Analysis
max time kernel: 16s
max time network: 16s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2024, 18:10

Behavioral task: behavioral1
Sample: dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
Resource: win10v2004-20240802-en
Errors
General
Target: dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
Size: 7.1MB
MD5: dcc6b52d7842b93ca9ca99adb1bb6aca
SHA1: 61b6684ecc133f98e62226838177fbb867211385
SHA256: b4420920593ccd0a26d9a99b8a8d027a1232a09148b074a983bfa1e850dd3ff2
SHA512: 2f13eda67d438cb3e13fb47a83a1bcc2ecccdac640dc9646ef0462d311e56c27544bfe7ce1fb324eec93611d01b9fc38c43cad824712bb25a970b29b4b9fb425
SSDEEP: 196608:DL4WstqqyuOsO/4MhiLX3HUP8zNvvn21IKXKlyOzw:DkWfHuOsOgMhij3dzhenVT
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\npf.sys | update.exe

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | MSI8989.tmp

Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Packet.dll | update.exe
File created | C:\Windows\system32\wpcap.dll | update.exe
File created | C:\Windows\system32\Packet.dll | update.exe
File created | C:\Windows\SysWOW64\pthreadVC.dll | update.exe
File created | C:\Windows\SysWOW64\wpcap.dll | update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\WinPcap\rpcapd.exe | update.exe
File created | C:\Program Files\WinPcap\LICENSE | update.exe
File created | C:\Program Files\WinPcap\uninstall.exe | update.exe

Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI86C8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8794.tmp | msiexec.exe
File created | C:\Windows\sysupdate.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI84C0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI85FA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8679.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{40360E66-1CE1-4EB2-A89A-697A94459BA9} | msiexec.exe
File opened for modification | C:\Windows\Installer\e578472.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8989.tmp | msiexec.exe
File created | C:\Windows\Installer\e578472.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI862A.tmp | msiexec.exe

Executes dropped EXE 3 IoCs
pid | Process
1224 | MSI8989.tmp
984 | instsrv.exe
4080 | update.exe

Loads dropped DLL 10 IoCs
pid | Process
3308 | MsiExec.exe
3308 | MsiExec.exe
3308 | MsiExec.exe
3308 | MsiExec.exe
3308 | MsiExec.exe
4080 | update.exe
4080 | update.exe
4080 | update.exe
4080 | update.exe
4080 | update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
4728 | msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | instsrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI8989.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe

NSIS installer 2 IoCs
resource | yara_rule
behavioral2/files/0x00070000000234bd-107.dat | nsis_installer_1
behavioral2/files/0x00070000000234bd-107.dat | nsis_installer_2

Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe

Runs .reg file with regedit 1 IoCs
pid | Process
716 | regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4596 | msiexec.exe
4596 | msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
656 | Process not Found

Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4728 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4728 | msiexec.exe
Token: SeSecurityPrivilege | 4596 | msiexec.exe
Token: SeCreateTokenPrivilege | 4728 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4728 | msiexec.exe
Token: SeLockMemoryPrivilege | 4728 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4728 | msiexec.exe
Token: SeMachineAccountPrivilege | 4728 | msiexec.exe
Token: SeTcbPrivilege | 4728 | msiexec.exe
Token: SeSecurityPrivilege | 4728 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4728 | msiexec.exe
Token: SeLoadDriverPrivilege | 4728 | msiexec.exe
Token: SeSystemProfilePrivilege | 4728 | msiexec.exe
Token: SeSystemtimePrivilege | 4728 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4728 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4728 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4728 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4728 | msiexec.exe
Token: SeBackupPrivilege | 4728 | msiexec.exe
Token: SeRestorePrivilege | 4728 | msiexec.exe
Token: SeShutdownPrivilege | 4728 | msiexec.exe
Token: SeDebugPrivilege | 4728 | msiexec.exe
Token: SeAuditPrivilege | 4728 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4728 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4728 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4728 | msiexec.exe
Token: SeUndockPrivilege | 4728 | msiexec.exe
Token: SeSyncAgentPrivilege | 4728 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4728 | msiexec.exe
Token: SeManageVolumePrivilege | 4728 | msiexec.exe
Token: SeImpersonatePrivilege | 4728 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4728 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeRestorePrivilege | 4596 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4596 | msiexec.exe
Token: SeShutdownPrivilege | 4596 | msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4728 | msiexec.exe
4728 | msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4904 | LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4596 wrote to memory of 3308 | 4596 | msiexec.exe | 85
PID 4596 wrote to memory of 3308 | 4596 | msiexec.exe | 85
PID 4596 wrote to memory of 3308 | 4596 | msiexec.exe | 85
PID 4596 wrote to memory of 1224 | 4596 | msiexec.exe | 89
PID 4596 wrote to memory of 1224 | 4596 | msiexec.exe | 89
PID 4596 wrote to memory of 1224 | 4596 | msiexec.exe | 89
PID 1224 wrote to memory of 2520 | 1224 | MSI8989.tmp | 90
PID 1224 wrote to memory of 2520 | 1224 | MSI8989.tmp | 90
PID 1224 wrote to memory of 2520 | 1224 | MSI8989.tmp | 90
PID 2520 wrote to memory of 984 | 2520 | cmd.exe | 92
PID 2520 wrote to memory of 984 | 2520 | cmd.exe | 92
PID 2520 wrote to memory of 984 | 2520 | cmd.exe | 92
PID 2520 wrote to memory of 716 | 2520 | cmd.exe | 93
PID 2520 wrote to memory of 716 | 2520 | cmd.exe | 93
PID 2520 wrote to memory of 716 | 2520 | cmd.exe | 93
PID 2520 wrote to memory of 4080 | 2520 | cmd.exe | 94
PID 2520 wrote to memory of 4080 | 2520 | cmd.exe | 94
PID 2520 wrote to memory of 4080 | 2520 | cmd.exe | 94
PID 4080 wrote to memory of 404 | 4080 | update.exe | 95
PID 4080 wrote to memory of 404 | 4080 | update.exe | 95
PID 4080 wrote to memory of 404 | 4080 | update.exe | 95
PID 404 wrote to memory of 876 | 404 | net.exe | 97
PID 404 wrote to memory of 876 | 404 | net.exe | 97
PID 404 wrote to memory of 876 | 404 | net.exe | 97
PID 4080 wrote to memory of 540 | 4080 | update.exe | 98
PID 4080 wrote to memory of 540 | 4080 | update.exe | 98
PID 4080 wrote to memory of 540 | 4080 | update.exe | 98
PID 540 wrote to memory of 2632 | 540 | net.exe | 100
PID 540 wrote to memory of 2632 | 540 | net.exe | 100
PID 540 wrote to memory of 2632 | 540 | net.exe | 100
PID 3308 wrote to memory of 3576 | 3308 | MsiExec.exe | 101
PID 3308 wrote to memory of 3576 | 3308 | MsiExec.exe | 101
PID 3308 wrote to memory of 3576 | 3308 | MsiExec.exe | 101
PID 3308 wrote to memory of 3156 | 3308 | MsiExec.exe | 103
PID 3308 wrote to memory of 3156 | 3308 | MsiExec.exe | 103
PID 3308 wrote to memory of 3156 | 3308 | MsiExec.exe | 103
PID 3308 wrote to memory of 2132 | 3308 | MsiExec.exe | 105
PID 3308 wrote to memory of 2132 | 3308 | MsiExec.exe | 105
PID 3308 wrote to memory of 2132 | 3308 | MsiExec.exe | 105
PID 3308 wrote to memory of 4136 | 3308 | MsiExec.exe | 107
PID 3308 wrote to memory of 4136 | 3308 | MsiExec.exe | 107
PID 3308 wrote to memory of 4136 | 3308 | MsiExec.exe | 107
PID 3308 wrote to memory of 1416 | 3308 | MsiExec.exe | 111
PID 3308 wrote to memory of 1416 | 3308 | MsiExec.exe | 111
PID 3308 wrote to memory of 1416 | 3308 | MsiExec.exe | 111
PID 3308 wrote to memory of 1160 | 3308 | MsiExec.exe | 113
PID 3308 wrote to memory of 1160 | 3308 | MsiExec.exe | 113
PID 3308 wrote to memory of 1160 | 3308 | MsiExec.exe | 113
PID 3308 wrote to memory of 3212 | 3308 | MsiExec.exe | 115
PID 3308 wrote to memory of 3212 | 3308 | MsiExec.exe | 115
PID 3308 wrote to memory of 3212 | 3308 | MsiExec.exe | 115
PID 3308 wrote to memory of 4256 | 3308 | MsiExec.exe | 119
PID 3308 wrote to memory of 4256 | 3308 | MsiExec.exe | 119
PID 3308 wrote to memory of 4256 | 3308 | MsiExec.exe | 119
PID 3308 wrote to memory of 1100 | 3308 | MsiExec.exe | 121
PID 3308 wrote to memory of 1100 | 3308 | MsiExec.exe | 121
PID 3308 wrote to memory of 1100 | 3308 | MsiExec.exe | 121
PID 3308 wrote to memory of 5040 | 3308 | MsiExec.exe | 123
PID 3308 wrote to memory of 5040 | 3308 | MsiExec.exe | 123
PID 3308 wrote to memory of 5040 | 3308 | MsiExec.exe | 123
PID 3308 wrote to memory of 716 | 3308 | MsiExec.exe | 125
PID 3308 wrote to memory of 716 | 3308 | MsiExec.exe | 125
PID 3308 wrote to memory of 716 | 3308 | MsiExec.exe | 125
PID 3308 wrote to memory of 1240 | 3308 | MsiExec.exe | 127
Processes
(process tree; indentation shows parent/child relationship)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
  PID: 4728
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4596
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0A67B6F53A3639C5C766B1E2569893F0
    PID: 3308
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
      PID: 3576
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
      PID: 3156
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      PID: 2132
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      PID: 4136
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      PID: 1416
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      PID: 1160
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      PID: 3212
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      PID: 4256
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
      PID: 1100
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
      PID: 5040
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
      PID: 716
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
      PID: 1240
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
      PID: 876
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
      PID: 1300
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
      PID: 3436
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
      PID: 1224
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
      PID: 2316
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
      PID: 4332
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
      PID: 3228
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
      PID: 4152
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
      PID: 1648
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
      PID: 4564
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
      PID: 2376
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSI8989.tmp
    Command line: "C:\Windows\Installer\MSI8989.tmp" /HideWindow "C:\Msupdate\service.bat"
    PID: 1224
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Msupdate\service.bat" "
      PID: 2520
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      \??\c:\Msupdate\instsrv.exe
        Command line: c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
        PID: 984
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\regedit.exe
        Command line: regedit /s 1.reg
        PID: 716
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit

