92dc93d00d23934b3ca24ed19ba79d4be9eb2012658b41ed32570a2bb1d86ad8

General

Target

db8147c277df25be04918bb25776d9b3_JaffaCakes118.msi
Size

384KB
MD5

db8147c277df25be04918bb25776d9b3
SHA1

5786894210952d0e3f46bada4d068fede586ab7a
SHA256

92dc93d00d23934b3ca24ed19ba79d4be9eb2012658b41ed32570a2bb1d86ad8
SHA512

dfbf4d62fd6595132839de9beefc3bbe737fa789d4d4593b528ae3ecb48b0c06d74a86a96a86887e4b734370ba3b2c0822a0cbce79a69d6c369beb517cf3c2cd
SSDEEP

6144:BbZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WN:BbZNNNzbCClCA+jp02GmWhJnav5jUk

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

4 4356 msiexec.exe

flow	pid	process
4	4356	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e57c091.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC13D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c093.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ARPIcon	msiexec.exe
File created	C:\Windows\Installer\e57c091.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}	msiexec.exe
File created	C:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ARPIcon	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

4356 msiexec.exe

pid	process
4356	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media\1 = ";1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AE2841C3D7016247914C7DE6E8A2CA5\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\AuthorizedLUAApp = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AE2841C3D7016247914C7DE6E8A2CA5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\PackageName = "db8147c277df25be04918bb25776d9b3_JaffaCakes118.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\PackageCode = "FB66A8474BA24C8439AA68CE17006060"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\ProductName = "Microsoft Silverlight"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\ProductIcon = "C:\\Windows\\Installer\\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\\ARPIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media\DiskPrompt = "Microsoft's Silverlight Installation [1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7314F9862C648A4DB8BE2A5B47BE100\Complete	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1536 msiexec.exe
1536 msiexec.exe

pid	process
1536	msiexec.exe
1536	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4356	msiexec.exe
Token: SeSecurityPrivilege	1536	msiexec.exe
Token: SeCreateTokenPrivilege	4356	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4356	msiexec.exe
Token: SeLockMemoryPrivilege	4356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4356	msiexec.exe
Token: SeMachineAccountPrivilege	4356	msiexec.exe
Token: SeTcbPrivilege	4356	msiexec.exe
Token: SeSecurityPrivilege	4356	msiexec.exe
Token: SeTakeOwnershipPrivilege	4356	msiexec.exe
Token: SeLoadDriverPrivilege	4356	msiexec.exe
Token: SeSystemProfilePrivilege	4356	msiexec.exe
Token: SeSystemtimePrivilege	4356	msiexec.exe
Token: SeProfSingleProcessPrivilege	4356	msiexec.exe
Token: SeIncBasePriorityPrivilege	4356	msiexec.exe
Token: SeCreatePagefilePrivilege	4356	msiexec.exe
Token: SeCreatePermanentPrivilege	4356	msiexec.exe
Token: SeBackupPrivilege	4356	msiexec.exe
Token: SeRestorePrivilege	4356	msiexec.exe
Token: SeShutdownPrivilege	4356	msiexec.exe
Token: SeDebugPrivilege	4356	msiexec.exe
Token: SeAuditPrivilege	4356	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4356	msiexec.exe
Token: SeChangeNotifyPrivilege	4356	msiexec.exe
Token: SeRemoteShutdownPrivilege	4356	msiexec.exe
Token: SeUndockPrivilege	4356	msiexec.exe
Token: SeSyncAgentPrivilege	4356	msiexec.exe
Token: SeEnableDelegationPrivilege	4356	msiexec.exe
Token: SeManageVolumePrivilege	4356	msiexec.exe
Token: SeImpersonatePrivilege	4356	msiexec.exe
Token: SeCreateGlobalPrivilege	4356	msiexec.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe
Token: SeTakeOwnershipPrivilege	1536	msiexec.exe
Token: SeRestorePrivilege	1536	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4356 msiexec.exe
4356 msiexec.exe

pid	process
4356	msiexec.exe
4356	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1536 wrote to memory of 3984	1536	msiexec.exe	srtasks.exe
PID 1536 wrote to memory of 3984	1536	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\db8147c277df25be04918bb25776d9b3_JaffaCakes118.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c092.rbs

Filesize
7KB

MD5
5aa81583de8d0199e58862a289a5a39d

SHA1
c4995f838bc642b957eb2bd1c81f1b1ced2aa69b

SHA256
735d6f5ab39b34f35cb6e59d3de1d2fa85001ee94a9ba1e511cd0b4590b40dce

SHA512
650cafc935957522e4653ba5cc62fefab896846b4a16651d648960f0057277a5cb7f4ee05151ead3e08a87224d57dee4fdee805feef574b1e8eab7baccfd6dd4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d3adcd42f5f0e3dc2e19feabf723ce67

SHA1
f2d9149874bc7cb71e011a5710609f6744cf8267

SHA256
ea6ff3001ad3d0d6ef8a81a5d0df23435ad6ebe2f5121d6347f05daa0aa722ab

SHA512
a912700a7d60dd6986d0fccacaefdf82b91b1333627e2c074685ddc031d83b10ee7c5e8f0da2600964248aa8c052998ac3ab66aa2e5d534306942e878d193cf7

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{624d38ad-d051-4792-a8e9-3f8ee2ae11f0}_OnDiskSnapshotProp

Filesize
6KB

MD5
09c275ce89d44d9de95e37596608ea1e

SHA1
4d4ef72f51178a87fb86c85fdd8a06c6fb30e580

SHA256
fbebcb36df88efeb249f8d680ed6aca6b92fcbc3c1bb38ae4ed1e977c7ff78f4

SHA512
b8a65076ff0846a0c381f7e046d5491d0cf32203c58da606f05f6febf511fad9683dcc5901068072265f0f74825e9e82911cc7d15490d55d986e378ffb0e3854

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads