Analysis

max time kernel: 148s
max time network: 137s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 15:40
Static task: static1

Behavioral task: behavioral1
  Sample: a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
Size: 3.1MB
MD5: a88d1914a8879ab730ff1ba9c2f2f585
SHA1: 4f7d01d8c20f1137ed2621281d2824d397df1be7
SHA256: c98de3d6b0dc4e9f54a1de1a10c8ed0f746a7c03eb71424855ca2b0ed850d4f7
SHA512: f1e3fad1ae30c7f1d8fad3f4f2e9ce70e590128e45429a40e090f22621ab2c23acb4b83e5e921cfc83ed05ae743f806a1c38e89b3b8b12b5b63f9f61d7ebe2f3
SSDEEP: 49152:qTNVoeuNhGQl8kwNGOZQtlKPwOxConN8PyowDHW+va4apRMVNTPAwRh1az:qTNVoeuNItNOawmCMD2+y4GIbY
Malware Config
Signatures
Panda Stealer payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000162e9-16.dat | family_pandastealer
behavioral1/files/0x0009000000016d2c-104.dat | family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.

Pandastealer family

Executes dropped EXE (2 IoCs)
pid | Process
2896 | setup.exe
1028 | Reg-Tool.exe

Loads dropped DLL (21 IoCs)
pid | Process
2760 | a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe (x3)
1188 | Process not Found (x8)
832 | Process not Found (x4)
1188 | Process not Found (x2)
2104 | MsiExec.exe (x2)
1188 | Process not Found (x2)

Blocklisted process makes network request (3 IoCs)
flow | pid | Process
3 | 3028 | msiexec.exe
11 | 2616 | msiexec.exe
13 | 2616 | msiexec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe

Drops file in Program Files directory (12 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Reg-Tool\privacy.db | msiexec.exe
File created | C:\Program Files (x86)\Reg-Tool\startup.db | msiexec.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\general.html | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\privacy.html | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\scheduler.html | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\definitions.db | msiexec.exe
File created | C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe | msiexec.exe
File created | C:\Program Files (x86)\Reg-Tool\Reg-Tool.url | msiexec.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\optimizations.html | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\startup.html | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\PW\wizard.css | Reg-Tool.exe
File created | C:\Program Files (x86)\Reg-Tool\PW.zip | msiexec.exe

Drops file in Windows directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f77fbfc.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\f77fbfe.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI734.tmp | msiexec.exe
File created | C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe | msiexec.exe
File opened for modification | C:\Windows\Tasks\Reg-Tool Scan.job | Reg-Tool.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Tasks\Reg-Tool Scan.job | Reg-Tool.exe
File opened for modification | C:\Windows\WindowsUpdate.log | Reg-Tool.exe
File opened for modification | C:\Windows\Tasks\Reg-Tool Startup.job | Reg-Tool.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f77fbfb.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f77fbfb.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\f77fbfc.ipi | msiexec.exe
File created | C:\Windows\Tasks\Reg-Tool Startup.job | Reg-Tool.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Reg-Tool.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Reg-Tool.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Reg-Tool.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Reg-Tool.exe

Modifies data under HKEY_USERS (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe

Modifies registry class (23 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Version = "34082485" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\PackageName = "setup.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\PackageCode = "48BA83601803F4045BC521D940643267" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939\96A29D09F334FB943B850E7B58FFDB49 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49\OptimizerApplication | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductIcon = "C:\\Windows\\Installer\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\Icon.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductName = "Reg-Tool" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net\1 = "C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49 | msiexec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2616 | msiexec.exe (x2)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3028 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3028 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeSecurityPrivilege | 2616 | msiexec.exe
Token: SeCreateTokenPrivilege | 3028 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3028 | msiexec.exe
Token: SeLockMemoryPrivilege | 3028 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3028 | msiexec.exe
Token: SeMachineAccountPrivilege | 3028 | msiexec.exe
Token: SeTcbPrivilege | 3028 | msiexec.exe
Token: SeSecurityPrivilege | 3028 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3028 | msiexec.exe
Token: SeLoadDriverPrivilege | 3028 | msiexec.exe
Token: SeSystemProfilePrivilege | 3028 | msiexec.exe
Token: SeSystemtimePrivilege | 3028 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3028 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3028 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3028 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3028 | msiexec.exe
Token: SeBackupPrivilege | 3028 | msiexec.exe
Token: SeRestorePrivilege | 3028 | msiexec.exe
Token: SeShutdownPrivilege | 3028 | msiexec.exe
Token: SeDebugPrivilege | 3028 | msiexec.exe
Token: SeAuditPrivilege | 3028 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3028 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3028 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3028 | msiexec.exe
Token: SeUndockPrivilege | 3028 | msiexec.exe
Token: SeSyncAgentPrivilege | 3028 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3028 | msiexec.exe
Token: SeManageVolumePrivilege | 3028 | msiexec.exe
Token: SeImpersonatePrivilege | 3028 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3028 | msiexec.exe
Token: SeBackupPrivilege | 2436 | vssvc.exe
Token: SeRestorePrivilege | 2436 | vssvc.exe
Token: SeAuditPrivilege | 2436 | vssvc.exe
Token: SeBackupPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2100 | DrvInst.exe (x7)
Token: SeLoadDriverPrivilege | 2100 | DrvInst.exe (x3)
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2616 | msiexec.exe
Token: SeRestorePrivilege | 2616 | msiexec.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
3028 | msiexec.exe (x2)
1028 | Reg-Tool.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
1028 | Reg-Tool.exe

