Overview

overview

10

Static

static

10

f6c6b4d83c...18.msi

windows7-x64

6

f6c6b4d83c...18.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6c6b4d83cfffbfea44b65d4315d05c0_JaffaCakes118.msi

  • Size

    384KB

  • MD5

    f6c6b4d83cfffbfea44b65d4315d05c0

  • SHA1

    acefb1b80fd058488207cb3898ce61c37ddcc808

  • SHA256

    f41313345680edbd1bf0666e8233ba0436a13ecf6c3ab98606580099748b415b

  • SHA512

    b8864d3e6d505eac17403e330f3cfbde648bcc4cda07d5fc5f3c1af8ff66a2f7c2601e8e422eb171f3117494644fc54362156891b313d406ffb5c153091c5fa8

  • SSDEEP

    6144:BbZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+Wk:BbZNNNzbCClCA+jp02GmWhJnav5jUX

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f6c6b4d83cfffbfea44b65d4315d05c0_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2908
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2812
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000023C" "00000000000003CC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f769291.rbs
    Filesize

    7KB

    MD5

    7ef4101c851cdf4275afc357b4130088

    SHA1

    24372674634c497e1b0cf2aa3da9bac56ae967d9

    SHA256

    ce53c6d95a4aefb710ae1c956c928823522fc5f6c8505e1f98815638acc5185d

    SHA512

    2c754f8cfe076b83d3d9fd7062f2f0c1a212061b1275fc29f607e404b20484bafbda4da3acff5591547345369e8cd88a98b0300ec985f56cda52ea47a114f015

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    efa51790d46f72325d4760ebbff67cb1

    SHA1

    ad3dc6ca0fa7f4f72f5e39bd05457655fa157e09

    SHA256

    08ce2672deceb1937f969710f18fe7f961cbf4c179be2752cef0ab871bff5b8c

    SHA512

    c9c912851186c128324fa32844fdd16addee3a24b347a48e27e12c14257f2b808729774ed9793d0d4dfbdf5cdd12aae8623da40400071018ddd1c13713240c61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab92BE.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit