SHA512

    f3a756e24d9858fa7dcf88e5f7c15c8e7867b68a03c0a2530977168cf240f3ab1c4f6a258e629081180811adc1f561fd469c9d1a932229fcb63e802dfed7f6e2

  • C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\B488E0D\setup.msi

    Filesize

    4.2MB

    MD5

    e59c3731d8691cc237fb6a64926b4259

    SHA1

    1f3c250a1b496c697d9d9dc9f2092b8406082d48

    SHA256

    7d9ff76a5f16d1e49bcd3709b6ea50e14f10c7caf0010d472565771a77c827f4

    SHA512

    dd93792bd2964f816c08c81f98138b3d57bc8862abb26d74efebd4663c8e438a0834410a655dca9e119ce6ee604c333bf1a4892a273d212491d89fa187e46f87

  • C:\Users\Admin\AppData\Roaming\UpSoft\Adobe Flash Player\install\decoder.dll

    Filesize

    120KB

    MD5

    8c091a1f10d89d54709f7ebab0ada856

    SHA1

    13154fa14d47c20dee746ff8a262adf890f5d102

    SHA256

    af30003958cf0224ebc082893ed55c469f640dfbd604e60e1a8678a559e47565

    SHA512

    bacca2c9e0c4195e47732bdbfdfcc9f07a1b6a02102a544f5c197d630814c072ad5a5dc2810f8fd4b9ca4160d70667d6b3ef11c8611800268c560d8cd710dca3