Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 26991e003c7df1b7ed815750866abd09_JaffaCakes118.msi
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 26991e003c7df1b7ed815750866abd09_JaffaCakes118.msi
  Resource: win10v2004-20240730-en
General
Target: 26991e003c7df1b7ed815750866abd09_JaffaCakes118.msi
Size: 900KB
MD5: 26991e003c7df1b7ed815750866abd09
SHA1: 029301174bd92c2dc2e5f2b4df426c33305ecdd7
SHA256: e2db78db122785f0740bef4de8eef75a56370da463e1d9948aff66494ab7388e
SHA512: 9f22acffb159858365a9ee128f497b21e1cd7a6d631a4924dc5c19cf42ab63f7f0acb23e8219c89281fd6b0dd9872f3134540c9c7aacd06b2ffc98168fdbc485
SSDEEP: 6144:T/tWxOo6HFxhXTh/fotWZrgj1migvH74OULb:TFWxOo6lTNYWlkDo8X
Malware Config
Signatures
Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
  resource:  behavioral2/memory/4084-41-0x0000000002480000-0x00000000024AE000-memory.dmp
  yara_rule: trickbot_loader32
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
Drops file in Windows directory (12 IoCs)
  description                   ioc                                                                 Process
  File opened for modification  C:\Windows\Installer\MSIEC55.tmp                                    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEC75.tmp                                    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIECB5.tmp                                    msiexec.exe
  File opened for modification  C:\Windows\Installer\e57a71d.msi                                    msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log            msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA79A.tmp                                    msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log                                    expand.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log                                    expand.exe
  File created                  C:\Windows\Installer\e57a71d.msi                                    msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{2BCD47FA-10BD-428F-B362-A7AAC16E0E39}  msiexec.exe
  File opened for modification  C:\Windows\Installer\                                               msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                      msiexec.exe
Executes dropped EXE (1 IoC)
  pid   Process
  4084  backup.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  1348  MsiExec.exe
  1348  MsiExec.exe
  1348  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid   Process
  1492  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                               Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       MsiExec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       expand.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       backup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       cmd.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4388  msiexec.exe
  4388  msiexec.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            1492  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1492  msiexec.exe
  Token: SeSecurityPrivilege            4388  msiexec.exe
  Token: SeCreateTokenPrivilege         1492  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1492  msiexec.exe
  Token: SeLockMemoryPrivilege          1492  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1492  msiexec.exe
  Token: SeMachineAccountPrivilege      1492  msiexec.exe
  Token: SeTcbPrivilege                 1492  msiexec.exe
  Token: SeSecurityPrivilege            1492  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1492  msiexec.exe
  Token: SeLoadDriverPrivilege          1492  msiexec.exe
  Token: SeSystemProfilePrivilege       1492  msiexec.exe
  Token: SeSystemtimePrivilege          1492  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1492  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1492  msiexec.exe
  Token: SeCreatePagefilePrivilege      1492  msiexec.exe
  Token: SeCreatePermanentPrivilege     1492  msiexec.exe
  Token: SeBackupPrivilege              1492  msiexec.exe
  Token: SeRestorePrivilege             1492  msiexec.exe
  Token: SeShutdownPrivilege            1492  msiexec.exe
  Token: SeDebugPrivilege               1492  msiexec.exe
  Token: SeAuditPrivilege               1492  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1492  msiexec.exe
  Token: SeChangeNotifyPrivilege        1492  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1492  msiexec.exe
  Token: SeUndockPrivilege              1492  msiexec.exe
  Token: SeSyncAgentPrivilege           1492  msiexec.exe
  Token: SeEnableDelegationPrivilege    1492  msiexec.exe
  Token: SeManageVolumePrivilege        1492  msiexec.exe
  Token: SeImpersonatePrivilege         1492  msiexec.exe
  Token: SeCreateGlobalPrivilege        1492  msiexec.exe
  Token: SeBackupPrivilege              3244  vssvc.exe
  Token: SeRestorePrivilege             3244  vssvc.exe
  Token: SeAuditPrivilege               3244  vssvc.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
  Token: SeRestorePrivilege             4388  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4388  msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1492  msiexec.exe
  1492  msiexec.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4084  backup.exe
  4084  backup.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process      procid_target
  PID 4388 wrote to memory of 1348   4388  msiexec.exe  88
  PID 4388 wrote to memory of 1348   4388  msiexec.exe  88
  PID 4388 wrote to memory of 1348   4388  msiexec.exe  88
  PID 1348 wrote to memory of 3716   1348  MsiExec.exe  89
  PID 1348 wrote to memory of 3716   1348  MsiExec.exe  89
  PID 1348 wrote to memory of 3716   1348  MsiExec.exe  89
  PID 1348 wrote to memory of 4084   1348  MsiExec.exe  91
  PID 1348 wrote to memory of 4084   1348  MsiExec.exe  91
  PID 1348 wrote to memory of 4084   1348  MsiExec.exe  91
  PID 4084 wrote to memory of 2068   4084  backup.exe   92
  PID 4084 wrote to memory of 2068   4084  backup.exe   92
  PID 4084 wrote to memory of 2068   4084  backup.exe   92
  PID 4084 wrote to memory of 2068   4084  backup.exe   92
  PID 1348 wrote to memory of 3532   1348  MsiExec.exe  93
  PID 1348 wrote to memory of 3532   1348  MsiExec.exe  93
  PID 1348 wrote to memory of 3532   1348  MsiExec.exe  93
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\26991e003c7df1b7ed815750866abd09_JaffaCakes118.msi
  PID: 1492
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 4388
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3E52974A9C1DB46F2B374E62B476F97C
      PID: 1348
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\expand.exe
          command line: "C:\Windows\System32\expand.exe" -R files.cab -F:* files
          PID: 3716
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\MW-5fdcb7e4-8b02-424a-a7e3-1b0702c14710\files\backup.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\MW-5fdcb7e4-8b02-424a-a7e3-1b0702c14710\files\backup.exe"
          PID: 4084
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\svchost.exe
              command line: C:\Windows\system32\svchost.exe
              PID: 2068

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-5fdcb7e4-8b02-424a-a7e3-1b0702c14710\files"
          PID: 3532
          - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 3244
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads