1cd7639b91bf66a497cf80433f9b30b559dde4062ee9206a7018166ff87ffb97

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
Size

384KB
MD5

fcbab66716f2764ec763283a31aea632
SHA1

2a915e1b9dbd6976bebdc91eede18e2150964440
SHA256

1cd7639b91bf66a497cf80433f9b30b559dde4062ee9206a7018166ff87ffb97
SHA512

c98a10257f7c39b2011f6d513f574f49a8ae902e38759ccb522c228619fc82f157669690c97e64151fc419b7a4112655943fb7b727a3e503e68094eaba2c9483
SSDEEP

6144:BESymvXBLL/nA9w7l/Fqn7UqGg1d8WZbxTB:BESd9Lhl/Fqn7XG+vXTB

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e584a81.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584a81.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BEA.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	MSI4BEA.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3124	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI4BEA.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
112	msiexec.exe
112	msiexec.exe
3676	MSI4BEA.tmp
3676	MSI4BEA.tmp
3676	MSI4BEA.tmp
3676	MSI4BEA.tmp
3676	MSI4BEA.tmp
3676	MSI4BEA.tmp

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3124	msiexec.exe
Token: SeSecurityPrivilege	112	msiexec.exe
Token: SeCreateTokenPrivilege	3124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3124	msiexec.exe
Token: SeLockMemoryPrivilege	3124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3124	msiexec.exe
Token: SeMachineAccountPrivilege	3124	msiexec.exe
Token: SeTcbPrivilege	3124	msiexec.exe
Token: SeSecurityPrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeLoadDriverPrivilege	3124	msiexec.exe
Token: SeSystemProfilePrivilege	3124	msiexec.exe
Token: SeSystemtimePrivilege	3124	msiexec.exe
Token: SeProfSingleProcessPrivilege	3124	msiexec.exe
Token: SeIncBasePriorityPrivilege	3124	msiexec.exe
Token: SeCreatePagefilePrivilege	3124	msiexec.exe
Token: SeCreatePermanentPrivilege	3124	msiexec.exe
Token: SeBackupPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeShutdownPrivilege	3124	msiexec.exe
Token: SeDebugPrivilege	3124	msiexec.exe
Token: SeAuditPrivilege	3124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3124	msiexec.exe
Token: SeChangeNotifyPrivilege	3124	msiexec.exe
Token: SeRemoteShutdownPrivilege	3124	msiexec.exe
Token: SeUndockPrivilege	3124	msiexec.exe
Token: SeSyncAgentPrivilege	3124	msiexec.exe
Token: SeEnableDelegationPrivilege	3124	msiexec.exe
Token: SeManageVolumePrivilege	3124	msiexec.exe
Token: SeImpersonatePrivilege	3124	msiexec.exe
Token: SeCreateGlobalPrivilege	3124	msiexec.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeDebugPrivilege	3676	MSI4BEA.tmp
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeRestorePrivilege	112	msiexec.exe
Token: SeTakeOwnershipPrivilege	112	msiexec.exe
Token: SeBackupPrivilege	3004	srtasks.exe
Token: SeRestorePrivilege	3004	srtasks.exe
Token: SeSecurityPrivilege	3004	srtasks.exe
Token: SeTakeOwnershipPrivilege	3004	srtasks.exe
Token: SeBackupPrivilege	3004	srtasks.exe
Token: SeRestorePrivilege	3004	srtasks.exe
Token: SeSecurityPrivilege	3004	srtasks.exe
Token: SeTakeOwnershipPrivilege	3004	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3124	msiexec.exe
3124	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 3004	112	msiexec.exe	102
PID 112 wrote to memory of 3004	112	msiexec.exe	102
PID 112 wrote to memory of 3676	112	msiexec.exe	104
PID 112 wrote to memory of 3676	112	msiexec.exe	104
PID 112 wrote to memory of 3676	112	msiexec.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fcbab66716f2764ec763283a31aea632_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\Installer\MSI4BEA.tmp
  "C:\Windows\Installer\MSI4BEA.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584a84.rbs

Filesize
663B

MD5
e788c42dd57065fdf806d3f5093e398e

SHA1
c6d27fbba588e40c43921091db2f778a72076479

SHA256
9ab3e4d750d29c4ee63ca6aa8faa9b186c448dd9b07f9e7d688efedf5d1353b8

SHA512
f243f4eae818e0fd1e763a3af5cca4e176b02d81333cc65b8ad3ecfaa8ef6b5ca1e8a1c690176c31afb08ccf6a7f16f566c327852b80901ca7c5a84f461d6af2

Download Submit
C:\Windows\Installer\MSI4BEA.tmp

Filesize
357KB

MD5
f8739e104580fdda6302c7d4022d0613

SHA1
c19d4db77c4e10f829e6ca4798f75e22fd89a5b5

SHA256
8163f92c4b861cb6911e7629f48aa5f2a3a5fb794f64dc75c5796902733a71cb

SHA512
5d2f3dae9fa3b9750af8a16f953e738241f3e3a358514a7d98035a717ddd97523db71d528bba3381d158f677a9804e8c2127237032d0134439221de6b63ef404

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
e232b95c43401d26d390a893c2821041

SHA1
041c71fd66b4526e08f1e7649fb70c79f95ba477

SHA256
1792a9378c6476ac593493e556b0585b4f5d22f1c913de014bb3b42763611615

SHA512
90d54bac76273b0b5067304129252b3c2cdaa829f1e8143f5804c5af75f8a1e3444652836bdb4ae041b7e62f8f6370522cf657fe2bc0f7d2442cb70a6446d2f4

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0402b5e0-635c-457e-a7cb-0e7468e36e7b}_OnDiskSnapshotProp

Filesize
6KB

MD5
f4e103c47ce004044f2988ac6a415bb7

SHA1
c2adbff245267aecd06b0344f7dcaf1f4c30a87a

SHA256
37e1061831a704574b37e8af8e0982df938c22b19bb2fba64191d5eed9001fdf

SHA512
12737c4e16cfaabc1e6c54b635e74aadb1b7c14e2e2948dbb9878f3fa2e641ceef1c4fcac8344a244ad5e000bcd09d987be6b734804c7f42cb70c9f232eb77f6

Download Submit