Suspicious use of SetWindowsHookEx (36 IoCs)
pid | Process
1028 | Reg-Tool.exe (x36)

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 2760 wrote to memory of 2896 | 2760 | a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe | 30 (x7)
PID 2896 wrote to memory of 3028 | 2896 | setup.exe | 31 (x7)
PID 2616 wrote to memory of 2104 | 2616 | msiexec.exe | 37 (x7)
PID 2104 wrote to memory of 1028 | 2104 | MsiExec.exe | 38 (x4)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"
  PID: 2760
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe"
      PID: 2896
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe
          Command line: "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{90D92A69-433F-49BF-B358-E0B785FFBD94}\setup.msi"
          PID: 3028
          - Blocklisted process makes network request
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2616
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F31776518EC40015DCDE568ABA27B796 C
      PID: 2104
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
          Command line: "C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe"
          PID: 1028
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2436
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "0000000000000588"
  PID: 2100
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9KB
MD5: c479bb53933c6fd1d7a0c3e66df9c0a0
SHA1: 9ed0802bd7e412141165fa5747cb20175226184a
SHA256: 35ee375c33592fb644e3ff5b8b51d4b2a052a397d785cba7e8a3d76518833a63
SHA512: d98344e742da412cc443ab33d01fe7d350cbd5cee37b3dd680b8e9cec85b25c018e922c650bd6abaee0f85a63d1b41c4f19f1af7ea79dd0c01cd55b1f9f2f7c4

Filesize: 36.5MB
MD5: 5bc76411c1dfeaf988a4469f128bbb6d
SHA1: b66c018fedfca88a82c96c58a97c6006f870b32e
SHA256: 26eecdb9ae714be60758560d7f8410c2d78faa13d66e1f6714db2f17b7c5bd55
SHA512: d73865f15af9c64349ff02c85a18f009ad8b8f5ccd219a4d90d13a73ed1aa0f42a6c8f7d07ea1b836ce4b8da36e191e6af371439a51b3600b53a693c71298c16

Filesize: 32KB
MD5: 9d5a45aa7203672bd0c16e212815f1bf
SHA1: e09162aa55916d5428ea540c11b00d8f77be9a8e
SHA256: 2af162c85d8f898cf31a972c9af66caa21aa009bf84b1522c8a37cbe0d84e34c
SHA512: a274750efead11bb21bbdd6c77b2a902ec51d8d760405f2600bb62992798123995acd475b4891d0c94d52b0b0431fd244867eba33fb16c787759ca2e538b8748

Filesize: 4KB
MD5: bc166f104d54c05ef2ea87d0c5509f46
SHA1: 9c5068bca2fba2d6e39df6b171ecf944b14899d4
SHA256: 4b489a11a37516b7f1ebbacde2cfbe173726deb570a89f367094370045c57772
SHA512: 671765513c11254f5f4cfbd106898a2505299071ffd188b7505b8c5b9ef53a24b04fd7d8c0c15227a02ada5d2695417352733926e6407880bd87e6d7947f515f

Filesize: 1KB
MD5: b8b098eae0638a02207abb73dba0afe2
SHA1: 3316ffabbf994bcea4f3a2f4c97e8352621171ea
SHA256: 0ae908b2989b4a9d7c93cd7cfe27b7c0c60cce64c265b743fb6b5f7a6d72f269
SHA512: 29b0c4de613a7ece77d4668af9169d54140f2bdb49218f294b5dbc91ef48b51b7b2f556ccd530b67d8c2808a59becd5489ecfad0d4ff91283c01fdc8ae5c415b