      C:\Msupdate\update.exe
        Command line: update.exe /S
        PID: 4080
        - Drops file in Drivers directory
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net stop npf
          PID: 404
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop npf
            PID: 876
            - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\net.exe
          Command line: net start npf
          PID: 540
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start npf
            PID: 2632
            - System Location Discovery: System Language Discovery

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
  PID: 4904
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Event Triggered Execution (2)
    Installer Packages (1)
    Netsh Helper DLL (1)
Downloads

Filesize: 13KB
MD5: 714b3f24cca1309cf1a2527128560a24
SHA1: e5b8557056dbeb6b68535a5d25bf2e7027dfaf7f
SHA256: 93f84d718573d612cd18a927f7ad8c4d27adb409309464f1685110922ec2be31
SHA512: 85659b263282fcfa31d5b91be6331ee7dc2a9409abe69a4d94b27f803a1da16c5f200fd5fe318013a7083067e7118a57f42ae6ad8b3fe2c9f32cceb17f755572

Filesize: 416B
MD5: 8dacf3ded9159fb1f5b065215e1fd8aa
SHA1: 0c43e91b996ca72b75a02de3f85a695ded7a4a5e
SHA256: 1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5
SHA512: a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

Filesize: 31KB
MD5: 9f7acaad365af0d1a3cd9261e3208b9b
SHA1: b4c7049562e770093e707ac1329cb37ad6313a37
SHA256: f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c
SHA512: 6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Filesize: 88B
MD5: b10428f1774d2caa81092891a980f9e7
SHA1: 6fb6df8cb4d293c0e0264c83d97f016fbb0da926
SHA256: 884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c
SHA512: 9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

Filesize: 422KB
MD5: c6f1d4a6cccd04e4b15a96942372d5f7
SHA1: 2f79839fe5cb740f21b29dae3181f43c1ae9de9c
SHA256: 89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e
SHA512: 1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

Filesize: 11KB
MD5: 00a0194c20ee912257df53bfe258ee4a
SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Filesize: 6KB
MD5: e54eb27fb5048964e8d1ec7a1f72334b
SHA1: 2b76d7aedafd724de96532b00fbc6c7c370e4609
SHA256: ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
SHA512: c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Filesize: 243KB
MD5: aaab8d3f7e9e8f143a17a0d15a1d1715
SHA1: 8aca4e362e4cdc68c2f8f8f35f200126716f9c74
SHA256: fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889
SHA512: 1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Filesize: 380KB
MD5: 3eb31b9a689d506f3b1d3738d28ab640
SHA1: 1681fe3bbdcbe617a034b092ea77249dd4c3e986
SHA256: 3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46
SHA512: 2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

Filesize: 17KB
MD5: 73c578ca2383a2e7f4687cdee410aefe
SHA1: 431b7de3091245b3affbf1911da17a6964b813dc
SHA256: 67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1
SHA512: 915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

Filesize: 8KB
MD5: 4635935fc972c582632bf45c26bfcb0e
SHA1: 7c5329229042535fe56e74f1f246c6da8cea3be8
SHA256: abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
SHA512: 167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060