b4cb7a73c0b36c74df8b4cb6ee6a49e6963c803a31356514ca4b5f04e7610467

Analysis

max time kernel
39s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
Size

7.7MB
MD5

101aad3251f017f5420020c89af209a5
SHA1

7626756667b593f4783d7859f699b47b04482408
SHA256

b4cb7a73c0b36c74df8b4cb6ee6a49e6963c803a31356514ca4b5f04e7610467
SHA512

cb2958ddafb872d8a8054b2466be1ea32d78dcdd73d6d9ddf86a26ae15339d17c74e8ed216bf76cfdd005fc1e5fba90205ee32d452eeb9407b2268523d662826
SSDEEP

196608:EPPZsp+AQq71eNwYpNA5zv/ihur3gIfW+mfGiSbk2q97djMY:EPPZspjJZYpNGzv/KA3gI+Dft97F5

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/488-20-0x0000000075440000-0x0000000075449000-memory.dmp	acprotect
behavioral1/files/0x0008000000018b3e-18.dat	acprotect

Loads dropped DLL 4 IoCs

pid	Process
488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
2036	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\OMESupervisor = "C:\\Users\\Admin\\AppData\\Local\\omesuperv.exe"	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/488-20-0x0000000075440000-0x0000000075449000-memory.dmp	upx
behavioral1/files/0x0008000000018b3e-18.dat	upx

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\InstallTemp\20241003184224892.0\8.0.50727.4053.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\f781890.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DE7.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224721.0\vcomp.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184224721.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20AC.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224721.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224892.0\8.0.50727.4053.policy	msiexec.exe
File created	C:\Windows\Installer\f781890.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224783.0\8.0.50727.4053.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184223847.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184224892.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224721.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224783.0\8.0.50727.4053.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224861.0\8.0.50727.4053.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184224783.0	msiexec.exe
File created	C:\Windows\Installer\f781893.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\mfc80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184224409.0	msiexec.exe
File opened for modification	C:\Windows\Installer\f781893.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80FRA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224861.0\8.0.50727.4053.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184223847.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\mfc80KOR.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241003184224861.0	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241003184224409.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c.manifest	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1076	msiexec.exe
1076	msiexec.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	600	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeSecurityPrivilege	1076	msiexec.exe
Token: SeCreateTokenPrivilege	600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	600	msiexec.exe
Token: SeLockMemoryPrivilege	600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	600	msiexec.exe
Token: SeMachineAccountPrivilege	600	msiexec.exe
Token: SeTcbPrivilege	600	msiexec.exe
Token: SeSecurityPrivilege	600	msiexec.exe
Token: SeTakeOwnershipPrivilege	600	msiexec.exe
Token: SeLoadDriverPrivilege	600	msiexec.exe
Token: SeSystemProfilePrivilege	600	msiexec.exe
Token: SeSystemtimePrivilege	600	msiexec.exe
Token: SeProfSingleProcessPrivilege	600	msiexec.exe
Token: SeIncBasePriorityPrivilege	600	msiexec.exe
Token: SeCreatePagefilePrivilege	600	msiexec.exe
Token: SeCreatePermanentPrivilege	600	msiexec.exe
Token: SeBackupPrivilege	600	msiexec.exe
Token: SeRestorePrivilege	600	msiexec.exe
Token: SeShutdownPrivilege	600	msiexec.exe
Token: SeDebugPrivilege	600	msiexec.exe
Token: SeAuditPrivilege	600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	600	msiexec.exe
Token: SeChangeNotifyPrivilege	600	msiexec.exe
Token: SeRemoteShutdownPrivilege	600	msiexec.exe
Token: SeUndockPrivilege	600	msiexec.exe
Token: SeSyncAgentPrivilege	600	msiexec.exe
Token: SeEnableDelegationPrivilege	600	msiexec.exe
Token: SeManageVolumePrivilege	600	msiexec.exe
Token: SeImpersonatePrivilege	600	msiexec.exe
Token: SeCreateGlobalPrivilege	600	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe
Token: SeRestorePrivilege	1076	msiexec.exe
Token: SeTakeOwnershipPrivilege	1076	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 488 wrote to memory of 600	488	101aad3251f017f5420020c89af209a5_JaffaCakes118.exe	29
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31
PID 1076 wrote to memory of 2036	1076	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\101aad3251f017f5420020c89af209a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\101aad3251f017f5420020c89af209a5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:488
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\nsjFCE7.tmp\vcredist.msi" /qn
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C117DF5E3152DC03F820D0566E240027
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjFCE7.tmp\vcredist.msi

Filesize
2.6MB

MD5
f194e681c552647c95441877b5552415

SHA1
285c6b1dbbc2d1525c9b1c276a4901b98d49b202

SHA256
6d4f42d5856384c2566ed79bdc587993208013640b035b04540de9f05ee597d6

SHA512
8ed21ce7829a1cb6c2dd4eff2e3701171aeba5b7e4337eaf0ddff86ea3fda812198a2e3fb4f1873b129944bdc8ddb09ebbd78e5c2b9811900cb853ef2afdab8c

Download Submit
C:\Windows\Installer\MSI20AC.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFCE7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFCE7.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjFCE7.tmp\nsRichEdit.dll

Filesize
5KB

MD5
02f1858b3131ffc3fc5e3a5391d3a489

SHA1
454a6d749cf55ff990bd9f57941aca9d1f1674f6

SHA256
f00bd6d3e7c7b8e8ad18b7dc6275fb80cc720fb164200a6506f50f6e66998b12

SHA512
8147fa8014a5065f4fed7de1fbb9c2ee2c1b94d63596f7bbcf6821ecd41a73d25ebdfa1e71ca74d7598cba063042b6dfcaf050a23d0c855a7b6fbc94147ab41b

Download Submit
memory/488-20-0x0000000075440000-0x0000000075449000-memory.dmp

Filesize
36KB

Download