Overview

overview

10

Static

static

10

df718f483c...18.msi

windows7-x64

df718f483c...18.msi

windows10-2004-x64

Analysis

  • max time kernel
    8s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 03:54

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    df718f483c5ea64837d0c39362f9217c_JaffaCakes118.msi

  • Size

    10.0MB

  • MD5

    df718f483c5ea64837d0c39362f9217c

  • SHA1

    f9013f3eb437ef214fdeb185f3ceaa8486feac4b

  • SHA256

    b38fbe4ab4fd48381ff5e54790671a333f8218cf06864210629c87c106b4ad03

  • SHA512

    4b1cdcd09d17d3779f8f45c090e24c17f26c1b6c807239ed1134f9c241e9f8ccfc9ccce8d349dc56800cff24203acae0a9ea5a5a44aa32e4f17028ef6c2dfc17

  • SSDEEP

    196608:/u6Ls0D6u3xBVHnIsTbINdGWhegniZ6MNCuBRKsyl0JcftAGXVITQ:/fLDzxLIsvINdzA2AylHlA8P

Score
8/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\df718f483c5ea64837d0c39362f9217c_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2124
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5C0DD5CDBB271DC15274E177124A790
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2196
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1856
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3000
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:752
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1660
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1748
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1644
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2460
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2452
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1680
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:876
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1828
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2340
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2832
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2852
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3052
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2352
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2720
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2176
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2564
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1576
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1876
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1884
    • C:\Windows\Installer\MSIC3B3.tmp
      "C:\Windows\Installer\MSIC3B3.tmp" /HideWindow "C:\Msupdate\service.bat"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Msupdate\service.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:664
        • \??\c:\Msupdate\instsrv.exe
          c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
          4⤵
          • Executes dropped EXE
          PID:2388
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s 1.reg
          4⤵
          • System Location Discovery: System Language Discovery
          • Runs .reg file with regedit
          PID:2020
        • C:\Msupdate\update.exe
          update.exe /S
          4⤵
          • Drops file in Drivers directory
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\SysWOW64\net.exe
            net stop npf
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop npf
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1880
          • C:\Windows\SysWOW64\net.exe
            net start npf
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start npf
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2956
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:844
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1856

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f76c066.rbs
        Filesize

        15KB

        MD5

        c404513b288040c761345396d52c6d24

        SHA1

        01cb965e01ac49c060b769adf2e64e0f7c7ac1e2

        SHA256

        7db55c6896ad03d2cf8170ac9d9b0739da189e6bebc793c08f8260265ac45503

        SHA512

        09b607cb22d48efc20c5ece9bbde119c24cb9d8288a1c80f6479e3a27cefd42e7f538cedb06a6b0c7345f3f3027963f6db18813a29495102ca8c9a5196218fa5

        Download Submit

      • C:\Msupdate\1.reg
        Filesize

        416B

        MD5

        8dacf3ded9159fb1f5b065215e1fd8aa

        SHA1

        0c43e91b996ca72b75a02de3f85a695ded7a4a5e

        SHA256

        1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5

        SHA512

        a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

        Download Submit

      • C:\Msupdate\instsrv.exe
        Filesize

        31KB

        MD5

        9f7acaad365af0d1a3cd9261e3208b9b

        SHA1

        b4c7049562e770093e707ac1329cb37ad6313a37

        SHA256

        f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

        SHA512

        6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

        Download Submit

      • C:\Msupdate\service.bat
        Filesize

        88B

        MD5

        b10428f1774d2caa81092891a980f9e7

        SHA1

        6fb6df8cb4d293c0e0264c83d97f016fbb0da926

        SHA256

        884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c

        SHA512

        9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

        Download Submit

      • C:\Windows\Installer\MSIC081.tmp
        Filesize

        243KB

        MD5

        aaab8d3f7e9e8f143a17a0d15a1d1715

        SHA1

        8aca4e362e4cdc68c2f8f8f35f200126716f9c74

        SHA256

        fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

        SHA512

        1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

        Download Submit

      • C:\Windows\Installer\MSIC3B3.tmp
        Filesize

        17KB

        MD5

        73c578ca2383a2e7f4687cdee410aefe

        SHA1

        431b7de3091245b3affbf1911da17a6964b813dc

        SHA256

        67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1

        SHA512

        915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

        Download Submit

      • \??\c:\Msupdate\srvany.exe
        Filesize

        8KB

        MD5

        4635935fc972c582632bf45c26bfcb0e

        SHA1

        7c5329229042535fe56e74f1f246c6da8cea3be8

        SHA256

        abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

        SHA512

        167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

        Download Submit

      • \Msupdate\update.exe
        Filesize

        422KB

        MD5

        c6f1d4a6cccd04e4b15a96942372d5f7

        SHA1

        2f79839fe5cb740f21b29dae3181f43c1ae9de9c

        SHA256

        89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e

        SHA512

        1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsoC4B8.tmp\System.dll
        Filesize

        11KB

        MD5

        00a0194c20ee912257df53bfe258ee4a

        SHA1

        d7b4e319bc5119024690dc8230b9cc919b1b86b2

        SHA256

        dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

        SHA512

        3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

        Download Submit

      • \Users\Admin\AppData\Local\Temp\nsoC4B8.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        e54eb27fb5048964e8d1ec7a1f72334b

        SHA1

        2b76d7aedafd724de96532b00fbc6c7c370e4609

        SHA256

        ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

        SHA512

        c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

        Download Submit

      • \Windows\Installer\MSIC110.tmp
        Filesize

        380KB

        MD5

        3eb31b9a689d506f3b1d3738d28ab640

        SHA1

        1681fe3bbdcbe617a034b092ea77249dd4c3e986

        SHA256

        3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

        SHA512

        2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

        Download Submit