Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/09/2024, 16:48

General

  • Target

    fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi

  • Size

    384KB

  • MD5

    fcbab66716f2764ec763283a31aea632

  • SHA1

    2a915e1b9dbd6976bebdc91eede18e2150964440

  • SHA256

    1cd7639b91bf66a497cf80433f9b30b559dde4062ee9206a7018166ff87ffb97

  • SHA512

    c98a10257f7c39b2011f6d513f574f49a8ae902e38759ccb522c228619fc82f157669690c97e64151fc419b7a4112655943fb7b727a3e503e68094eaba2c9483

  • SSDEEP

    6144:BESymvXBLL/nA9w7l/Fqn7UqGg1d8WZbxTB:BESd9Lhl/Fqn7XG+vXTB

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 62 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\Installer\MSI7226.tmp
      "C:\Windows\Installer\MSI7226.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2576
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "000000000000052C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2792

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\f76712e.rbs

    Filesize

    663B

    MD5

    8f290a1abf56d1c2994527b524921fcf

    SHA1

    3e51edbd838cf9fcb4a700b6441175b75e8dc0d3

    SHA256

    44c7c56abafb4bb1cfd7b99f0bcdc74c5c5f29e610d4d5581a66b67115ab24ac

    SHA512

    5513dd907d141d4678841da31edf45c8c048ae254367ddf32de33cfcb9091fb2dda32a300c827883b5829c9850cd632727298e3508f62d6771ddafbe32a67a4f

  • C:\Windows\Installer\MSI7226.tmp

    Filesize

    357KB

    MD5

    f8739e104580fdda6302c7d4022d0613

    SHA1

    c19d4db77c4e10f829e6ca4798f75e22fd89a5b5

    SHA256

    8163f92c4b861cb6911e7629f48aa5f2a3a5fb794f64dc75c5796902733a71cb

    SHA512

    5d2f3dae9fa3b9750af8a16f953e738241f3e3a358514a7d98035a717ddd97523db71d528bba3381d158f677a9804e8c2127237032d0134439221de6b63ef404