9ef1a9a29c0901cbc8868795668453e4b1dd4d16ab304dc785fb71d2c9c04d2f

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe
Size

747KB
MD5

37e60143fb437bbfb72aae1dd16a8d5c
SHA1

b4bd463885821e0accaf41b4a5a2788c25b73450
SHA256

9ef1a9a29c0901cbc8868795668453e4b1dd4d16ab304dc785fb71d2c9c04d2f
SHA512

90fc6a622d59dbefe97982e388b18985745a2ce21b23709503a1c9b4e1d62cefd3bc9d9feb240e9bc0a5955e72d428208eba35c63e265e5731d97fa273ecaa14
SSDEEP

12288:2zxveAzCm9a4hS5AzY7i1kcJDXqJQkc56J+gull+KCxwSxrO3:SmeCm9a4hUAzY7i+GXOw5mbulkxwCrQ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4064	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4980	msiexec.exe
Token: SeSecurityPrivilege	2280	msiexec.exe
Token: SeCreateTokenPrivilege	4980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4980	msiexec.exe
Token: SeLockMemoryPrivilege	4980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4980	msiexec.exe
Token: SeMachineAccountPrivilege	4980	msiexec.exe
Token: SeTcbPrivilege	4980	msiexec.exe
Token: SeSecurityPrivilege	4980	msiexec.exe
Token: SeTakeOwnershipPrivilege	4980	msiexec.exe
Token: SeLoadDriverPrivilege	4980	msiexec.exe
Token: SeSystemProfilePrivilege	4980	msiexec.exe
Token: SeSystemtimePrivilege	4980	msiexec.exe
Token: SeProfSingleProcessPrivilege	4980	msiexec.exe
Token: SeIncBasePriorityPrivilege	4980	msiexec.exe
Token: SeCreatePagefilePrivilege	4980	msiexec.exe
Token: SeCreatePermanentPrivilege	4980	msiexec.exe
Token: SeBackupPrivilege	4980	msiexec.exe
Token: SeRestorePrivilege	4980	msiexec.exe
Token: SeShutdownPrivilege	4980	msiexec.exe
Token: SeDebugPrivilege	4980	msiexec.exe
Token: SeAuditPrivilege	4980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4980	msiexec.exe
Token: SeChangeNotifyPrivilege	4980	msiexec.exe
Token: SeRemoteShutdownPrivilege	4980	msiexec.exe
Token: SeUndockPrivilege	4980	msiexec.exe
Token: SeSyncAgentPrivilege	4980	msiexec.exe
Token: SeEnableDelegationPrivilege	4980	msiexec.exe
Token: SeManageVolumePrivilege	4980	msiexec.exe
Token: SeImpersonatePrivilege	4980	msiexec.exe
Token: SeCreateGlobalPrivilege	4980	msiexec.exe
Token: SeCreateTokenPrivilege	4980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4980	msiexec.exe
Token: SeLockMemoryPrivilege	4980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4980	msiexec.exe
Token: SeMachineAccountPrivilege	4980	msiexec.exe
Token: SeTcbPrivilege	4980	msiexec.exe
Token: SeSecurityPrivilege	4980	msiexec.exe
Token: SeTakeOwnershipPrivilege	4980	msiexec.exe
Token: SeLoadDriverPrivilege	4980	msiexec.exe
Token: SeSystemProfilePrivilege	4980	msiexec.exe
Token: SeSystemtimePrivilege	4980	msiexec.exe
Token: SeProfSingleProcessPrivilege	4980	msiexec.exe
Token: SeIncBasePriorityPrivilege	4980	msiexec.exe
Token: SeCreatePagefilePrivilege	4980	msiexec.exe
Token: SeCreatePermanentPrivilege	4980	msiexec.exe
Token: SeBackupPrivilege	4980	msiexec.exe
Token: SeRestorePrivilege	4980	msiexec.exe
Token: SeShutdownPrivilege	4980	msiexec.exe
Token: SeDebugPrivilege	4980	msiexec.exe
Token: SeAuditPrivilege	4980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4980	msiexec.exe
Token: SeChangeNotifyPrivilege	4980	msiexec.exe
Token: SeRemoteShutdownPrivilege	4980	msiexec.exe
Token: SeUndockPrivilege	4980	msiexec.exe
Token: SeSyncAgentPrivilege	4980	msiexec.exe
Token: SeEnableDelegationPrivilege	4980	msiexec.exe
Token: SeManageVolumePrivilege	4980	msiexec.exe
Token: SeImpersonatePrivilege	4980	msiexec.exe
Token: SeCreateGlobalPrivilege	4980	msiexec.exe
Token: SeCreateTokenPrivilege	4980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4980	msiexec.exe
Token: SeLockMemoryPrivilege	4980	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4980	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4980	1684	37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe	85
PID 1684 wrote to memory of 4980	1684	37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe	85
PID 2280 wrote to memory of 4064	2280	msiexec.exe	89
PID 2280 wrote to memory of 4064	2280	msiexec.exe	89
PID 2280 wrote to memory of 4064	2280	msiexec.exe	89

C:\Users\Admin\AppData\Local\Temp\37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\msiexec.exe
  /i "C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Rummy Royal Installer\install\RummyRoyal_Live_en.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\37e60143fb437bbfb72aae1dd16a8d5c_JaffaCakes118.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 95493674A84890C8F1D79C8A858EC61C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIBC5B.tmp

Filesize
14KB

MD5
1afa5d8db46927c210ca89b7ec81e1c7

SHA1
e5cd5b8f8afe4faf43a64d4c16d048228b9ee2fd

SHA256
e55a022de86edfd958583023e9989b94751ea36322587e047c9af642d3fb82dc

SHA512
6e860e077149e0466b267f2300ca1eba67eaee419f1bf8cc8e7ad0542472f197407b4ca6dd60632cd731ef4780a7c389bd8dedafa7e330113ef0062f188e4b24

Download Submit
C:\Users\Admin\AppData\Roaming\RM Royal Media Ltd\Rummy Royal Installer\install\RummyRoyal_Live_en.msi

Filesize
312KB

MD5
d00f361eeb57600bda1e6c3fd35e15f7

SHA1
5b3ddb962fada2f053d448521894480c7096c27a

SHA256
c0f0d30f0942633e5667815fd927355487fe368b6b243287600b8abad54860da

SHA512
918ce96e657debb2653cbef06173413886f4d1fe73406444d2cfb7642d93f26725a6b3f1729891eadcb1055b47e4ee4ae3c43e2c84bc45d44dfa42999bbe993f

Download Submit