Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/09/2024, 16:48
Static task
static1
Behavioral task
behavioral1
Sample
fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
Resource
win10v2004-20240802-en
General
-
Target
fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
-
Size
384KB
-
MD5
fcbab66716f2764ec763283a31aea632
-
SHA1
2a915e1b9dbd6976bebdc91eede18e2150964440
-
SHA256
1cd7639b91bf66a497cf80433f9b30b559dde4062ee9206a7018166ff87ffb97
-
SHA512
c98a10257f7c39b2011f6d513f574f49a8ae902e38759ccb522c228619fc82f157669690c97e64151fc419b7a4112655943fb7b727a3e503e68094eaba2c9483
-
SSDEEP
6144:BESymvXBLL/nA9w7l/Fqn7UqGg1d8WZbxTB:BESd9Lhl/Fqn7XG+vXTB
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI7226.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f76712d.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI71E5.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f76712a.msi msiexec.exe File opened for modification C:\Windows\Installer\f76712a.msi msiexec.exe File opened for modification C:\Windows\Installer\f76712d.ipi msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2612 MSI7226.tmp -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2416 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI7226.tmp -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2936 msiexec.exe 2936 msiexec.exe 2612 MSI7226.tmp 2612 MSI7226.tmp 2612 MSI7226.tmp -
Suspicious use of AdjustPrivilegeToken 62 IoCs
description pid Process Token: SeShutdownPrivilege 2416 msiexec.exe Token: SeIncreaseQuotaPrivilege 2416 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeSecurityPrivilege 2936 msiexec.exe Token: SeCreateTokenPrivilege 2416 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2416 msiexec.exe Token: SeLockMemoryPrivilege 2416 msiexec.exe Token: SeIncreaseQuotaPrivilege 2416 msiexec.exe Token: SeMachineAccountPrivilege 2416 msiexec.exe Token: SeTcbPrivilege 2416 msiexec.exe Token: SeSecurityPrivilege 2416 msiexec.exe Token: SeTakeOwnershipPrivilege 2416 msiexec.exe Token: SeLoadDriverPrivilege 2416 msiexec.exe Token: SeSystemProfilePrivilege 2416 msiexec.exe Token: SeSystemtimePrivilege 2416 msiexec.exe Token: SeProfSingleProcessPrivilege 2416 msiexec.exe Token: SeIncBasePriorityPrivilege 2416 msiexec.exe Token: SeCreatePagefilePrivilege 2416 msiexec.exe Token: SeCreatePermanentPrivilege 2416 msiexec.exe Token: SeBackupPrivilege 2416 msiexec.exe Token: SeRestorePrivilege 2416 msiexec.exe Token: SeShutdownPrivilege 2416 msiexec.exe Token: SeDebugPrivilege 2416 msiexec.exe Token: SeAuditPrivilege 2416 msiexec.exe Token: SeSystemEnvironmentPrivilege 2416 msiexec.exe Token: SeChangeNotifyPrivilege 2416 msiexec.exe Token: SeRemoteShutdownPrivilege 2416 msiexec.exe Token: SeUndockPrivilege 2416 msiexec.exe Token: SeSyncAgentPrivilege 2416 msiexec.exe Token: SeEnableDelegationPrivilege 2416 msiexec.exe Token: SeManageVolumePrivilege 2416 msiexec.exe Token: SeImpersonatePrivilege 2416 msiexec.exe Token: SeCreateGlobalPrivilege 2416 msiexec.exe Token: SeBackupPrivilege 2576 vssvc.exe Token: SeRestorePrivilege 2576 vssvc.exe Token: SeAuditPrivilege 2576 vssvc.exe Token: SeBackupPrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2792 DrvInst.exe Token: SeLoadDriverPrivilege 2792 DrvInst.exe Token: SeLoadDriverPrivilege 2792 DrvInst.exe Token: SeLoadDriverPrivilege 2792 DrvInst.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeDebugPrivilege 2612 MSI7226.tmp Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe Token: SeRestorePrivilege 2936 msiexec.exe Token: SeTakeOwnershipPrivilege 2936 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2416 msiexec.exe 2416 msiexec.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2612 2936 msiexec.exe 32 PID 2936 wrote to memory of 2612 2936 msiexec.exe 32 PID 2936 wrote to memory of 2612 2936 msiexec.exe 32 PID 2936 wrote to memory of 2612 2936 msiexec.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2416
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\Installer\MSI7226.tmp"C:\Windows\Installer\MSI7226.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "000000000000052C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
663B
MD58f290a1abf56d1c2994527b524921fcf
SHA13e51edbd838cf9fcb4a700b6441175b75e8dc0d3
SHA25644c7c56abafb4bb1cfd7b99f0bcdc74c5c5f29e610d4d5581a66b67115ab24ac
SHA5125513dd907d141d4678841da31edf45c8c048ae254367ddf32de33cfcb9091fb2dda32a300c827883b5829c9850cd632727298e3508f62d6771ddafbe32a67a4f
-
Filesize
357KB
MD5f8739e104580fdda6302c7d4022d0613
SHA1c19d4db77c4e10f829e6ca4798f75e22fd89a5b5
SHA2568163f92c4b861cb6911e7629f48aa5f2a3a5fb794f64dc75c5796902733a71cb
SHA5125d2f3dae9fa3b9750af8a16f953e738241f3e3a358514a7d98035a717ddd97523db71d528bba3381d158f677a9804e8c2127237032d0134439221de6b63ef404