facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a

Analysis

max time kernel
101s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20250502-en
resource tags

arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2025, 05:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
Size

4.8MB
MD5

01a93ef53355330ab4105c860f9f76a8
SHA1

b1e1369278ff88958edfde04a31e729a12772118
SHA256

facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a
SHA512

6d5e2a6c68cf838655eed700f05d639d1c0a316ce738ef82351675aec594fd2368fb2357797bee63b2162e8fed25d85c32d29c00c88c84e9bdcc2c15b3fbe4f7
SSDEEP

98304:YWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:Ty4wesJFqpc8dXfUSe

Score

9^/10

bootkit defense_evasion discovery persistence spyware stealer trojan

Malware Config

Signatures

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x001c00000002b14d-77.dat	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
704	6272167835D47591.exe
2304	6272167835D47591.exe
2064	1746941848818.exe
2468	1746941850256.exe
688	ThunderFW.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6272167835D47591.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddnnjmifklogidkmpfdclcehmlanaaga\1.0.0.0_0\manifest.json	6272167835D47591.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
File opened for modification	\??\PhysicalDrive0	6272167835D47591.exe
File opened for modification	\??\PhysicalDrive0	6272167835D47591.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 704 set thread context of 5116	704	6272167835D47591.exe	88
PID 704 set thread context of 2364	704	6272167835D47591.exe	93

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5819fb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5819fb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3616E40C16DE5ABA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AB7.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1CD9F66239472297.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3D9CE417F11B9F55.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File created	C:\Windows\Installer\e5819fd.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFDE2A042D776904E.TMP	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1746941850256.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ThunderFW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1746941848818.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3896	cmd.exe
5184	PING.EXE
5844	cmd.exe
3480	PING.EXE
1600	cmd.exe
784	PING.EXE

