Analysis

max time kernel: 135s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 22/08/2024, 22:34
Static task: static1
Behavioral task: behavioral1
  Sample: b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe
Size: 6.9MB
MD5: b95b00c99e16d30b9b90a9e83636d950
SHA1: 480657cb6dd2ce6538a5cbf15b2fa23ad80c1735
SHA256: 676349abee2a248ac58a6d310297d7495aa373e50b14f30c260cd9e5130dadf9
SHA512: b69afb94197b28a26018f04550fc3b1a8bbc0a0dd4c042dd901cd97da58437fcd9793df61fcb11f4d73519b6de75461b7d4491b334b296221b17d8731565dccc
SSDEEP: 196608:7uJsdx+1Qk0zBOgRYK46bz6KlzilWLgM6NQA9B1:7pdx+1B0zYP6iKJs9B1
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
  pid 2540 MsiExec.exe (4 events)

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe (23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by msiexec.exe (23 IoCs): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (Both processes probe every drive letter from A: to Z: except C:, D: and F:.)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe

Suspicious use of AdjustPrivilegeToken (59 IoCs)
  Token privileges adjusted by pid 4444 b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe (each of the 29 privileges below is recorded twice, 58 IoCs):
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Token privilege adjusted by pid 3236 msiexec.exe (1 IoC): SeSecurityPrivilege

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 4444 b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3236 msiexec.exe wrote to memory of PID 2540 (procid_target 89), recorded 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b95b00c99e16d30b9b90a9e83636d950_JaffaCakes118.exe"
  PID: 4444
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3236
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 3236)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FBFDA069D157D46599FE37E4F0FCD2B2 C
    PID: 2540
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads