56a6019b2a79ae45bac835fe186d0de8ac8d57e3283e8f31904544902766c024

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe
Size

1.3MB
MD5

78a6e33dc1501a53f687e56e94ad3575
SHA1

cb0cc13e47ffc1a95822fd512db125f87f150ffa
SHA256

56a6019b2a79ae45bac835fe186d0de8ac8d57e3283e8f31904544902766c024
SHA512

882ad8a506d69913464b56097c0fc130f3368f06ede2897d57925452a542f11487f187f8e822e171faf78fa48f1f57458869e9f25e03ca4e0a890c253f57df67
SSDEEP

24576:ZOkPDafAwBvBXEjbEh2GAZQ+/VKOEnuneIxGbw4iPKDHYfYVxwh/FtOTy0/ZpyIg:ZPDao8BUPE2ZvynuneIx0YKjksxwxF5x

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe
1188	MsiExec.exe
1188	MsiExec.exe
1188	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2624	msiexec.exe
5	2624	msiexec.exe
7	2624	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	3048	msiexec.exe
Token: SeTakeOwnershipPrivilege	3048	msiexec.exe
Token: SeSecurityPrivilege	3048	msiexec.exe
Token: SeCreateTokenPrivilege	2624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2624	msiexec.exe
Token: SeLockMemoryPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeMachineAccountPrivilege	2624	msiexec.exe
Token: SeTcbPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeLoadDriverPrivilege	2624	msiexec.exe
Token: SeSystemProfilePrivilege	2624	msiexec.exe
Token: SeSystemtimePrivilege	2624	msiexec.exe
Token: SeProfSingleProcessPrivilege	2624	msiexec.exe
Token: SeIncBasePriorityPrivilege	2624	msiexec.exe
Token: SeCreatePagefilePrivilege	2624	msiexec.exe
Token: SeCreatePermanentPrivilege	2624	msiexec.exe
Token: SeBackupPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeDebugPrivilege	2624	msiexec.exe
Token: SeAuditPrivilege	2624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2624	msiexec.exe
Token: SeChangeNotifyPrivilege	2624	msiexec.exe
Token: SeRemoteShutdownPrivilege	2624	msiexec.exe
Token: SeUndockPrivilege	2624	msiexec.exe
Token: SeSyncAgentPrivilege	2624	msiexec.exe
Token: SeEnableDelegationPrivilege	2624	msiexec.exe
Token: SeManageVolumePrivilege	2624	msiexec.exe
Token: SeImpersonatePrivilege	2624	msiexec.exe
Token: SeCreateGlobalPrivilege	2624	msiexec.exe
Token: SeCreateTokenPrivilege	2624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2624	msiexec.exe
Token: SeLockMemoryPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeMachineAccountPrivilege	2624	msiexec.exe
Token: SeTcbPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeLoadDriverPrivilege	2624	msiexec.exe
Token: SeSystemProfilePrivilege	2624	msiexec.exe
Token: SeSystemtimePrivilege	2624	msiexec.exe
Token: SeProfSingleProcessPrivilege	2624	msiexec.exe
Token: SeIncBasePriorityPrivilege	2624	msiexec.exe
Token: SeCreatePagefilePrivilege	2624	msiexec.exe
Token: SeCreatePermanentPrivilege	2624	msiexec.exe
Token: SeBackupPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeDebugPrivilege	2624	msiexec.exe
Token: SeAuditPrivilege	2624	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2624	msiexec.exe
Token: SeChangeNotifyPrivilege	2624	msiexec.exe
Token: SeRemoteShutdownPrivilege	2624	msiexec.exe
Token: SeUndockPrivilege	2624	msiexec.exe
Token: SeSyncAgentPrivilege	2624	msiexec.exe
Token: SeEnableDelegationPrivilege	2624	msiexec.exe
Token: SeManageVolumePrivilege	2624	msiexec.exe
Token: SeImpersonatePrivilege	2624	msiexec.exe
Token: SeCreateGlobalPrivilege	2624	msiexec.exe
Token: SeCreateTokenPrivilege	2624	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe
2624	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2624	1904	78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe	31
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33
PID 3048 wrote to memory of 1188	3048	msiexec.exe	33

C:\Users\Admin\AppData\Local\Temp\78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\Luottokunta\EMVLumo\install\7475BF6\EMVLumoSetup_1.00.026.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\78a6e33dc1501a53f687e56e94ad3575_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 31A7A47686D9513862A8A74E8117E4AD C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFF09.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI23C.tmp

Filesize
48KB

MD5
061b504c1a3a41ecdd9cf7b1d33259e4

SHA1
2394bb353951e524a67249f14b0a6fd15ea65123

SHA256
02ca99212b699c7efb1f0c3a62d873911212777132366c894fd094fe226cb5bc

SHA512
0697c0732d71db35db7380fbe78a09d8d32f92cfd38ca8f98b079938122e96e9c859039015f334471c0fb5d8b8077e975b5c92fe3170b0a639a7f39d2cc61c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF1C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Luottokunta\EMVLumo\install\7475BF6\EMVLumoSetup_1.00.026.msi

Filesize
748KB

MD5
ccf5163b906ca6cf062c3f91efbd9b5a

SHA1
93df2d050d024c55ba0d8d01c29a08b7ffc3d145

SHA256
5b7dce243a01afdf57e7e6e9199ba92721029cac9d8a2f7c014ff159ba27a7fc

SHA512
486a9ab2f1908860b04ed7864b4edce21fed97504529b6f2efcc9882da5642d3607516c12cb7fb25a46fb554482a766a302eb1425190790afe2487517509792e

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2BA.tmp

Filesize
245KB

MD5
bd84e2d4c66a5139eb36b2c5799cc042

SHA1
13bc11c8efe52bba77fc72d6867646725635beab

SHA256
4a3c2bad890e08cdf6c51230b950ef689983bda0d698d748bbbee1589c1c18d0

SHA512
10795d40b60281724e3b853621671b07963738ee44065a1a98cf87e1c9ed535a6abf17ab2c050471407cce0fb4874e68d786813aaa1f35cae4ecdeddacbec122

Download Submit
\Users\Admin\AppData\Roaming\Luottokunta\EMVLumo\install\decoder.dll

Filesize
105KB

MD5
b2b2a36e61d81c8b06bbb3646c349b1e

SHA1
ce2e984706cf9253bf3503c9e132de456356c8cf

SHA256
1a47bd5f55c383572ea06c29e4776d8bc098c936d7dbfe505c2a2fad82971e3e

SHA512
f03aa71eb7a762d6384e992e184ed05a131857da25e53a08f7969bee2d206c3c34a55f92b1aa27d6f0af584a3bc8b5754fd5bee91f986635b421e523789e7d2a

Download Submit
memory/1904-0-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1904-84-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download