6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
Size

1.3MB
MD5

70d0bd7633d10c492839272c97b2544e
SHA1

4da0e8c2fe1f06b13985d700fe15686a1015c3bb
SHA256

6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6
SHA512

99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2
SSDEEP

24576:91OYdaPtyx5f3bpaOZpBr8Mok3CwAvCJYNsO7z7YHgEzmvDjvANu29N:91Os1gOpBrRokSwAqJY73Sz2Qv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
916	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
4156	MsiExec.exe
4156	MsiExec.exe
3760	MsiExec.exe
3760	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\WMIProducts.vbs	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Layout.Toolkit.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\AppData\Readme.rtf	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\log4net.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\System.Windows.Controls.Input.Toolkit.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\HomeDev.Software.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\WPFToolkit.dll	msiexec.exe
File created	C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe.config	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D91.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\e583cc6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583cc6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_F50716A801D63468497CD3.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe	msiexec.exe
File created	C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe	msiexec.exe
File created	C:\Windows\Installer\e583cc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E6C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{727DA176-50BB-452C-8DB5-96EE0A573ED4}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.Shell.dll\Microsoft.WindowsAPICodePack.Shell,Version="1.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004d00650037005f0065004800240051004c003d0076006d006c006c00250067005f004d003600570000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|log4net.dll\log4net,Version="1.2.15.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="669E0DDF0BB1AA2A" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e006300430042005500760062002b0045005f0028006500430062007e005f002c00350077004c00540000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|WPFToolkit.dll\WPFToolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="31BF3856AD364E35" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00590055003200650062003100210032006a006500520042002e007d007a006d00420047002900390000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSA22B.tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Common.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|log4net.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|WPFToolkit.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|PatchCleaner.exe\PatchCleaner,Version="1.4.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00290049004e004800470076004b006c004700600053006f0075006e004c0048003f0053007d00660000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductName = "PatchCleaner"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\26E051A48C561874BB8CF174125F2F04\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Layout.Toolkit.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\ProductIcon = "C:\\Windows\\Installer\\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\PackageName = "PatchCleaner.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\671AD727BB05C254D85B69EEA075E34D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Layout.Toolkit.dll\System.Windows.Controls.Layout.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",Publi = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e00240037003700640067006e0049006b0060006b00600051004f004200550050002d00560075002a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\PackageCode = "185E25D16CE049341B4DA8BD645C594E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Input.Toolkit.dll\System.Windows.Controls.Input.Toolkit,Version="3.5.40128.1",Culture="neutral",ProcessorArchitecture="MSIL",PublicK = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003900730036007d0060005500290067006b005400600045005b00480027004f005f0053006e00520000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.dll\Microsoft.WindowsAPICodePack,Version="1.1.2.0",Culture="neutral",ProcessorArchitecture="MSIL" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e004a0072006b00540036005600370047007a00510062006b0064006b00420031005a0078002b005e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|PatchCleaner.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|System.Windows.Controls.Input.Toolkit.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Software.dll\HomeDev.Software,Version="1.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="EB089AF34F3501AB" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e0046002100610039004b0064003100340059006c0062002800360053004e00510050004e004c00370000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Version = "17039380"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Software.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|Microsoft.WindowsAPICodePack.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\671AD727BB05C254D85B69EEA075E34D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zSA22B.tmp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|HomeDev\|PatchCleaner\|HomeDev.Common.dll\HomeDev.Common,Version="1.1.5.2",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="86819A5907809173" = 2b00600069006c004c0050004000670037003d0046003f007d006200750047007900390036006d003e003400260041002c0044004400510072003400450062005a0049006d00540072005e006a007800270000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	msiexec.exe
