Overview
overview
7Static
static
340a33b0318...18.exe
windows7-x64
740a33b0318...18.exe
windows10-2004-x64
7$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDIR/w7tbp.dll
windows7-x64
3$PLUGINSDIR/w7tbp.dll
windows10-2004-x64
3$TEMP/Virt...za.exe
windows7-x64
3$TEMP/Virt...za.exe
windows10-2004-x64
3$TEMP/Virt...st.msi
windows7-x64
6$TEMP/Virt...st.msi
windows10-2004-x64
6VirtualBox...le.exe
windows7-x64
7VirtualBox...le.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ry.dll
windows7-x64
3$PLUGINSDI...ry.dll
windows10-2004-x64
3$PLUGINSDI...SC.dll
windows7-x64
3$PLUGINSDI...SC.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
94s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2024, 15:30
Static task
static1
Behavioral task
behavioral1
Sample
40a33b0318fccc2dd41bd564936ca62a_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral2
Sample
40a33b0318fccc2dd41bd564936ca62a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Dialer.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Dialer.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/w7tbp.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/w7tbp.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$TEMP/VirtualBoxPortableTemp/7za.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral20
Sample
$TEMP/VirtualBoxPortableTemp/7za.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/VirtualBoxPortableTemp/Test.msi
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/VirtualBoxPortableTemp/Test.msi
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
VirtualBoxPortable.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
VirtualBoxPortable.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/Registry.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/Registry.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/SimpleSC.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$TEMP/VirtualBoxPortableTemp/Test.msi
-
Size
32KB
-
MD5
8f847011d0eb0ab210d72f8df444a510
-
SHA1
99c753b1d04e459d03c655c093e363aebb3557f7
-
SHA256
3f352c15b6251f87e70dfdfe96ee729f5eb08f712451384ab9ef312fb25ffa53
-
SHA512
98a534b2bc711eaa2491d8d6950359f5ed4a731b733d884745901e4c665fabe3b7d7b4c8fd82d2692bcd1ee0f6d296af46e2f14a9fd9db4e44b121be5bad3ec4
-
SSDEEP
384:z2CMqS6GmOYSvEM5IC0IXey3M5IC0ioXhhU:Ve5oMmCTeWMmC
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Test Program\readme.txt msiexec.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{12345678-1234-1234-1234-123456789012} msiexec.exe File opened for modification C:\Windows\Installer\MSID2F0.tmp msiexec.exe File created C:\Windows\Installer\e57d246.msi msiexec.exe File created C:\Windows\Installer\e57d244.msi msiexec.exe File opened for modification C:\Windows\Installer\e57d244.msi msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4304 msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 832 msiexec.exe 832 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4304 msiexec.exe Token: SeIncreaseQuotaPrivilege 4304 msiexec.exe Token: SeSecurityPrivilege 832 msiexec.exe Token: SeCreateTokenPrivilege 4304 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4304 msiexec.exe Token: SeLockMemoryPrivilege 4304 msiexec.exe Token: SeIncreaseQuotaPrivilege 4304 msiexec.exe Token: SeMachineAccountPrivilege 4304 msiexec.exe Token: SeTcbPrivilege 4304 msiexec.exe Token: SeSecurityPrivilege 4304 msiexec.exe Token: SeTakeOwnershipPrivilege 4304 msiexec.exe Token: SeLoadDriverPrivilege 4304 msiexec.exe Token: SeSystemProfilePrivilege 4304 msiexec.exe Token: SeSystemtimePrivilege 4304 msiexec.exe Token: SeProfSingleProcessPrivilege 4304 msiexec.exe Token: SeIncBasePriorityPrivilege 4304 msiexec.exe Token: SeCreatePagefilePrivilege 4304 msiexec.exe Token: SeCreatePermanentPrivilege 4304 msiexec.exe Token: SeBackupPrivilege 4304 msiexec.exe Token: SeRestorePrivilege 4304 msiexec.exe Token: SeShutdownPrivilege 4304 msiexec.exe Token: SeDebugPrivilege 4304 msiexec.exe Token: SeAuditPrivilege 4304 msiexec.exe Token: SeSystemEnvironmentPrivilege 4304 msiexec.exe Token: SeChangeNotifyPrivilege 4304 msiexec.exe Token: SeRemoteShutdownPrivilege 4304 msiexec.exe Token: SeUndockPrivilege 4304 msiexec.exe Token: SeSyncAgentPrivilege 4304 msiexec.exe Token: SeEnableDelegationPrivilege 4304 msiexec.exe Token: SeManageVolumePrivilege 4304 msiexec.exe Token: SeImpersonatePrivilege 4304 msiexec.exe Token: SeCreateGlobalPrivilege 4304 msiexec.exe Token: SeBackupPrivilege 3400 vssvc.exe Token: SeRestorePrivilege 3400 vssvc.exe Token: SeAuditPrivilege 3400 vssvc.exe Token: SeBackupPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe Token: SeTakeOwnershipPrivilege 832 msiexec.exe Token: SeRestorePrivilege 832 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4304 msiexec.exe 4304 msiexec.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 832 wrote to memory of 2692 832 msiexec.exe 92 PID 832 wrote to memory of 2692 832 msiexec.exe 92 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\$TEMP\VirtualBoxPortableTemp\Test.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4304
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2692
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5e6738774605199e24b44705bd272d61b
SHA144d009dfb80014264507fa88386c6eb01eb17ad1
SHA256b21deb384ffa014fee0bd45a9340fb75b23da25c1a455eaa1d0388ec2e01a24b
SHA5129b7bbfecbe733645969d1d0857e844cbfcfa83fddbd2fe5f595fc88bb0e693deef97ae68e2c082622832b767507455c2338ec49bad53dce718df63fe6a4d7bfc
-
Filesize
32KB
MD58f847011d0eb0ab210d72f8df444a510
SHA199c753b1d04e459d03c655c093e363aebb3557f7
SHA2563f352c15b6251f87e70dfdfe96ee729f5eb08f712451384ab9ef312fb25ffa53
SHA51298a534b2bc711eaa2491d8d6950359f5ed4a731b733d884745901e4c665fabe3b7d7b4c8fd82d2692bcd1ee0f6d296af46e2f14a9fd9db4e44b121be5bad3ec4
-
Filesize
24.1MB
MD5702d8ff1920b04fff537f3173877068f
SHA15aaeb033a25c00b0ff43899cb6e0cf8363e88e62
SHA256e51651294b6833fcf3329af5164072c7899421311bbbf85034f48dfac9934a41
SHA51213e7f30953718da22a48d8cce426f68aa7a397b9ddc864a975254c4abf771376d810184b8da6c8450465870fb9597f4fcfb6b8d1e79e1587c6e9e31d2b6c42dd
-
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b60c1e7e-cdc8-4169-8538-80ac0d9789ef}_OnDiskSnapshotProp
Filesize6KB
MD54be39fadd4f049cd56bf23d6db4a2456
SHA1e097e7f955a487cb6a92d44687ea8b17f81cd1b1
SHA25624b0f7cb429ecb3c42cbfa860868a8db37f15b51d00f7d8ef15595d140b57bd8
SHA512b222b060eb3701df7acc2e0405782489a16e9f629f3dcd7bed4417f19af42edf421cda97d937ded42bac901c367228f74e246837e2c61659f5192770451f0e37