Analysis
max time kernel: 93s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 10:44
Behavioral task behavioral1
  Sample: eb22dd8e4b78ddd44ceb9336e556ebd7_JaffaCakes118.msi
  Resource: win7-20240729-en
Behavioral task behavioral2
  Sample: eb22dd8e4b78ddd44ceb9336e556ebd7_JaffaCakes118.msi
  Resource: win10v2004-20241007-en
General
Target: eb22dd8e4b78ddd44ceb9336e556ebd7_JaffaCakes118.msi
Size: 996KB
MD5: eb22dd8e4b78ddd44ceb9336e556ebd7
SHA1: c18c3f48bed890333ab98ae83241003db6b95c73
SHA256: a38477583f2c2fd9b07c6c5ba26473893bfa3ff638abf760d933902eadcdcbc6
SHA512: 7ee234aa221f3bdd0095215eba0ed4666d7a1bd98fcf52eb7e3ce0f756d7ae3440ebf6c2b2626f2b519fc2374901ea6da3c540a501a61faa73d8d53fa3973b28
SSDEEP: 24576:Y7aBqnGIQ5M6DLrVVdWG859GCHrSoUzLyaVtFUl:Y78lrXVVdWX59GUrSLzeaVtFU
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
Drops file in Windows directory (12 IoCs)
  description                   ioc                                                                     Process
  File opened for modification  C:\Windows\Installer\MSIA5BB.tmp                                        msiexec.exe
  File created                  C:\Windows\Installer\e57a2f7.msi                                        msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA354.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA4BD.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA53C.tmp                                        msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                          msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}  msiexec.exe
  File opened for modification  C:\Windows\Installer\e57a2f7.msi                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA52B.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA54C.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                   msiexec.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  1352  MsiExec.exe
  1352  MsiExec.exe
  1352  MsiExec.exe
  1352  MsiExec.exe
  1352  MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid   Process
  3128  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                               Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      MsiExec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3252  msiexec.exe
  3252  msiexec.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            3128  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3128  msiexec.exe
  Token: SeSecurityPrivilege            3252  msiexec.exe
  Token: SeCreateTokenPrivilege         3128  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3128  msiexec.exe
  Token: SeLockMemoryPrivilege          3128  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3128  msiexec.exe
  Token: SeMachineAccountPrivilege      3128  msiexec.exe
  Token: SeTcbPrivilege                 3128  msiexec.exe
  Token: SeSecurityPrivilege            3128  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3128  msiexec.exe
  Token: SeLoadDriverPrivilege          3128  msiexec.exe
  Token: SeSystemProfilePrivilege       3128  msiexec.exe
  Token: SeSystemtimePrivilege          3128  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3128  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3128  msiexec.exe
  Token: SeCreatePagefilePrivilege      3128  msiexec.exe
  Token: SeCreatePermanentPrivilege     3128  msiexec.exe
  Token: SeBackupPrivilege              3128  msiexec.exe
  Token: SeRestorePrivilege             3128  msiexec.exe
  Token: SeShutdownPrivilege            3128  msiexec.exe
  Token: SeDebugPrivilege               3128  msiexec.exe
  Token: SeAuditPrivilege               3128  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3128  msiexec.exe
  Token: SeChangeNotifyPrivilege        3128  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3128  msiexec.exe
  Token: SeUndockPrivilege              3128  msiexec.exe
  Token: SeSyncAgentPrivilege           3128  msiexec.exe
  Token: SeEnableDelegationPrivilege    3128  msiexec.exe
  Token: SeManageVolumePrivilege        3128  msiexec.exe
  Token: SeImpersonatePrivilege         3128  msiexec.exe
  Token: SeCreateGlobalPrivilege        3128  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
  Token: SeRestorePrivilege             3252  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3252  msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  3128  msiexec.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process      procid_target
  PID 3252 wrote to memory of 1352   3252  msiexec.exe  84
  PID 3252 wrote to memory of 1352   3252  msiexec.exe  84
  PID 3252 wrote to memory of 1352   3252  msiexec.exe  84
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\eb22dd8e4b78ddd44ceb9336e556ebd7_JaffaCakes118.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3128
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3252
  - C:\Windows\syswow64\MsiExec.exe (child of PID 3252)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 90EE1CBDDA554CA592A167DE00D070F7
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1352
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 379KB
  MD5: 305a50c391a94b42a68958f3f89906fb
  SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
  SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
  SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
- Filesize: 537KB
  MD5: d7ec04b009302b83da506b9c63ca775c
  SHA1: 6fa9ea09b71531754b4cd05814a91032229834c0
  SHA256: 00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
  SHA512: 171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c