2320	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2320	msiexec.exe
Token: SeCreateTokenPrivilege	2724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2724	msiexec.exe
Token: SeLockMemoryPrivilege	2724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2724	msiexec.exe
Token: SeMachineAccountPrivilege	2724	msiexec.exe
Token: SeTcbPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeLoadDriverPrivilege	2724	msiexec.exe
Token: SeSystemProfilePrivilege	2724	msiexec.exe
Token: SeSystemtimePrivilege	2724	msiexec.exe
Token: SeProfSingleProcessPrivilege	2724	msiexec.exe
Token: SeIncBasePriorityPrivilege	2724	msiexec.exe
Token: SeCreatePagefilePrivilege	2724	msiexec.exe
Token: SeCreatePermanentPrivilege	2724	msiexec.exe
Token: SeBackupPrivilege	2724	msiexec.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeShutdownPrivilege	2724	msiexec.exe
Token: SeDebugPrivilege	2724	msiexec.exe
Token: SeAuditPrivilege	2724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2724	msiexec.exe
Token: SeChangeNotifyPrivilege	2724	msiexec.exe
Token: SeRemoteShutdownPrivilege	2724	msiexec.exe
Token: SeUndockPrivilege	2724	msiexec.exe
Token: SeSyncAgentPrivilege	2724	msiexec.exe
Token: SeEnableDelegationPrivilege	2724	msiexec.exe
Token: SeManageVolumePrivilege	2724	msiexec.exe
Token: SeImpersonatePrivilege	2724	msiexec.exe
Token: SeCreateGlobalPrivilege	2724	msiexec.exe
Token: SeCreateTokenPrivilege	2724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2724	msiexec.exe
Token: SeLockMemoryPrivilege	2724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2724	msiexec.exe
Token: SeMachineAccountPrivilege	2724	msiexec.exe
Token: SeTcbPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeLoadDriverPrivilege	2724	msiexec.exe
Token: SeSystemProfilePrivilege	2724	msiexec.exe
Token: SeSystemtimePrivilege	2724	msiexec.exe
Token: SeProfSingleProcessPrivilege	2724	msiexec.exe
Token: SeIncBasePriorityPrivilege	2724	msiexec.exe
Token: SeCreatePagefilePrivilege	2724	msiexec.exe
Token: SeCreatePermanentPrivilege	2724	msiexec.exe
Token: SeBackupPrivilege	2724	msiexec.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeShutdownPrivilege	2724	msiexec.exe
Token: SeDebugPrivilege	2724	msiexec.exe
Token: SeAuditPrivilege	2724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2724	msiexec.exe
Token: SeChangeNotifyPrivilege	2724	msiexec.exe
Token: SeRemoteShutdownPrivilege	2724	msiexec.exe
Token: SeUndockPrivilege	2724	msiexec.exe
Token: SeSyncAgentPrivilege	2724	msiexec.exe
Token: SeEnableDelegationPrivilege	2724	msiexec.exe
Token: SeManageVolumePrivilege	2724	msiexec.exe
Token: SeImpersonatePrivilege	2724	msiexec.exe
Token: SeCreateGlobalPrivilege	2724	msiexec.exe
Token: SeCreateTokenPrivilege	2724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2724	msiexec.exe
Token: SeLockMemoryPrivilege	2724	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2724	msiexec.exe
2724	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 916	4860	70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe	97
PID 4860 wrote to memory of 916	4860	70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe	97
PID 4860 wrote to memory of 916	4860	70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe	97
PID 916 wrote to memory of 2724	916	setup.exe	98
PID 916 wrote to memory of 2724	916	setup.exe	98
PID 916 wrote to memory of 2724	916	setup.exe	98
PID 2320 wrote to memory of 4156	2320	msiexec.exe	103
PID 2320 wrote to memory of 4156	2320	msiexec.exe	103
PID 2320 wrote to memory of 4156	2320	msiexec.exe	103
PID 2320 wrote to memory of 692	2320	msiexec.exe	118
PID 2320 wrote to memory of 692	2320	msiexec.exe	118
PID 2320 wrote to memory of 3760	2320	msiexec.exe	120
PID 2320 wrote to memory of 3760	2320	msiexec.exe	120
PID 2320 wrote to memory of 3760	2320	msiexec.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70d0bd7633d10c492839272c97b2544e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\7zSA22B.tmp\setup.exe
  .\setup.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zSA22B.tmp\PatchCleaner.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C4032444C6D0158C3E135F24F7F9170 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4156
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E008D6FE8302D5FCBE1AA319F99A205A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583cc7.rbs

Filesize
13KB

MD5
19a38c919bbce8a84d1fc0d258585a86

SHA1
511dc85363339338feb5891a420eafe9cab771f5

SHA256
8d7e23f90a96e37f3aadc92ed3aad1097756b4c2fa51660489cf6cbdfd413247

SHA512
423958f8c579b9ec1b0b226303232ed8297dd5de6e8f47b402e5b97b17d6e27de31b953ec7c675a375dfcb56c1a128878cfb6e37af3d294e619970fcb2fce545

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA22B.tmp\PatchCleaner.msi

Filesize
2.0MB

MD5
ca19dc264e480db621d11429e08ca62b

SHA1
732fa43146301e30c7dfbb700081691ddb4e28c7

SHA256
c43f57c1aff7a3571fb89a6467247417bdf5b5ae2cd3ab60ce444490bc4df164

SHA512
af419f36fa581d6fb1cbfb6f598283c1a9a4e3315e19d227cb4806e3de7b929b400913ca3f09e5c3c58646907b363ebf2cf282610d54ac507a3d66eaf71b1a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA22B.tmp\setup.exe

Filesize
772KB

MD5
fb3fdbb47f9b738a64f8a874247ad219

SHA1
2103c9ffd7f5af42f5e0e3a929ff59f61b9e4eab

SHA256
e1c84c55cd245d0b487cfc816676c13729c53cb8f0462d955dd6a39219053c62

SHA512
bd82b76fa95730cfa2fd3e833a9b1a65f5c27b0d348d26e245c57f15d34a3ff2988cf19625d0351cd0fa7f56bca372085092394397f7d3a19d5ad6cae428a57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA70D.tmp

Filesize
305KB

MD5
79a1dc3e058699630f44eaef8736d637

SHA1
cdaa694b65dd49d726e2ef676749351adf97165a

SHA256
adf737e044c8125286b7f0c2907597d840ca6f3dc92e8cb56a5bc20243c723d4

SHA512
16db5d41c07e568c7cba18d5dc2cf2f566b0f1059256574cec69b00796850fc2e5a8c12e5b27e0547817b204db5a9532f893f42ab4f3c5c165a2e654e17a0605

Download Submit
C:\Windows\Installer\{727DA176-50BB-452C-8DB5-96EE0A573ED4}\_9C79D8932B8391D44D5ECB.exe

Filesize
184KB

MD5
37831340b21b0e54552139628fe6d9c7

SHA1
455ce35b74be73487e494f5f87812fb5db4f93a6

SHA256
962011dd08a688f53d4b9e4f2574ce330f1f2b317e96ef5bf1a808b8ecd8bb34

SHA512
b5723a24142dfc2e2a6d7f7dc1533ee3d769c1cd0db9665671f9538406350ec8c7cc4afb30408aa66391baf27c7ad9586a8dafdbefc28a1d28549ff84c6d36d8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
31379eaac886112bb03d3d89ff2dc067

SHA1
57f743f051dac735ba218debff663faef466bda4

SHA256
e9e0d96795dec63e73b4f3161cd1c2025dd9e611d4cbd28bc98580b59fcaf8be

SHA512
139ca6b04109e287a1960f95ffc67360bae835d8420cfd718b6c28f4c5ac87ea12ba68b780e9fcab422bf2418ce6ebd7ac36047a68eac838fec16c708adf7677

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8b27acbf-2b8b-4c74-b9a6-59c2c495fcf1}_OnDiskSnapshotProp

Filesize
6KB

MD5
45e2fe299d6cca12bd522958f35ef70d

SHA1
777eaa6e52c842c1d0b4257589eed620035f67b2

SHA256
cafdc1af5722cb35b4824312df1d5f6f2a40d52d0cebb6fcea0b96b97f1e3fc1

SHA512
a261891e71616ea6836bae26522df37fd86a905478bd2c86da9c4c3b8bb4454bca98c8cfc5f0ddaecf0ad32d85ea902762bc0848e4c7cc80644ed7bcbc82c575

Download Submit