Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 23/10/2024, 21:05
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
Size: 1.3MB
MD5: 70d0bd7633d10c492839272c97b2544e
SHA1: 4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256: 6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512: 99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP: 24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2380 | setup.exe

Loads dropped DLL (7 IoCs)
pid | Process
2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
2380 | setup.exe
2380 | setup.exe
3032 | MsiExec.exe
3032 | MsiExec.exe
2136 | MsiExec.exe
2136 | MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\WMIProducts.vbs | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Common.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Input.Toolkit.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\Readme.rtf | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Software.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.Shell.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Layout.Toolkit.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\log4net.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\WPFToolkit.dll | msiexec.exe
File created | C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe.config | msiexec.exe
Drops file in Windows directory (18 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f773aee.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe | msiexec.exe
File created | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe | msiexec.exe
File created | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\f773aef.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f773aee.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI3CB5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3D72.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI3BAB.tmp | msiexec.exe
File created | C:\Windows\Installer\f773aef.ipi | msiexec.exe
File created | C:\Windows\Installer\f773af1.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Modifies data under HKEY_USERS (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Modifies registry class (41 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|Microsoft.WindowsAPICodePack.Shell.dll | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|System.Windows.Controls.Input.Toolkit.dll\System.Windows.Controls.Input.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicK = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003900730036007d0060005500290067006b005400600045005b00480027004f005f0053006e00520000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|WPFToolkit.dll\WPFToolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00590055003200650062003100210032006a006500520042002e007d007a006d00420047002900390000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|Microsoft.WindowsAPICodePack.Shell.dll\Microsoft.WindowsAPICodePack.Shell,Version="1.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004d00650037005f0065004800240051004c003d0076006d006c006c00250067005f004d003600570000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|HomeDev.Common.dll\HomeDev.Common,Version="1.1.5.2",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="86819A5907809173" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003400260041002c0044004400510072003400450062005a0049006d00540072005e006a007800270000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|System.Windows.Controls.Layout.Toolkit.dll | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|log4net.dll\log4net,Version="1.2.15.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="669E0DDF0BB1AA2A" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e006300430042005500760062002b0045005f0028006500430062007e005f002c00350077004c00540000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|Microsoft.WindowsAPICodePack.dll\Microsoft.WindowsAPICodePack,Version="1.1.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004a0072006b00540036005600370047007a00510062006b0064006b00420031005a0078002b005e0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|HomeDev.Software.dll | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductIcon = "C:\\Windows\\Installer\\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\\_853F67D554F05449430E7E.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\PackageName = "PatchCleaner.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSBECD.tmp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|log4net.dll | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|HomeDev.Software.dll\HomeDev.Software,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="EB089AF34F3501AB" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e0046002100610039004b0064003100340059006c0062002800360053004e00510050004e004c00370000000000 | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|PatchCleaner.exe\PatchCleaner,Version="1.4.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00290049004e004800470076004b006c004700600053006f0075006e004c0048003f0053007d00660000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|HomeDev.Common.dll | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|WPFToolkit.dll | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Version = "17039380" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04\671AD727BB05C254D85B69EEA075E34D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\PackageCode = "185E25D16CE049341B4DA8BD645C594E" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|System.Windows.Controls.Layout.Toolkit.dll\System.Windows.Controls.Layout.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",Publi = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00240037003700640067006e0049006b0060006b00600051004f004200550050002d00560075002a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D\DefaultFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductName = "PatchCleaner" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSBECD.tmp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|System.Windows.Controls.Input.Toolkit.dll | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|Microsoft.WindowsAPICodePack.dll | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Program Files (x86)|HomeDev|PatchCleaner|PatchCleaner.exe | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\DeploymentFlags = "3" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2836 | msiexec.exe
2836 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2076 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2076 | msiexec.exe
Token: SeRestorePrivilege | 2836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2836 | msiexec.exe
Token: SeSecurityPrivilege | 2836 | msiexec.exe
Token: SeCreateTokenPrivilege | 2076 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2076 | msiexec.exe
Token: SeLockMemoryPrivilege | 2076 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2076 | msiexec.exe
Token: SeMachineAccountPrivilege | 2076 | msiexec.exe
Token: SeTcbPrivilege | 2076 | msiexec.exe
Token: SeSecurityPrivilege | 2076 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2076 | msiexec.exe
Token: SeLoadDriverPrivilege | 2076 | msiexec.exe
Token: SeSystemProfilePrivilege | 2076 | msiexec.exe
Token: SeSystemtimePrivilege | 2076 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2076 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2076 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2076 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2076 | msiexec.exe
Token: SeBackupPrivilege | 2076 | msiexec.exe
Token: SeRestorePrivilege | 2076 | msiexec.exe
Token: SeShutdownPrivilege | 2076 | msiexec.exe
Token: SeDebugPrivilege | 2076 | msiexec.exe
Token: SeAuditPrivilege | 2076 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2076 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2076 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2076 | msiexec.exe
Token: SeUndockPrivilege | 2076 | msiexec.exe
Token: SeSyncAgentPrivilege | 2076 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2076 | msiexec.exe
Token: SeManageVolumePrivilege | 2076 | msiexec.exe
Token: SeImpersonatePrivilege | 2076 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2076 | msiexec.exe
Token: SeCreateTokenPrivilege | 2076 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2076 | msiexec.exe
Token: SeLockMemoryPrivilege | 2076 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2076 | msiexec.exe
Token: SeMachineAccountPrivilege | 2076 | msiexec.exe
Token: SeTcbPrivilege | 2076 | msiexec.exe
Token: SeSecurityPrivilege | 2076 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2076 | msiexec.exe
Token: SeLoadDriverPrivilege | 2076 | msiexec.exe
Token: SeSystemProfilePrivilege | 2076 | msiexec.exe
Token: SeSystemtimePrivilege | 2076 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2076 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2076 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2076 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2076 | msiexec.exe
Token: SeBackupPrivilege | 2076 | msiexec.exe
Token: SeRestorePrivilege | 2076 | msiexec.exe
Token: SeShutdownPrivilege | 2076 | msiexec.exe
Token: SeDebugPrivilege | 2076 | msiexec.exe
Token: SeAuditPrivilege | 2076 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2076 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2076 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2076 | msiexec.exe
Token: SeUndockPrivilege | 2076 | msiexec.exe
Token: SeSyncAgentPrivilege | 2076 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2076 | msiexec.exe
Token: SeManageVolumePrivilege | 2076 | msiexec.exe
Token: SeImpersonatePrivilege | 2076 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2076 | msiexec.exe
Token: SeCreateTokenPrivilege | 2076 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2076 | msiexec.exe
2076 | msiexec.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2372 wrote to memory of 2380 | 2372 | 70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe | 30
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2380 wrote to memory of 2076 | 2380 | setup.exe | 31
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 3032 | 2836 | msiexec.exe | 33
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
PID 2836 wrote to memory of 2136 | 2836 | msiexec.exe | 38
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSBECD.tmp\setup.exe (PID 2380)
    Command line: .\setup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 2076)
      Command line: "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zSBECD.tmp\PatchCleaner.msi"
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 2836)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 3032)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57B21C53F8B1C6B2A3E120314752295F C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 2136)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD85A127CC243C1BDDE98E03D4C2C922
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

