e41752b808ff4601a55185dd6ba7c01ba61c19b9074e80516c53f84a9ee71626

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff15f7bdd60c963776b7db29730c223e_JaffaCakes118.msi
Size

2.7MB
MD5

ff15f7bdd60c963776b7db29730c223e
SHA1

70bdfbad5501d2fc7a62ab15c91640e5cedf11be
SHA256

e41752b808ff4601a55185dd6ba7c01ba61c19b9074e80516c53f84a9ee71626
SHA512

ea57abe9f0e288ed887db1c9940a868a7f33eee4aa72a8b0ff303a222e0c447f6f02f7c4bf21672bf5c4b2672ad28fb7d8ea8ca2e4b23ba4d30fc094c11f768c
SSDEEP

49152:abHZBWVR9qVfMV6s0m2it3xHMAB6HTX3hoDej1MSKDy1NJ2nvX++VuCiPaL:2U50LinsWYNoDU6Dy1NJ2nvOAL

Score

7^/10

aspackv2 discovery persistence privilege_escalation

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002342f-4.dat	aspack_v212_v242
behavioral2/files/0x000a00000002342f-23.dat	aspack_v212_v242

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88FB.tmp	msiexec.exe
File created	C:\Windows\Installer\e578608.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8666.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI885E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e578608.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI881F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\winupdate64.log	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\sysupdate.log	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2484	MsiExec.exe
2484	MsiExec.exe
2484	MsiExec.exe
2484	MsiExec.exe
2484	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5064	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	msiexec.exe
4492	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	4492	msiexec.exe
Token: SeCreateTokenPrivilege	5064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5064	msiexec.exe
Token: SeLockMemoryPrivilege	5064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5064	msiexec.exe
Token: SeMachineAccountPrivilege	5064	msiexec.exe
Token: SeTcbPrivilege	5064	msiexec.exe
Token: SeSecurityPrivilege	5064	msiexec.exe
Token: SeTakeOwnershipPrivilege	5064	msiexec.exe
Token: SeLoadDriverPrivilege	5064	msiexec.exe
Token: SeSystemProfilePrivilege	5064	msiexec.exe
Token: SeSystemtimePrivilege	5064	msiexec.exe
Token: SeProfSingleProcessPrivilege	5064	msiexec.exe
Token: SeIncBasePriorityPrivilege	5064	msiexec.exe
Token: SeCreatePagefilePrivilege	5064	msiexec.exe
Token: SeCreatePermanentPrivilege	5064	msiexec.exe
Token: SeBackupPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	5064	msiexec.exe
Token: SeShutdownPrivilege	5064	msiexec.exe
Token: SeDebugPrivilege	5064	msiexec.exe
Token: SeAuditPrivilege	5064	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5064	msiexec.exe
Token: SeChangeNotifyPrivilege	5064	msiexec.exe
Token: SeRemoteShutdownPrivilege	5064	msiexec.exe
Token: SeUndockPrivilege	5064	msiexec.exe
Token: SeSyncAgentPrivilege	5064	msiexec.exe
Token: SeEnableDelegationPrivilege	5064	msiexec.exe
Token: SeManageVolumePrivilege	5064	msiexec.exe
Token: SeImpersonatePrivilege	5064	msiexec.exe
Token: SeCreateGlobalPrivilege	5064	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5064	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2484	4492	msiexec.exe	84
PID 4492 wrote to memory of 2484	4492	msiexec.exe	84
PID 4492 wrote to memory of 2484	4492	msiexec.exe	84
PID 4492 wrote to memory of 4300	4492	msiexec.exe	85
PID 4492 wrote to memory of 4300	4492	msiexec.exe	85
PID 4492 wrote to memory of 4300	4492	msiexec.exe	85
PID 4300 wrote to memory of 3588	4300	MsiExec.exe	86
PID 4300 wrote to memory of 3588	4300	MsiExec.exe	86
PID 4300 wrote to memory of 3588	4300	MsiExec.exe	86
PID 4300 wrote to memory of 5000	4300	MsiExec.exe	88
PID 4300 wrote to memory of 5000	4300	MsiExec.exe	88
PID 4300 wrote to memory of 5000	4300	MsiExec.exe	88
PID 4300 wrote to memory of 4084	4300	MsiExec.exe	90
PID 4300 wrote to memory of 4084	4300	MsiExec.exe	90
PID 4300 wrote to memory of 4084	4300	MsiExec.exe	90
PID 4300 wrote to memory of 1712	4300	MsiExec.exe	92
PID 4300 wrote to memory of 1712	4300	MsiExec.exe	92
PID 4300 wrote to memory of 1712	4300	MsiExec.exe	92
PID 4300 wrote to memory of 4104	4300	MsiExec.exe	94
PID 4300 wrote to memory of 4104	4300	MsiExec.exe	94
PID 4300 wrote to memory of 4104	4300	MsiExec.exe	94
PID 4300 wrote to memory of 2332	4300	MsiExec.exe	96
PID 4300 wrote to memory of 2332	4300	MsiExec.exe	96
PID 4300 wrote to memory of 2332	4300	MsiExec.exe	96
PID 4300 wrote to memory of 2272	4300	MsiExec.exe	98
PID 4300 wrote to memory of 2272	4300	MsiExec.exe	98
PID 4300 wrote to memory of 2272	4300	MsiExec.exe	98
PID 4300 wrote to memory of 2112	4300	MsiExec.exe	100
PID 4300 wrote to memory of 2112	4300	MsiExec.exe	100
PID 4300 wrote to memory of 2112	4300	MsiExec.exe	100
PID 4300 wrote to memory of 4936	4300	MsiExec.exe	102
PID 4300 wrote to memory of 4936	4300	MsiExec.exe	102
PID 4300 wrote to memory of 4936	4300	MsiExec.exe	102
PID 4300 wrote to memory of 3928	4300	MsiExec.exe	104
PID 4300 wrote to memory of 3928	4300	MsiExec.exe	104
PID 4300 wrote to memory of 3928	4300	MsiExec.exe	104
PID 4300 wrote to memory of 3692	4300	MsiExec.exe	106
PID 4300 wrote to memory of 3692	4300	MsiExec.exe	106
PID 4300 wrote to memory of 3692	4300	MsiExec.exe	106
PID 4300 wrote to memory of 4576	4300	MsiExec.exe	108
PID 4300 wrote to memory of 4576	4300	MsiExec.exe	108
PID 4300 wrote to memory of 4576	4300	MsiExec.exe	108
PID 4300 wrote to memory of 392	4300	MsiExec.exe	110
PID 4300 wrote to memory of 392	4300	MsiExec.exe	110
PID 4300 wrote to memory of 392	4300	MsiExec.exe	110
PID 4300 wrote to memory of 5104	4300	MsiExec.exe	112
PID 4300 wrote to memory of 5104	4300	MsiExec.exe	112
PID 4300 wrote to memory of 5104	4300	MsiExec.exe	112
PID 4300 wrote to memory of 4636	4300	MsiExec.exe	114
PID 4300 wrote to memory of 4636	4300	MsiExec.exe	114
PID 4300 wrote to memory of 4636	4300	MsiExec.exe	114
PID 4300 wrote to memory of 4568	4300	MsiExec.exe	116
PID 4300 wrote to memory of 4568	4300	MsiExec.exe	116
PID 4300 wrote to memory of 4568	4300	MsiExec.exe	116
PID 4300 wrote to memory of 2444	4300	MsiExec.exe	120
PID 4300 wrote to memory of 2444	4300	MsiExec.exe	120
PID 4300 wrote to memory of 2444	4300	MsiExec.exe	120
PID 4300 wrote to memory of 4660	4300	MsiExec.exe	122
PID 4300 wrote to memory of 4660	4300	MsiExec.exe	122
PID 4300 wrote to memory of 4660	4300	MsiExec.exe	122
PID 4300 wrote to memory of 528	4300	MsiExec.exe	125
PID 4300 wrote to memory of 528	4300	MsiExec.exe	125
PID 4300 wrote to memory of 528	4300	MsiExec.exe	125
PID 4300 wrote to memory of 180	4300	MsiExec.exe	128

