formbook | 5769552a9af543e41095228db9b00ab952054d801cfb3c9cf0c963f081b0db45

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddb54ca7ae8e1fc904958195c75b6ac4_JaffaCakes118.msi
Size

396KB
MD5

ddb54ca7ae8e1fc904958195c75b6ac4
SHA1

baf9719007189d2093c300eacb04b2b0b1ba7213
SHA256

5769552a9af543e41095228db9b00ab952054d801cfb3c9cf0c963f081b0db45
SHA512

70a9ea0a74656061109d63f8c7f9875a592a098a441f2359798be3f4e32739e860ce93ea2545efa942e1d76077409ca4bf827f66cd7435a9061ffd0b15f36daa
SSDEEP

6144:0E9grDJ70jCtZhT9/zB0MhKbWQrkZ9IYlWUl:0ECwjCbiMIW6kz9lW

Score

10^/10

formbook jo discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

coronaoasis.win

nourbanu.com

sz-bfh.com

kuhaier.com

qzcgs.com

thecalligraphyclub.com

moneize.com

flinkgaard.com

restaurantsdenhaag.online

yusheeta.com

666668z.com

umbilicus.net

vrpingmu.com

salajeet.net

whatyououghta.com

g3pharmaceuticals.com

news3144.photography

rcraynor.com

sztxnv.men

larwood.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1128-55-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1128-58-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\obj2buttonholer = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\obj2Hopscotcher.vbs\""	obj2Hopscotcher.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1532	2668	MSIEE47.tmp	36
PID 1808 set thread context of 2024	1808	obj2Hopscotcher.exe	38
PID 2024 set thread context of 1128	2024	obj2Hopscotcher.exe	39
PID 1128 set thread context of 1224	1128	obj2Hopscotcher.exe	21
PID 1436 set thread context of 1224	1436	ipconfig.exe	21

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76ec93.ipi	msiexec.exe
File opened for modification	C:\Windows\win.ini	MSIEE47.tmp
File opened for modification	C:\Windows\win.ini	obj2Hopscotcher.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76ec90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ec93.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ec90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE47.tmp	msiexec.exe
File opened for modification	C:\Windows\win.ini	MSIEE47.tmp
File opened for modification	C:\Windows\win.ini	obj2Hopscotcher.exe

Executes dropped EXE 5 IoCs

pid	Process
2668	MSIEE47.tmp
1532	MSIEE47.tmp
1808	obj2Hopscotcher.exe
2024	obj2Hopscotcher.exe
1128	obj2Hopscotcher.exe

