Overview
overview
7Static
static
340a33b0318...18.exe
windows7-x64
740a33b0318...18.exe
windows10-2004-x64
7$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDIR/w7tbp.dll
windows7-x64
3$PLUGINSDIR/w7tbp.dll
windows10-2004-x64
3$TEMP/Virt...za.exe
windows7-x64
3$TEMP/Virt...za.exe
windows10-2004-x64
3$TEMP/Virt...st.msi
windows7-x64
6$TEMP/Virt...st.msi
windows10-2004-x64
6VirtualBox...le.exe
windows7-x64
7VirtualBox...le.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ry.dll
windows7-x64
3$PLUGINSDI...ry.dll
windows10-2004-x64
3$PLUGINSDI...SC.dll
windows7-x64
3$PLUGINSDI...SC.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 15:30
Static task
static1
Behavioral task
behavioral1
Sample
40a33b0318fccc2dd41bd564936ca62a_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
40a33b0318fccc2dd41bd564936ca62a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Dialer.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Dialer.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/w7tbp.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/w7tbp.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$TEMP/VirtualBoxPortableTemp/7za.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
$TEMP/VirtualBoxPortableTemp/7za.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/VirtualBoxPortableTemp/Test.msi
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/VirtualBoxPortableTemp/Test.msi
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
VirtualBoxPortable.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
VirtualBoxPortable.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/Registry.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/Registry.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$TEMP/VirtualBoxPortableTemp/Test.msi
-
Size
32KB
-
MD5
8f847011d0eb0ab210d72f8df444a510
-
SHA1
99c753b1d04e459d03c655c093e363aebb3557f7
-
SHA256
3f352c15b6251f87e70dfdfe96ee729f5eb08f712451384ab9ef312fb25ffa53
-
SHA512
98a534b2bc711eaa2491d8d6950359f5ed4a731b733d884745901e4c665fabe3b7d7b4c8fd82d2692bcd1ee0f6d296af46e2f14a9fd9db4e44b121be5bad3ec4
-
SSDEEP
384:z2CMqS6GmOYSvEM5IC0IXey3M5IC0ioXhhU:Ve5oMmCTeWMmC
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Test Program\readme.txt msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76b5a9.msi msiexec.exe File created C:\Windows\Installer\f76b5aa.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIB654.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76b5aa.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f76b5a9.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\f76b5ac.msi msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1652 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2124 msiexec.exe 2124 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1652 msiexec.exe Token: SeIncreaseQuotaPrivilege 1652 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeSecurityPrivilege 2124 msiexec.exe Token: SeCreateTokenPrivilege 1652 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1652 msiexec.exe Token: SeLockMemoryPrivilege 1652 msiexec.exe Token: SeIncreaseQuotaPrivilege 1652 msiexec.exe Token: SeMachineAccountPrivilege 1652 msiexec.exe Token: SeTcbPrivilege 1652 msiexec.exe Token: SeSecurityPrivilege 1652 msiexec.exe Token: SeTakeOwnershipPrivilege 1652 msiexec.exe Token: SeLoadDriverPrivilege 1652 msiexec.exe Token: SeSystemProfilePrivilege 1652 msiexec.exe Token: SeSystemtimePrivilege 1652 msiexec.exe Token: SeProfSingleProcessPrivilege 1652 msiexec.exe Token: SeIncBasePriorityPrivilege 1652 msiexec.exe Token: SeCreatePagefilePrivilege 1652 msiexec.exe Token: SeCreatePermanentPrivilege 1652 msiexec.exe Token: SeBackupPrivilege 1652 msiexec.exe Token: SeRestorePrivilege 1652 msiexec.exe Token: SeShutdownPrivilege 1652 msiexec.exe Token: SeDebugPrivilege 1652 msiexec.exe Token: SeAuditPrivilege 1652 msiexec.exe Token: SeSystemEnvironmentPrivilege 1652 msiexec.exe Token: SeChangeNotifyPrivilege 1652 msiexec.exe Token: SeRemoteShutdownPrivilege 1652 msiexec.exe Token: SeUndockPrivilege 1652 msiexec.exe Token: SeSyncAgentPrivilege 1652 msiexec.exe Token: SeEnableDelegationPrivilege 1652 msiexec.exe Token: SeManageVolumePrivilege 1652 msiexec.exe Token: SeImpersonatePrivilege 1652 msiexec.exe Token: SeCreateGlobalPrivilege 1652 msiexec.exe Token: SeBackupPrivilege 2024 vssvc.exe Token: SeRestorePrivilege 2024 vssvc.exe Token: SeAuditPrivilege 2024 vssvc.exe Token: SeBackupPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeLoadDriverPrivilege 2616 DrvInst.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1652 msiexec.exe 1652 msiexec.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$TEMP\VirtualBoxPortableTemp\Test.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003D4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5a54f120730eda770e440f901d36b4fa8
SHA11ef5b3cc5c8614df3a9dd320820bda8afc11d199
SHA256a18096b0dde6e76d031210bae20abfd73315859d161c2d613f8e8d3860de0278
SHA5123a30c127b9dea6eb5d57ef0c0a82083afbdc365e7a5fc0fd2c8512cfdf4103ad644fa7350bb4a10c201ffe40d250175331883cb18a59c2e7828729593f3f4988
-
Filesize
32KB
MD58f847011d0eb0ab210d72f8df444a510
SHA199c753b1d04e459d03c655c093e363aebb3557f7
SHA2563f352c15b6251f87e70dfdfe96ee729f5eb08f712451384ab9ef312fb25ffa53
SHA51298a534b2bc711eaa2491d8d6950359f5ed4a731b733d884745901e4c665fabe3b7d7b4c8fd82d2692bcd1ee0f6d296af46e2f14a9fd9db4e44b121be5bad3ec4