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff15f7bdd60c963776b7db29730c223e_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34C679902C8C6661E0AD742B02E75997
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B29E05D9EDF7140ABC2F3F746EE83BBA E Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5000
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4084
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4104
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4936
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=21 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3928
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:392
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:528
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:180
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:212
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57860b.rbs

Filesize
3KB

MD5
b05dbccedef761c422290e217982d170

SHA1
f0346b849903ced52a5f25afb4cf667468458f04

SHA256
6efad9039186898a06e3ec21d1b04a814fcf964816d3492de601e00df244e319

SHA512
f836271fadc5c792493540d4eb6731f847397dd86015c1dea1142e48673b35643ac395c9dbf759ac2e48ffff5e7fa3def25337f1d5038dc4026ecaab68b2d34d

Download Submit
C:\Windows\Installer\MSI8666.tmp

Filesize
227KB

MD5
86ae9ede65e1163d5f98d52c0c402c2f

SHA1
31e01227bc4225733dd593c19ab95d3e3708f8d4

SHA256
4dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee

SHA512
2c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a

Download Submit
C:\Windows\Installer\MSI881F.tmp

Filesize
288KB

MD5
c625553f92e25719a64f0ee9805e9a69

SHA1
e53066055bb35818b9fc1d9717f5a035b39139f1

SHA256
d62ba3fe050f85f818582acccaf49a499c6fcaed23a2b914c08626e8b8cf4286

SHA512
8e0875946f115166dc2a54d73f0d5cfdee3aa4d669bf86623e74b0363d1863c4fea18ba0ce2e3335fd4a9385924026f0dc11973ef4405502625ef8ecabe54273

Download Submit
memory/2484-8-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-19-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-20-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-7-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-25-0x0000000074F60000-0x0000000074FEA000-memory.dmp

Filesize
552KB

Download
memory/2484-27-0x0000000074F60000-0x0000000074FEA000-memory.dmp

Filesize
552KB

Download
memory/2484-26-0x0000000074F60000-0x0000000074FEA000-memory.dmp

Filesize
552KB

Download
memory/2484-33-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-32-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-34-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download
memory/2484-6-0x0000000074F80000-0x0000000074FE3000-memory.dmp

Filesize
396KB

Download