f41313345680edbd1bf0666e8233ba0436a13ecf6c3ab98606580099748b415b

General

Target

f6c6b4d83cfffbfea44b65d4315d05c0_JaffaCakes118.msi
Size

384KB
MD5

f6c6b4d83cfffbfea44b65d4315d05c0
SHA1

acefb1b80fd058488207cb3898ce61c37ddcc808
SHA256

f41313345680edbd1bf0666e8233ba0436a13ecf6c3ab98606580099748b415b
SHA512

b8864d3e6d505eac17403e330f3cfbde648bcc4cda07d5fc5f3c1af8ff66a2f7c2601e8e422eb171f3117494644fc54362156891b313d406ffb5c153091c5fa8
SSDEEP

6144:BbZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+Wk:BbZNNNzbCClCA+jp02GmWhJnav5jUX

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

4 524 msiexec.exe

flow	pid	process
4	524	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSID13A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d042.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d040.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ARPIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ARPIcon	msiexec.exe
File created	C:\Windows\Installer\e57d040.msi	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

524 msiexec.exe

pid	process
524	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AE2841C3D7016247914C7DE6E8A2CA5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AE2841C3D7016247914C7DE6E8A2CA5\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\PackageName = "f6c6b4d83cfffbfea44b65d4315d05c0_JaffaCakes118.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\ProductName = "Microsoft Silverlight"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\ProductIcon = "C:\\Windows\\Installer\\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\\ARPIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\AuthorizedLUAApp = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7314F9862C648A4DB8BE2A5B47BE100	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D7314F9862C648A4DB8BE2A5B47BE100\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\PackageCode = "FB66A8474BA24C8439AA68CE17006060"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media\DiskPrompt = "Microsoft's Silverlight Installation [1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\SourceList\Media\1 = ";1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1084 msiexec.exe
1084 msiexec.exe

pid	process
1084	msiexec.exe
1084	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	524	msiexec.exe
Token: SeSecurityPrivilege	1084	msiexec.exe
Token: SeCreateTokenPrivilege	524	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	524	msiexec.exe
Token: SeLockMemoryPrivilege	524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	524	msiexec.exe
Token: SeMachineAccountPrivilege	524	msiexec.exe
Token: SeTcbPrivilege	524	msiexec.exe
Token: SeSecurityPrivilege	524	msiexec.exe
Token: SeTakeOwnershipPrivilege	524	msiexec.exe
Token: SeLoadDriverPrivilege	524	msiexec.exe
Token: SeSystemProfilePrivilege	524	msiexec.exe
Token: SeSystemtimePrivilege	524	msiexec.exe
Token: SeProfSingleProcessPrivilege	524	msiexec.exe
Token: SeIncBasePriorityPrivilege	524	msiexec.exe
Token: SeCreatePagefilePrivilege	524	msiexec.exe
Token: SeCreatePermanentPrivilege	524	msiexec.exe
Token: SeBackupPrivilege	524	msiexec.exe
Token: SeRestorePrivilege	524	msiexec.exe
Token: SeShutdownPrivilege	524	msiexec.exe
Token: SeDebugPrivilege	524	msiexec.exe
Token: SeAuditPrivilege	524	msiexec.exe
Token: SeSystemEnvironmentPrivilege	524	msiexec.exe
Token: SeChangeNotifyPrivilege	524	msiexec.exe
Token: SeRemoteShutdownPrivilege	524	msiexec.exe
Token: SeUndockPrivilege	524	msiexec.exe
Token: SeSyncAgentPrivilege	524	msiexec.exe
Token: SeEnableDelegationPrivilege	524	msiexec.exe
Token: SeManageVolumePrivilege	524	msiexec.exe
Token: SeImpersonatePrivilege	524	msiexec.exe
Token: SeCreateGlobalPrivilege	524	msiexec.exe
Token: SeBackupPrivilege	2544	vssvc.exe
Token: SeRestorePrivilege	2544	vssvc.exe
Token: SeAuditPrivilege	2544	vssvc.exe
Token: SeBackupPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe
Token: SeTakeOwnershipPrivilege	1084	msiexec.exe
Token: SeRestorePrivilege	1084	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

524 msiexec.exe
524 msiexec.exe

pid	process
524	msiexec.exe
524	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1084 wrote to memory of 2688	1084	msiexec.exe	srtasks.exe
PID 1084 wrote to memory of 2688	1084	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f6c6b4d83cfffbfea44b65d4315d05c0_JaffaCakes118.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d041.rbs

Filesize
7KB

MD5
116b5c6e9ec222226c39b3255ab11548

SHA1
aec4457c3ec353db528f943cfe7f4a0d608bd835

SHA256
eb2a4aad7092a62ae7b89df476e276697dc7a6c48df388556692057fc5e9e3ed

SHA512
5334400be47813c3e91b337cb5ed667fbd9e547c0711841427597e80ea721a0139ce6cf44ad37af1d63588a8d4f4c18e679839b3a6ffcef1665f728e911bcea1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
6fbae55c455363c9109912cdbaf3d49d

SHA1
dc9410ed957e45bf3e0fdcaea8743f55edf46b4d

SHA256
09a1e03ec85962c7263efb405f318b1b71003ca78815537a48a65bcf9149fd69

SHA512
1bbe83387765b521de4e75908beb501b4b11ecc5b9d7866b31f0b6633f1479184eae097b3bb66ab481583f9a0c4f05dc36f0618f69490e172538fa41d1eebc87

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba9dddc5-d736-466c-b2ce-3e71a0d428cc}_OnDiskSnapshotProp

Filesize
6KB

MD5
581e49a5d388ee47d832cdc43f85c1f1

SHA1
fcf027e292258887c710c3da11d272d07972f2d4

SHA256
61dfb3ffb24d625c2193da61d946d7c7ca41472ff49577aba5713228708b9981

SHA512
e6d266f654f80f3bce8f0d7cbe80bb2843c700908600b81009c2a2183eb3f5eb005d472ebd1d8d0682c211512a793b147e997e0514ea62c0ff597593fbfa8932

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads