d3d6b02f0bb3a8cc5db01a6f07df1b26d201f0b462f67792f6268cadc2ede0ca

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe
Size

64KB
MD5

b7ea89003187ef6cef046870dc568cfb
SHA1

6739b2b7172e6dc46f9165e47ac57adfae7c9e17
SHA256

d3d6b02f0bb3a8cc5db01a6f07df1b26d201f0b462f67792f6268cadc2ede0ca
SHA512

c1ee292fa5a51a090cfff361e731938b4629d9640d5e5c47e57aa16a9990562dbf7581753d3209c645ec03b661c9d72962ee9f524f8df8b346587c947cafcda2
SSDEEP

1536:LWNXc5SO0fbpZQYSQUuFUSqOXkmu4jLzauhlw37e1r6Q34fSRW:L4Xc5SO0fbpKuFD7YsPhlg7eG9n

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	inlD359.tmp

Loads dropped DLL 2 IoCs

pid	Process
2512	cmd.exe
2512	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f79d450.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79d450.msi	msiexec.exe
File created	C:\Windows\Installer\f79d453.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4DC.tmp	msiexec.exe
File created	C:\Windows\Installer\f79d455.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79d453.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1808	msiexec.exe
1808	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3020	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	1808	msiexec.exe
Token: SeCreateTokenPrivilege	3020	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3020	msiexec.exe
Token: SeLockMemoryPrivilege	3020	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3020	msiexec.exe
Token: SeMachineAccountPrivilege	3020	msiexec.exe
Token: SeTcbPrivilege	3020	msiexec.exe
Token: SeSecurityPrivilege	3020	msiexec.exe
Token: SeTakeOwnershipPrivilege	3020	msiexec.exe
Token: SeLoadDriverPrivilege	3020	msiexec.exe
Token: SeSystemProfilePrivilege	3020	msiexec.exe
Token: SeSystemtimePrivilege	3020	msiexec.exe
Token: SeProfSingleProcessPrivilege	3020	msiexec.exe
Token: SeIncBasePriorityPrivilege	3020	msiexec.exe
Token: SeCreatePagefilePrivilege	3020	msiexec.exe
Token: SeCreatePermanentPrivilege	3020	msiexec.exe
Token: SeBackupPrivilege	3020	msiexec.exe
Token: SeRestorePrivilege	3020	msiexec.exe
Token: SeShutdownPrivilege	3020	msiexec.exe
Token: SeDebugPrivilege	3020	msiexec.exe
Token: SeAuditPrivilege	3020	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3020	msiexec.exe
Token: SeChangeNotifyPrivilege	3020	msiexec.exe
Token: SeRemoteShutdownPrivilege	3020	msiexec.exe
Token: SeUndockPrivilege	3020	msiexec.exe
Token: SeSyncAgentPrivilege	3020	msiexec.exe
Token: SeEnableDelegationPrivilege	3020	msiexec.exe
Token: SeManageVolumePrivilege	3020	msiexec.exe
Token: SeImpersonatePrivilege	3020	msiexec.exe
Token: SeCreateGlobalPrivilege	3020	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 3068 wrote to memory of 3020	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	31
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 1808 wrote to memory of 2372	1808	msiexec.exe	33
PID 3068 wrote to memory of 2512	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	35
PID 3068 wrote to memory of 2512	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	35
PID 3068 wrote to memory of 2512	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	35
PID 3068 wrote to memory of 2512	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	35
PID 3068 wrote to memory of 1644	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	36
PID 3068 wrote to memory of 1644	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	36
PID 3068 wrote to memory of 1644	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	36
PID 3068 wrote to memory of 1644	3068	b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe	36
PID 2512 wrote to memory of 1136	2512	cmd.exe	39
PID 2512 wrote to memory of 1136	2512	cmd.exe	39
PID 2512 wrote to memory of 1136	2512	cmd.exe	39
PID 2512 wrote to memory of 1136	2512	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7ea89003187ef6cef046870dc568cfb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\INSD0D~1.INI /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\inlD359.tmp
    C:\Users\Admin\AppData\Local\Temp\inlD359.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B7EA89~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B143B6D49F3403A3E132DB49A4645EFC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f79d454.rbs

Filesize
7KB

MD5
1fa4606f2b355b47d8814fb21f7c3102

SHA1
1eb5df4bc322a344937c89d4ae943b7ada25be1e

SHA256
8f1f343d11e4d64a5c844832aff5f4a20534e4bc8db062823e36335c6cc517f4

SHA512
808896a366aa6fe867c13fdb90f02405d3684846413cd769b2269daf4dad1c1dbea7bc9d36419a852c7caebb60880d76f10454811d46ca5b0929c9a458d09f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSD0D~1.INI

Filesize
66KB

MD5
25f0b0c5f4fbc4c0c936c67209b5116d

SHA1
d19a7e0a76a3462c5dfabd82be45a73280aa5e2a

SHA256
73e2e15491aebf197a854081b8deb18a23d2e7454f579dc2f2f83425a4567099

SHA512
238342c40eea012b470b5fc99f101909cc7818f67aaa57942bb97d0ae99bfbfe2b5007cdca0b5028725433d433ba430ff4c74324dea14afaec0fb27f31cfd040

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
9c06914b6d128939f9d683f492b380ac

SHA1
2e618e97cc2b4194b3f4bb48a17ce18bb1fea59d

SHA256
e81d3080bfcaebd6097218bc4605ca0ef62f8579fb0d56e27b3a0a9e85f3b044

SHA512
98eb3ddc0cccafc39aa7a5d7ca114d4cd8a3f1b26d8a6bf9677635b6fd1f329143a17f0cccb3a0897869834681adc9dcc207d32b16513a8e30edc6babec9f5ae

Download Submit
memory/3068-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3068-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3068-6-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3068-25-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/3068-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download