Analysis

max time kernel: 140s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 07:57

Static task: static1

Behavioral task: behavioral1
  Sample: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: 953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
Size: 730KB
MD5: 953d3e61466aaef1feb0f1218991b834
SHA1: a7ed9c02bd324c74e968132a52793b042b67f4f0
SHA256: 1c9b517de19ea906b642624ab9a8f20b8b4cd91881cb6e6a031d87dfcad5ed3c
SHA512: cc9c652b6a1641bef3e6c66a5039b1719b48f633cafd38dcd0b588c70596ebf4e729d8377e93a44f7f8f2b8866aaf412923b7603abca8b2df6d48d9695ed7dcf
SSDEEP: 12288:2zxveAzCY64Ly3AuYW/g8eyi49Wr3xvPTY38czsg84On0kBOvW1LcqOwi:SmeCY64LWAuYZyipk8GnwnOwi
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  2004  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            4604  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4604  msiexec.exe
  Token: SeSecurityPrivilege            1500  msiexec.exe
  Token: SeCreateTokenPrivilege         4604  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4604  msiexec.exe
  Token: SeLockMemoryPrivilege          4604  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4604  msiexec.exe
  Token: SeMachineAccountPrivilege      4604  msiexec.exe
  Token: SeTcbPrivilege                 4604  msiexec.exe
  Token: SeSecurityPrivilege            4604  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4604  msiexec.exe
  Token: SeLoadDriverPrivilege          4604  msiexec.exe
  Token: SeSystemProfilePrivilege       4604  msiexec.exe
  Token: SeSystemtimePrivilege          4604  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4604  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4604  msiexec.exe
  Token: SeCreatePagefilePrivilege      4604  msiexec.exe
  Token: SeCreatePermanentPrivilege     4604  msiexec.exe
  Token: SeBackupPrivilege              4604  msiexec.exe
  Token: SeRestorePrivilege             4604  msiexec.exe
  Token: SeShutdownPrivilege            4604  msiexec.exe
  Token: SeDebugPrivilege               4604  msiexec.exe
  Token: SeAuditPrivilege               4604  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4604  msiexec.exe
  Token: SeChangeNotifyPrivilege        4604  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4604  msiexec.exe
  Token: SeUndockPrivilege              4604  msiexec.exe
  Token: SeSyncAgentPrivilege           4604  msiexec.exe
  Token: SeEnableDelegationPrivilege    4604  msiexec.exe
  Token: SeManageVolumePrivilege        4604  msiexec.exe
  Token: SeImpersonatePrivilege         4604  msiexec.exe
  Token: SeCreateGlobalPrivilege        4604  msiexec.exe
  Token: SeCreateTokenPrivilege         4604  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4604  msiexec.exe
  Token: SeLockMemoryPrivilege          4604  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4604  msiexec.exe
  Token: SeMachineAccountPrivilege      4604  msiexec.exe
  Token: SeTcbPrivilege                 4604  msiexec.exe
  Token: SeSecurityPrivilege            4604  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4604  msiexec.exe
  Token: SeLoadDriverPrivilege          4604  msiexec.exe
  Token: SeSystemProfilePrivilege       4604  msiexec.exe
  Token: SeSystemtimePrivilege          4604  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4604  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4604  msiexec.exe
  Token: SeCreatePagefilePrivilege      4604  msiexec.exe
  Token: SeCreatePermanentPrivilege     4604  msiexec.exe
  Token: SeBackupPrivilege              4604  msiexec.exe
  Token: SeRestorePrivilege             4604  msiexec.exe
  Token: SeShutdownPrivilege            4604  msiexec.exe
  Token: SeDebugPrivilege               4604  msiexec.exe
  Token: SeAuditPrivilege               4604  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4604  msiexec.exe
  Token: SeChangeNotifyPrivilege        4604  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4604  msiexec.exe
  Token: SeUndockPrivilege              4604  msiexec.exe
  Token: SeSyncAgentPrivilege           4604  msiexec.exe
  Token: SeEnableDelegationPrivilege    4604  msiexec.exe
  Token: SeManageVolumePrivilege        4604  msiexec.exe
  Token: SeImpersonatePrivilege         4604  msiexec.exe
  Token: SeCreateGlobalPrivilege        4604  msiexec.exe
  Token: SeCreateTokenPrivilege         4604  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4604  msiexec.exe
  Token: SeLockMemoryPrivilege          4604  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4604  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                                             procid_target
  PID 4304 wrote to memory of 4604  4304  953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe  86
  PID 4304 wrote to memory of 4604  4304  953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe  86
  PID 1500 wrote to memory of 2004  1500  msiexec.exe                                         90
  PID 1500 wrote to memory of 2004  1500  msiexec.exe                                         90
  PID 1500 wrote to memory of 2004  1500  msiexec.exe                                         90
Processes

C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe"
  PID: 4304
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\msiexec.exe
    Command line: /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd.\Romi Royal Install\install\RummyRoyal_Live_hu.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\953d3e61466aaef1feb0f1218991b834_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
    PID: 4604
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1500
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 97F3CB350ACB5ACD49C0F2D91D4903B9 C
    PID: 2004
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 1afa5d8db46927c210ca89b7ec81e1c7
SHA1: e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd
SHA256: e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc
SHA512: 6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Filesize: 309KB
MD5: c274fc0ff2473e1d75051dd7e2705cad
SHA1: 97ed0425861e1858778ad179c392eeddb9a4db61
SHA256: cadb0be309bbe5c11b560fc2ab724808d47f5c7091a00f03068f66679ef3444b
SHA512: 2e80b0f75d3a067f62c4b37f9bfa6eae8bf27221baccf6debefd837fc70421ab0cbaadb1ce5c0736c8a2b6f64894791a54f89abfd2b80dd8c0e5f0756c5cbd54