Loads dropped DLL 5 IoCs

pid	Process
2668	MSIEE47.tmp
1532	MSIEE47.tmp
1532	MSIEE47.tmp
1808	obj2Hopscotcher.exe
2024	obj2Hopscotcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1728	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEE47.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEE47.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obj2Hopscotcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obj2Hopscotcher.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1436	ipconfig.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2300	msiexec.exe
2300	msiexec.exe
1128	obj2Hopscotcher.exe
1128	obj2Hopscotcher.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe
1436	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1128	obj2Hopscotcher.exe
1128	obj2Hopscotcher.exe
1128	obj2Hopscotcher.exe
1436	ipconfig.exe
1436	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	2300	msiexec.exe
Token: SeCreateTokenPrivilege	1728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1728	msiexec.exe
Token: SeLockMemoryPrivilege	1728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1728	msiexec.exe
Token: SeMachineAccountPrivilege	1728	msiexec.exe
Token: SeTcbPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeLoadDriverPrivilege	1728	msiexec.exe
Token: SeSystemProfilePrivilege	1728	msiexec.exe
Token: SeSystemtimePrivilege	1728	msiexec.exe
Token: SeProfSingleProcessPrivilege	1728	msiexec.exe
Token: SeIncBasePriorityPrivilege	1728	msiexec.exe
Token: SeCreatePagefilePrivilege	1728	msiexec.exe
Token: SeCreatePermanentPrivilege	1728	msiexec.exe
Token: SeBackupPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeShutdownPrivilege	1728	msiexec.exe
Token: SeDebugPrivilege	1728	msiexec.exe
Token: SeAuditPrivilege	1728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1728	msiexec.exe
Token: SeChangeNotifyPrivilege	1728	msiexec.exe
Token: SeRemoteShutdownPrivilege	1728	msiexec.exe
Token: SeUndockPrivilege	1728	msiexec.exe
Token: SeSyncAgentPrivilege	1728	msiexec.exe
Token: SeEnableDelegationPrivilege	1728	msiexec.exe
Token: SeManageVolumePrivilege	1728	msiexec.exe
Token: SeImpersonatePrivilege	1728	msiexec.exe
Token: SeCreateGlobalPrivilege	1728	msiexec.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe
Token: SeBackupPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2748	DrvInst.exe
Token: SeLoadDriverPrivilege	2748	DrvInst.exe
Token: SeLoadDriverPrivilege	2748	DrvInst.exe
Token: SeLoadDriverPrivilege	2748	DrvInst.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeDebugPrivilege	1128	obj2Hopscotcher.exe
Token: SeDebugPrivilege	1436	ipconfig.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1728	msiexec.exe
1728	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2668	MSIEE47.tmp
1532	MSIEE47.tmp
1808	obj2Hopscotcher.exe
2024	obj2Hopscotcher.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2668	2300	msiexec.exe	35
PID 2300 wrote to memory of 2668	2300	msiexec.exe	35
PID 2300 wrote to memory of 2668	2300	msiexec.exe	35
PID 2300 wrote to memory of 2668	2300	msiexec.exe	35
PID 2668 wrote to memory of 1532	2668	MSIEE47.tmp	36
PID 2668 wrote to memory of 1532	2668	MSIEE47.tmp	36
PID 2668 wrote to memory of 1532	2668	MSIEE47.tmp	36
PID 2668 wrote to memory of 1532	2668	MSIEE47.tmp	36
PID 1532 wrote to memory of 1808	1532	MSIEE47.tmp	37
PID 1532 wrote to memory of 1808	1532	MSIEE47.tmp	37
PID 1532 wrote to memory of 1808	1532	MSIEE47.tmp	37
PID 1532 wrote to memory of 1808	1532	MSIEE47.tmp	37
PID 1808 wrote to memory of 2024	1808	obj2Hopscotcher.exe	38
PID 1808 wrote to memory of 2024	1808	obj2Hopscotcher.exe	38
PID 1808 wrote to memory of 2024	1808	obj2Hopscotcher.exe	38
PID 1808 wrote to memory of 2024	1808	obj2Hopscotcher.exe	38
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 2024 wrote to memory of 1128	2024	obj2Hopscotcher.exe	39
PID 1224 wrote to memory of 1436	1224	Explorer.EXE	40
PID 1224 wrote to memory of 1436	1224	Explorer.EXE	40
PID 1224 wrote to memory of 1436	1224	Explorer.EXE	40
PID 1224 wrote to memory of 1436	1224	Explorer.EXE	40
PID 1436 wrote to memory of 1712	1436	ipconfig.exe	41
PID 1436 wrote to memory of 1712	1436	ipconfig.exe	41
PID 1436 wrote to memory of 1712	1436	ipconfig.exe	41
PID 1436 wrote to memory of 1712	1436	ipconfig.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddb54ca7ae8e1fc904958195c75b6ac4_JaffaCakes118.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1728
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\Installer\MSIEE47.tmp
  "C:\Windows\Installer\MSIEE47.tmp" /S
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\Installer\MSIEE47.tmp
    "C:\Windows\Installer\MSIEE47.tmp" /S
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe
      "C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe"
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe"
        6⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "000000000000056C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ec94.rbs

Filesize
663B

MD5
05e57aa6d0eaa841475ef8dde8907177

SHA1
281569dcc9fb7031ca644d04844a0149a59153ee

SHA256
aa389f5baf2a657008c37153eba891f93b89336fab9de6ca71d3dfde19c4af47

SHA512
693af9c98d432494de5941a535800dcdb990e3dcb778c7f2f9aab1edbe0f33d126a5ff45087fc95b5f7c6ca4276230b4056472155e785078a11444902915c843

Download Submit
C:\Windows\Installer\MSIEE47.tmp

Filesize
372KB

MD5
558f64828f0728d020a1a67fb3926ba2

SHA1
358c7830694425a297f6ae4e2442644359b3be86

SHA256
8525ec065d97a02948e2a6be8de497ed30cebf72ed42b211aa3c42f0b5743bdb

SHA512
948f793c81ad758413245a25ec967e701b5c4535818c637bddccce4d621e3621ad41439ea9128179e0e0289246f0845cb56491ce6a6ea111bd9197706830c2cb

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\obj2Hopscotcher.exe

Filesize
372KB

MD5
50e7370f3a09528304e5516c8f293b41

SHA1
ee9284a07c4c97d5127ba48887d254057bc202de

SHA256
7034e383b30311c7694faf21a1042ab533f64b20514304a12a951d4a338da774

SHA512
758fc68e3c1e9c7a2e0a0f8d74d5eb450b96057bf95babae9e066af172129a3dc5b93c6eb84ef616efdf16cd7971bb644faccae0a7d808684bf1e8350fde302a

Download Submit
memory/1128-55-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1128-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1224-64-0x0000000005030000-0x00000000050D9000-memory.dmp

Filesize
676KB

Download
memory/1436-60-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download