Analysis
- max time kernel: 52s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/10/2024, 22:54
Static task: static1
Behavioral task: behavioral1
- Sample: 153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
- Resource: win10v2004-20240802-en
Errors
General
- Target: 153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
- Size: 2.3MB
- MD5: 153747a1dcd8b744c9786f816ce619a6
- SHA1: 284f23673721cb8c47afe3b386d4c84b8ebd04de
- SHA256: 7e137d2a5b6bd0ebfcc9116d84e9102065def969adbebf550befb7f333d70b22
- SHA512: 5ff7d556553cb51cd5b860cec392f1282825f74b6829b6d13ac3c48bacc86145a857146c5d222b6b6e95771558bfe7c13a1739ab0bef5a6a127b27de21ceda02
- SSDEEP: 49152:vBeroYyZ61blZlQBBpdUKF21E1bMCIBODxkALgJo2rL4Mixs7bToxth:XYyZeOBBpdUaMC9EJXJ4skxD
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\DRIVERS\ccflpyds.sys | MSI44E0.tmp
- Sets service image path in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\flpydisk\ImagePath = "System32\\DRIVERS\\ccflpyds.sys" | MSI44E0.tmp
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\flpydisk\ImagePath = "System32\\DRIVERS\\ccflpyds.sys" | MSI44E0.tmp
- YARA rule match
  resource | yara_rule
  behavioral1/files/0x00090000000192f0-55.dat | aspack_v212_v242
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
- Drops file in Program Files directory (16 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Dmm1.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\DeMake.exe | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Medium.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Perkdm.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Seprd.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\demo\YourApplication.exe | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\DeMake.exe.manifest | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\License.txt | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Sndmm1.dac | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\ReadMe.txt | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\ContraCopy.hlp | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Pr32.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\ContraCopy.GID | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\Psdmm.dac | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\demo\Acc_de.dll | msiexec.exe
  File created | C:\Program Files (x86)\Alkonost ContraCopy\_sysinfo.txt | msiexec.exe
- Drops file in Windows directory (19 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\f77430a.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\Installer\f774309.msi | msiexec.exe
  File created | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut1_DB29299132FF4058844636FBAC096BE1.exe | msiexec.exe
  File created | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut2_DB29299132FF4058844636FBAC096BE1.exe | msiexec.exe
  File created | C:\Windows\Installer\f77430c.msi | msiexec.exe
  File created | C:\Windows\Installer\f77430a.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI43B4.tmp | msiexec.exe
  File created | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut3_DB29299132FF4058844636FBAC096BE1.hlp | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
  File opened for modification | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut2_DB29299132FF4058844636FBAC096BE1.exe | msiexec.exe
  File opened for modification | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut3_DB29299132FF4058844636FBAC096BE1.hlp | msiexec.exe
  File opened for modification | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut1_DB29299132FF4058844636FBAC096BE1.exe | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI44E0.tmp | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File created | C:\Windows\Installer\f774309.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\ARPPRODUCTICON.exe | msiexec.exe
  File opened for modification | C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\ARPPRODUCTICON.exe | msiexec.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2020 | MSI44E0.tmp
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2536 | msiexec.exe
- Modifies data under HKEY_USERS (46 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
- Modifies registry class (24 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Clients = 3a0000000000 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\AdvertiseFlags = "388" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\ProductIcon = "C:\\Windows\\Installer\\{DB292991-32FF-4058-8446-36FBAC096BE1}\\ARPPRODUCTICON.exe" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Assignment = "1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C6B675DA3214A0E41804AAFF6020B5C1\199292BDFF238504486463BFCA90B61E | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\PackageName = "153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\199292BDFF238504486463BFCA90B61E\Alkonost_ContraCopy_Dem | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\PackageCode = "B229F6E698D541E46B5220B4E0AA9B31" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Version = "50331648" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\199292BDFF238504486463BFCA90B61E | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\ProductName = "Alkonost ContraCopy" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C6B675DA3214A0E41804AAFF6020B5C1 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media\1 = "DISK1;1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\InstanceType = "0" | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2356 | msiexec.exe
  2356 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; consecutive identical rows collapsed with a count)
  description | pid | Process
  Token: SeShutdownPrivilege | 2536 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2356 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2356 | msiexec.exe
  Token: SeSecurityPrivilege | 2356 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2536 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2536 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2536 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2536 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2536 | msiexec.exe
  Token: SeTcbPrivilege | 2536 | msiexec.exe
  Token: SeSecurityPrivilege | 2536 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2536 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2536 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2536 | msiexec.exe
  Token: SeSystemtimePrivilege | 2536 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2536 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2536 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2536 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2536 | msiexec.exe
  Token: SeBackupPrivilege | 2536 | msiexec.exe
  Token: SeRestorePrivilege | 2536 | msiexec.exe
  Token: SeShutdownPrivilege | 2536 | msiexec.exe
  Token: SeDebugPrivilege | 2536 | msiexec.exe
  Token: SeAuditPrivilege | 2536 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2536 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2536 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2536 | msiexec.exe
  Token: SeUndockPrivilege | 2536 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2536 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2536 | msiexec.exe
  Token: SeManageVolumePrivilege | 2536 | msiexec.exe
  Token: SeImpersonatePrivilege | 2536 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2536 | msiexec.exe
  Token: SeBackupPrivilege | 2812 | vssvc.exe
  Token: SeRestorePrivilege | 2812 | vssvc.exe
  Token: SeAuditPrivilege | 2812 | vssvc.exe
  Token: SeBackupPrivilege | 2356 | msiexec.exe
  Token: SeRestorePrivilege | 2356 | msiexec.exe
  Token: SeRestorePrivilege | 2732 | DrvInst.exe (x7)
  Token: SeLoadDriverPrivilege | 2732 | DrvInst.exe (x3)
  Token: SeRestorePrivilege / SeTakeOwnershipPrivilege, alternating | 2356 | msiexec.exe (x15: 8 SeRestorePrivilege, 7 SeTakeOwnershipPrivilege)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2536 | msiexec.exe
  2536 | msiexec.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2356 wrote to memory of 2020 | 2356 | msiexec.exe | 35 (x4)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2536)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2356)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Installer\MSI44E0.tmp (PID 2020)
    Command line: "C:\Windows\Installer\MSI44E0.tmp" inst
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
- C:\Windows\system32\vssvc.exe (PID 2812)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2732)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E4" "00000000000003A8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 640)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 1772)
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Downloads
- Filesize: 11KB
  MD5: 3fbe01dfed882ff9c253625d9b5488e5
  SHA1: f3d43ec1e1d3f43ad11542d7e0150604a3b78d47
  SHA256: 98ee59d2fd2b1549e49e57de8e95f808378400a95f9be22712c12340afaa33e3
  SHA512: 4fde1b6ca58f08ad520dcf8332c05351deed0e2f2a6b157fa47815ce0044219b650bf9365b091fc2fe8e75cd341c6b5c327466023af8733b6f4a09ac1209b590
- Filesize: 39KB
  MD5: 7fc3802f8432044400b55c94f4f36dbc
  SHA1: c35fc5465051a13c1f8423b6a23f860241fd2d08
  SHA256: e2e7c49a68c490885841e6e39c80baf9b63ce1cad7ef67e3b4bb73a20ad88cdf
  SHA512: 4bc821ee545507d2181470b0aaff6bde36826466d9bb4639f387659164ad7ba3e6191805fabbbb32be5d4cc737070d495e528cc8fc66869f24cfb858e6c57c61
- Filesize: 2.3MB
  MD5: 153747a1dcd8b744c9786f816ce619a6
  SHA1: 284f23673721cb8c47afe3b386d4c84b8ebd04de
  SHA256: 7e137d2a5b6bd0ebfcc9116d84e9102065def969adbebf550befb7f333d70b22
  SHA512: 5ff7d556553cb51cd5b860cec392f1282825f74b6829b6d13ac3c48bacc86145a857146c5d222b6b6e95771558bfe7c13a1739ab0bef5a6a127b27de21ceda02