Filesize: 112KB
MD5: 44fa7b9f408c0b5ba1fff283808eba34
SHA1: 9c9809646306f67b4ab1cdec78cacbb2a5162e84
SHA256: 6573f1fe1de7541042ca6f49a0adac130fde506d6b92e1ed0ee856d69fb57946
SHA512: 5bdec5ed5a21f3a2e6a04ddc9aab06fb8fc3256eddf79c62d026022fbd41f4229a73c57c775ff8c5e3723fc47f9773c951260928c4b5877fb67399b861538f68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A
Filesize: 5B
MD5: 5bfa51f3a417b98e7443eca90fc94703
SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A
Filesize: 400B
MD5: 6e0a31bd3792936f2d7ebe2eac843d41
SHA1: c1939e6951347362a3d5fb7962cc31ce5632b97b
SHA256: e10bd2ba7497b927fc718fc1b583b291b2bd6491117caa2116a18d4fbdc13be4
SHA512: 1517b288dc8d2b40aac719457656043d0b396191a6af52673da7b3e8f76531f927b3fa04802cfd8961b36907a7fdf04a7aee777baa1883f07834d2bc4f699b44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cce8374ffce4f8c6032aafbff8a9ffe1
SHA1: 3a9fe5aa18e101535998ff6e18e66714f89ab37a
SHA256: 63c717e71eb42cfc17adec8e5b6d1feb3d140aa46b2276cce578fd1b57670375
SHA512: 61dc43187b23dbe75efd88d78455a8b5894ecd78153617c145bd6f9fd9afd785db2abda8d6ef6a24e94c7feef4e5086e0788f9edb7fd956066af4f7f9d36062a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 3c7dd4dff69c3d094e4f1db20ea72ca1
SHA1: c28312e27779b267e93fa08765396066cf8bc2c1
SHA256: cf91dc80d113dc0309569b86b834080bc4b9fc49e545dbc4f2b71f7a103e17ae
SHA512: 59e109c59c57f75701380dd6ffd3077e51f8fe5b6f0e9fea5b2833ee7989fe1ff21a8ee01ff01a1c0e598b45dcee0771752cadce97dd7470f00aaec5ca57103a

Filesize: 37.7MB
MD5: 8d5626aaf4505a65505f646959aab3fe
SHA1: 65baaabfd5d1eb022083fe9df79504cc656f315e
SHA256: b479919a20b820f13ba758f5a3851045ead9315b702bf5355c66e00593a5f832
SHA512: fa2024af189f337048d4e425829bb75ff83f91b879b67502913bb25e734b2ac3371f7b9b2d502b05e8471791a765f018800edbb0ee57db5410db9d6d3fe7cfec

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 386B
MD5: 05c3e1b66ba34d4a955b79fe006f6dc5
SHA1: 884308774f7c6bc8ada95faa13e08ffaa94faefd
SHA256: 9227f67dd427f033e979f0979aeb8cd3e2672541a5c5be42832bcac9d2b0c81f
SHA512: 1e5bdd5e5baca48e0e17a35d8c9dbd5c68df5216ddde1d39fc94384268eccc5784480757fb8c53783da8f62121fb15fa921d90070a8fd0ba89e27342dfd7352a

Filesize: 73KB
MD5: de1a17d4d7683738c4b0b165d36d5821
SHA1: 5b175debe5ce1e700a2f420bf944b20f5f17bd2e
SHA256: 1ee03147705d39bf9c2c57340bcf6576a1647ad97517e74df2ebb4443cd8ee66
SHA512: 7f2ebfd3b532548aec594b4399ccec17490a924215c0dfa0683becb5b9da19af5ba37341b562d04d4adc9dfea6feacea701652fdc612d14cc17acfe869c39177

Filesize: 148KB
MD5: 14c01c848d8452005734858a64b6784b
SHA1: d3d81fcd1267095880218ef09b92220248905ea8
SHA256: fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185
SHA512: 8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

Filesize: 84KB
MD5: 9c4d469714ff8a4cb84f4d01ce79f391
SHA1: 3e3ef7a2f1f9eb37ed8de407da85c5bccd3501c3
SHA256: 5cfdd807f3559b2b91d4de7777c7dec47f8603b70e058dedbfa353f6fb847ca6
SHA512: bbf4fed5d1882b64fcfa22cf60e2a2f69dc7ab621159be6e191c6ffc8f6482dfccbf8e3fb25070baec30744171761723080d9abb67760caa45325c78cccc19b9