- C:\Windows\system32\vssvc.exe (PID 2508)
  Command line: C:\Windows\system32\vssvc.exe

- C:\Windows\system32\DrvInst.exe (PID 584)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003A4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 12KB
MD5: fa0581dc9b0b0f1e5e191ed5a424b0cc
SHA1: 922c917c1ab9ca425f0a49913baf3d51286917ca
SHA256: 317021b9e271bb0c869c170e1415676b9d8f69ab597d965283e685fa1d7279a6
SHA512: a3a8d7df328998ebe21c1acd06a5b87d13860cdb3edacfbb373855b1c5ab775f4a8f62e2ea91b56a6f65e21bd10de74ad76226d80396bc821e07a7ae1dcc3261

Filesize: 2.0MB
MD5: ca19dc264e480db621d11429e08ca62b
SHA1: 732fa43146301e30c7dfbb700081691ddb4e28c7
SHA256: c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164
SHA512: af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 305KB
MD5: 79a1dc3e058699630f44eaef8736d637
SHA1: cdaa694b65dd49d726e2ef676749351adf97165a
SHA256: adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4
SHA512: 16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Filesize: 184KB
MD5: 37831340b21b0e54552139628fe6d9c7
SHA1: 455ce35b74be73487e494f5f87812fb5db4f93a6
SHA256: 962011dd08a688f53d4b9e4f2574ce330f1f2b317e96ef5bf1a808b8ecd8bb34
SHA512: b5723a24142dfc2e2a6d7f7dc1533ee3d769c1cd0db9665671f9538406350ec8c7cc4afb30408aa66391baf27c7ad9586a8dafdbefc28a1d28549ff84c6d36d8

Filesize: 772KB
MD5: fb3fdbb47f9b738a64f8a874247ad219
SHA1: 2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab
SHA256: e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62
SHA512: bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c