Analysis
max time kernel: 120s
max time network: 129s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 20:07

Static task: static1
Behavioral task: behavioral1
  Sample: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Size: 157KB
MD5: 75876d65612cbdfebccf1065bedf284c
SHA1: b2b30e2b37cbf69ffc2c93c7a683ec8da63a609d
SHA256: a8966bbc4a771da485bb79fbf7cac162bf6f55ab017a85ca1303d6e656b20b52
SHA512: 0c15731a0b8fbbe63926c8dcfc24047fe9cdbe3ec3a093f3ffe90ce29e303e3437a1248f87c1293cc3bd499a504fa689385d427ecfa17b891fcc7efec858e6a3
SSDEEP: 3072:g0/AMdBs/q7qxQy/2NZSj/MeZLV3EaPvjfG1k78tGdq4VYl5S:gzMBs/q7qxQy/27a/f5V3R7dH84VYm
Malware Config
Signatures
Loads dropped DLL 6 IoCs
pid Process: 2660 MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process: 2660 MsiExec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process: 2960 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 2728 wrote to memory of 2660 2728 msiexec.exe 33
Processes
- C:\Users\Admin\AppData\Local\Temp\75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2960
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2728
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DBAD49543312294E8596B7A5D429B181 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads