7e137d2a5b6bd0ebfcc9116d84e9102065def969adbebf550befb7f333d70b22

Analysis

max time kernel
59s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 22:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
Size

2.3MB
MD5

153747a1dcd8b744c9786f816ce619a6
SHA1

284f23673721cb8c47afe3b386d4c84b8ebd04de
SHA256

7e137d2a5b6bd0ebfcc9116d84e9102065def969adbebf550befb7f333d70b22
SHA512

5ff7d556553cb51cd5b860cec392f1282825f74b6829b6d13ac3c48bacc86145a857146c5d222b6b6e95771558bfe7c13a1739ab0bef5a6a127b27de21ceda02
SSDEEP

49152:vBeroYyZ61blZlQBBpdUKF21E1bMCIBODxkALgJo2rL4Mixs7bToxth:XYyZeOBBpdUaMC9EJXJ4skxD

Score

8^/10

aspackv2 discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DRIVERS\ccflpyds.sys	MSI3FCF.tmp

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\flpydisk\ImagePath = "System32\\DRIVERS\\ccflpyds.sys"	MSI3FCF.tmp

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a00000002362c-55.dat	aspack_v212_v242

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Alkonost ContraCopy\Sndmm1.dac	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\demo\Acc_de.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\demo\YourApplication.exe	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\ContraCopy.GID	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\License.txt	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Pr32.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Seprd.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\_sysinfo.txt	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\ContraCopy.hlp	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Perkdm.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Dmm1.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Medium.dll	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\Psdmm.dac	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\DeMake.exe	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\DeMake.exe.manifest	msiexec.exe
File created	C:\Program Files (x86)\Alkonost ContraCopy\ReadMe.txt	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e59384c.msi	msiexec.exe
File created	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut1_DB29299132FF4058844636FBAC096BE1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut1_DB29299132FF4058844636FBAC096BE1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut2_DB29299132FF4058844636FBAC096BE1.exe	msiexec.exe
File created	C:\Windows\Installer\e59384c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut3_DB29299132FF4058844636FBAC096BE1.hlp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DB292991-32FF-4058-8446-36FBAC096BE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3956.tmp	msiexec.exe
File created	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut2_DB29299132FF4058844636FBAC096BE1.exe	msiexec.exe
File created	C:\Windows\Installer\e59384e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB292991-32FF-4058-8446-36FBAC096BE1}\NewShortcut3_DB29299132FF4058844636FBAC096BE1.hlp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
780	MSI3FCF.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5744	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI3FCF.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\ProductIcon = "C:\\Windows\\Installer\\{DB292991-32FF-4058-8446-36FBAC096BE1}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\PackageName = "153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C6B675DA3214A0E41804AAFF6020B5C1\199292BDFF238504486463BFCA90B61E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\ProductName = "Alkonost ContraCopy"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\PackageCode = "B229F6E698D541E46B5220B4E0AA9B31"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Version = "50331648"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C6B675DA3214A0E41804AAFF6020B5C1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\199292BDFF238504486463BFCA90B61E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\199292BDFF238504486463BFCA90B61E\Alkonost_ContraCopy_Dem	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\199292BDFF238504486463BFCA90B61E\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	msiexec.exe
5048	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5744	msiexec.exe
Token: SeSecurityPrivilege	5048	msiexec.exe
Token: SeCreateTokenPrivilege	5744	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5744	msiexec.exe
Token: SeLockMemoryPrivilege	5744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5744	msiexec.exe
Token: SeMachineAccountPrivilege	5744	msiexec.exe
Token: SeTcbPrivilege	5744	msiexec.exe
Token: SeSecurityPrivilege	5744	msiexec.exe
Token: SeTakeOwnershipPrivilege	5744	msiexec.exe
Token: SeLoadDriverPrivilege	5744	msiexec.exe
Token: SeSystemProfilePrivilege	5744	msiexec.exe
Token: SeSystemtimePrivilege	5744	msiexec.exe
Token: SeProfSingleProcessPrivilege	5744	msiexec.exe
Token: SeIncBasePriorityPrivilege	5744	msiexec.exe
Token: SeCreatePagefilePrivilege	5744	msiexec.exe
Token: SeCreatePermanentPrivilege	5744	msiexec.exe
Token: SeBackupPrivilege	5744	msiexec.exe
Token: SeRestorePrivilege	5744	msiexec.exe
Token: SeShutdownPrivilege	5744	msiexec.exe
Token: SeDebugPrivilege	5744	msiexec.exe
Token: SeAuditPrivilege	5744	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5744	msiexec.exe
Token: SeChangeNotifyPrivilege	5744	msiexec.exe
Token: SeRemoteShutdownPrivilege	5744	msiexec.exe
Token: SeUndockPrivilege	5744	msiexec.exe
Token: SeSyncAgentPrivilege	5744	msiexec.exe
Token: SeEnableDelegationPrivilege	5744	msiexec.exe
Token: SeManageVolumePrivilege	5744	msiexec.exe
Token: SeImpersonatePrivilege	5744	msiexec.exe
Token: SeCreateGlobalPrivilege	5744	msiexec.exe
Token: SeBackupPrivilege	5144	vssvc.exe
Token: SeRestorePrivilege	5144	vssvc.exe
Token: SeAuditPrivilege	5144	vssvc.exe
Token: SeBackupPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeBackupPrivilege	1364	srtasks.exe
Token: SeRestorePrivilege	1364	srtasks.exe
Token: SeSecurityPrivilege	1364	srtasks.exe
Token: SeTakeOwnershipPrivilege	1364	srtasks.exe
Token: SeBackupPrivilege	1364	srtasks.exe
Token: SeRestorePrivilege	1364	srtasks.exe
Token: SeSecurityPrivilege	1364	srtasks.exe
Token: SeTakeOwnershipPrivilege	1364	srtasks.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5744	msiexec.exe
5744	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	LogonUI.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1364	5048	msiexec.exe	104
PID 5048 wrote to memory of 1364	5048	msiexec.exe	104
PID 5048 wrote to memory of 780	5048	msiexec.exe	107
PID 5048 wrote to memory of 780	5048	msiexec.exe	107
PID 5048 wrote to memory of 780	5048	msiexec.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\153747a1dcd8b744c9786f816ce619a6_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\Installer\MSI3FCF.tmp
  "C:\Windows\Installer\MSI3FCF.tmp" inst
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
1⤵
PID:3840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3970055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59384d.rbs

Filesize
12KB

MD5
59c97fc4299a2794e17d9548ce190858

SHA1
de2079bcda62ed5318f0ad8d60709cfb112df8a7

SHA256
935df44288cf00906e62573be6b22eba7420c17e1dc13407e45bbd0b9fd26504

SHA512
d0c19e9308da73bc3b8950418ab6f822620c8427be3ef311863a32122f1c1c8048367dc5fa925ef218cd3bf533139f7f034e65354bad56bfb4369b77a0d28340

Download Submit
C:\Windows\Installer\MSI3FCF.tmp

Filesize
39KB

MD5
7fc3802f8432044400b55c94f4f36dbc

SHA1
c35fc5465051a13c1f8423b6a23f860241fd2d08

SHA256
e2e7c49a68c490885841e6e39c80baf9b63ce1cad7ef67e3b4bb73a20ad88cdf

SHA512
4bc821ee545507d2181470b0aaff6bde36826466d9bb4639f387659164ad7ba3e6191805fabbbb32be5d4cc737070d495e528cc8fc66869f24cfb858e6c57c61

Download Submit
C:\Windows\Installer\e59384c.msi

Filesize
2.3MB

MD5
153747a1dcd8b744c9786f816ce619a6

SHA1
284f23673721cb8c47afe3b386d4c84b8ebd04de

SHA256
7e137d2a5b6bd0ebfcc9116d84e9102065def969adbebf550befb7f333d70b22

SHA512
5ff7d556553cb51cd5b860cec392f1282825f74b6829b6d13ac3c48bacc86145a857146c5d222b6b6e95771558bfe7c13a1739ab0bef5a6a127b27de21ceda02

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
056410822002aa595a3970f1541cd007

SHA1
cf0eeccb2bd82f2d0f95bfb93ce5ffed2f9058cb

SHA256
8ded3cfae89e018bbcfba3e3ff99f472c08d603710b061e234d6c89e39a1b698

SHA512
4a7c8a6180f93ff71ae9e4acc239dc449af657a553efe248295fe53e5a566506433afd121bedda287bf171594e57f5c926d2b415c7a4c48ff1af520f7eef0f50

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{40e0329e-23c9-49cd-b91e-1551c7d483a4}_OnDiskSnapshotProp

Filesize
6KB

MD5
ae29085d6fc01f817858290af2f03478

SHA1
26f62c1d05442c815977339e574cb657d1052891

SHA256
a1cc81a146ea19cbd5a7a50908521c4584acd7e5cade8e4d1f14f36e24aa7510

SHA512
0a012c2899169836acbb493cad798e0f810ba717181a0a336493dde62015b4684671e31990c734aa4d0919c18d27330f942b842dd9c1886d84d74545f5a5b976

Download Submit
memory/780-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads