Analysis
- max time kernel: 129s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 20:07
Static task: static1
Behavioral task: behavioral1
- Sample: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
- Size: 157KB
- MD5: 75876d65612cbdfebccf1065bedf284c
- SHA1: b2b30e2b37cbf69ffc2c93c7a683ec8da63a609d
- SHA256: a8966bbc4a771da485bb79fbf7cac162bf6f55ab017a85ca1303d6e656b20b52
- SHA512: 0c15731a0b8fbbe63926c8dcfc24047fe9cdbe3ec3a093f3ffe90ce29e303e3437a1248f87c1293cc3bd499a504fa689385d427ecfa17b891fcc7efec858e6a3
- SSDEEP: 3072:g0/AMdBs/q7qxQy/2NZSj/MeZLV3EaPvjfG1k78tGdq4VYl5S:gzMBs/q7qxQy/27a/f5V3R7dH84VYm
Malware Config
Signatures
Loads dropped DLL 7 IoCs
pid   Process
1496  MsiExec.exe (7 identical entries)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\L:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\W:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\H:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\J:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\Z:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\I:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\M:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\X:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\K:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\N:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\S:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\V:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\B:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\G:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\O:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\E:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\R:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\U:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\P:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\T:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\Y:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\A:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
File opened (read-only)  \??\Q:  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Modifies system certificate store
description       ioc                                                                                                                       Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2                                 75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = [blob data omitted]  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid   Process
1496  MsiExec.exe (22 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                             pid   Process
Token: SeShutdownPrivilege              3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSecurityPrivilege              2900  msiexec.exe
Token: SeCreateTokenPrivilege           3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege    3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeTcbPrivilege                   3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSecurityPrivilege              3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemtimePrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege     3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege       3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege       3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeBackupPrivilege                3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeRestorePrivilege               3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeShutdownPrivilege              3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeDebugPrivilege                 3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeAuditPrivilege                 3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege     3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeUndockPrivilege                3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege             3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege      3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeManageVolumePrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeImpersonatePrivilege           3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreateTokenPrivilege           3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege    3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeTcbPrivilege                   3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSecurityPrivilege              3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege         3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemtimePrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege     3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege       3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege       3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeBackupPrivilege                3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeRestorePrivilege               3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeShutdownPrivilege              3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeDebugPrivilege                 3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeAuditPrivilege                 3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege     3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege        3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeUndockPrivilege                3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege             3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege      3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeManageVolumePrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeImpersonatePrivilege           3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege          3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeCreateTokenPrivilege           3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege    3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege            3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
3312  75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 3 IoCs
description                       pid   Process      procid_target
PID 2900 wrote to memory of 1496  2900  msiexec.exe  100
PID 2900 wrote to memory of 1496  2900  msiexec.exe  100
PID 2900 wrote to memory of 1496  2900  msiexec.exe  100
Processes
C:\Users\Admin\AppData\Local\Temp\75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75876d65612cbdfebccf1065bedf284c_JaffaCakes118.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3312

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2900

  C:\Windows\syswow64\MsiExec.exe (child of PID 2900)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B75B1713CD276D5EF9D57EF1FA944EA7 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1496
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_625831257BDAD5EDE9F82A76B457B04B
- Filesize: 5B
- MD5: 5bfa51f3a417b98e7443eca90fc94703
- SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
- SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
- SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C3948BE6E525B8A8CEE9FAC91C9E392_625831257BDAD5EDE9F82A76B457B04B
- Filesize: 412B
- MD5: 7672bf07a352bad459e4c2ba731c373c
- SHA1: 229f9a2c77fd4eda78b5d9ba5bf320b4e8ba0da6
- SHA256: 245f4de507ce2dbb24998ef1125145b2665676438a8bb474183d8117e65f4701
- SHA512: 2605440efbf22ca2bb9bb947f9f7fa50f48e1a6ee7724905ad95882a646bfee78d351c66ebad98c7406168887d7292a7054045dc838e82e3f8a024c4ba0d33ef

- Filesize: 613KB
- MD5: 8f7b7452c1004b979009e565a317f114
- SHA1: 6e246522028f17c9ec7c338806e5114efe709f93
- SHA256: fcb7fc90474b07df2994218832ee865f46876c3a069ffde30cb416f0bfbff237
- SHA512: b6086b2b3f73ed7efc8dbd8d7a354d5aebddf4d5045a4d6b488ba8e60280c4e07a502d1f0012af19cc83e42b37aa6fc2df5c541190e1922bc3d3e7a291628464

- Filesize: 349KB
- MD5: b381c2ade79ec791c56bce2150410527
- SHA1: d71887f86ef53764191f6aa870f6c99a273dcf73
- SHA256: 721ce118704206ce31cba0c0fabbc3a45a8d3f52e4ca430637bd6acce36b795e
- SHA512: 94374147df3c54d98d56f751ed65d75b3d2b01747c693287b5896605b932ae6d5ac280ce67e177d858a59859e5b2fc8760bef30591a3969f77f985c3ce72ec23

- Filesize: 14.1MB
- MD5: 09edf5b1f04d58369cbd80f3c22b72ce
- SHA1: e6fb66fb45aa0c170719252802ad02a072404dcc
- SHA256: 1c7bd0e864abeb9961a470151cbc0990c77db485044205fb95848d600b9252b3
- SHA512: 8ce364fe681690aaad737b1d98b815f95bb2a60320c30c11a83c50c30bf44d2e4f1bfbc765c85e545ddd6c93749599e29c4756daec131f3b308e940a268ec45b