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	6272167835D47591.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	6272167835D47591.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	6272167835D47591.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000501329f82a62c4750000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000501329f80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900501329f8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d501329f8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000501329f800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5884	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5184	PING.EXE
3480	PING.EXE
784	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2064	1746941848818.exe
2064	1746941848818.exe
2468	1746941850256.exe
2468	1746941850256.exe
5704	msiexec.exe
5704	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4360	msiexec.exe
Token: SeSecurityPrivilege	5704	msiexec.exe
Token: SeCreateTokenPrivilege	4360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4360	msiexec.exe
Token: SeLockMemoryPrivilege	4360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4360	msiexec.exe
Token: SeMachineAccountPrivilege	4360	msiexec.exe
Token: SeTcbPrivilege	4360	msiexec.exe
Token: SeSecurityPrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeLoadDriverPrivilege	4360	msiexec.exe
Token: SeSystemProfilePrivilege	4360	msiexec.exe
Token: SeSystemtimePrivilege	4360	msiexec.exe
Token: SeProfSingleProcessPrivilege	4360	msiexec.exe
Token: SeIncBasePriorityPrivilege	4360	msiexec.exe
Token: SeCreatePagefilePrivilege	4360	msiexec.exe
Token: SeCreatePermanentPrivilege	4360	msiexec.exe
Token: SeBackupPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeShutdownPrivilege	4360	msiexec.exe
Token: SeDebugPrivilege	4360	msiexec.exe
Token: SeAuditPrivilege	4360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4360	msiexec.exe
Token: SeChangeNotifyPrivilege	4360	msiexec.exe
Token: SeRemoteShutdownPrivilege	4360	msiexec.exe
Token: SeUndockPrivilege	4360	msiexec.exe
Token: SeSyncAgentPrivilege	4360	msiexec.exe
Token: SeEnableDelegationPrivilege	4360	msiexec.exe
Token: SeManageVolumePrivilege	4360	msiexec.exe
Token: SeImpersonatePrivilege	4360	msiexec.exe
Token: SeCreateGlobalPrivilege	4360	msiexec.exe
Token: SeCreateTokenPrivilege	4360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4360	msiexec.exe
Token: SeLockMemoryPrivilege	4360	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4360	msiexec.exe
Token: SeMachineAccountPrivilege	4360	msiexec.exe
Token: SeTcbPrivilege	4360	msiexec.exe
Token: SeSecurityPrivilege	4360	msiexec.exe
Token: SeTakeOwnershipPrivilege	4360	msiexec.exe
Token: SeLoadDriverPrivilege	4360	msiexec.exe
Token: SeSystemProfilePrivilege	4360	msiexec.exe
Token: SeSystemtimePrivilege	4360	msiexec.exe
Token: SeProfSingleProcessPrivilege	4360	msiexec.exe
Token: SeIncBasePriorityPrivilege	4360	msiexec.exe
Token: SeCreatePagefilePrivilege	4360	msiexec.exe
Token: SeCreatePermanentPrivilege	4360	msiexec.exe
Token: SeBackupPrivilege	4360	msiexec.exe
Token: SeRestorePrivilege	4360	msiexec.exe
Token: SeShutdownPrivilege	4360	msiexec.exe
Token: SeDebugPrivilege	4360	msiexec.exe
Token: SeAuditPrivilege	4360	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4360	msiexec.exe
Token: SeChangeNotifyPrivilege	4360	msiexec.exe
Token: SeRemoteShutdownPrivilege	4360	msiexec.exe
Token: SeUndockPrivilege	4360	msiexec.exe
Token: SeSyncAgentPrivilege	4360	msiexec.exe
Token: SeEnableDelegationPrivilege	4360	msiexec.exe
Token: SeManageVolumePrivilege	4360	msiexec.exe
Token: SeImpersonatePrivilege	4360	msiexec.exe
Token: SeCreateGlobalPrivilege	4360	msiexec.exe
Token: SeCreateTokenPrivilege	4360	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4360	msiexec.exe
Token: SeLockMemoryPrivilege	4360	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4360	msiexec.exe
4360	msiexec.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4360	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	79
PID 4028 wrote to memory of 4360	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	79
PID 4028 wrote to memory of 4360	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	79
PID 4028 wrote to memory of 704	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	80
PID 4028 wrote to memory of 704	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	80
PID 4028 wrote to memory of 704	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	80
PID 4028 wrote to memory of 2304	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	82
PID 4028 wrote to memory of 2304	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	82
PID 4028 wrote to memory of 2304	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	82
PID 4028 wrote to memory of 3896	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	83
PID 4028 wrote to memory of 3896	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	83
PID 4028 wrote to memory of 3896	4028	JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe	83
PID 5704 wrote to memory of 1856	5704	msiexec.exe	85
PID 5704 wrote to memory of 1856	5704	msiexec.exe	85
PID 5704 wrote to memory of 1856	5704	msiexec.exe	85
PID 3896 wrote to memory of 5184	3896	cmd.exe	86
PID 3896 wrote to memory of 5184	3896	cmd.exe	86
PID 3896 wrote to memory of 5184	3896	cmd.exe	86
PID 2304 wrote to memory of 5032	2304	6272167835D47591.exe	87
PID 2304 wrote to memory of 5032	2304	6272167835D47591.exe	87
PID 2304 wrote to memory of 5032	2304	6272167835D47591.exe	87
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 704 wrote to memory of 5116	704	6272167835D47591.exe	88
PID 5032 wrote to memory of 5884	5032	cmd.exe	90
PID 5032 wrote to memory of 5884	5032	cmd.exe	90
PID 5032 wrote to memory of 5884	5032	cmd.exe	90
PID 704 wrote to memory of 2064	704	6272167835D47591.exe	92
PID 704 wrote to memory of 2064	704	6272167835D47591.exe	92
PID 704 wrote to memory of 2064	704	6272167835D47591.exe	92
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2364	704	6272167835D47591.exe	93
PID 704 wrote to memory of 2468	704	6272167835D47591.exe	94
PID 704 wrote to memory of 2468	704	6272167835D47591.exe	94
PID 704 wrote to memory of 2468	704	6272167835D47591.exe	94
PID 2304 wrote to memory of 5844	2304	6272167835D47591.exe	95
PID 2304 wrote to memory of 5844	2304	6272167835D47591.exe	95
PID 2304 wrote to memory of 5844	2304	6272167835D47591.exe	95
PID 5844 wrote to memory of 3480	5844	cmd.exe	97
PID 5844 wrote to memory of 3480	5844	cmd.exe	97
PID 5844 wrote to memory of 3480	5844	cmd.exe	97
PID 704 wrote to memory of 688	704	6272167835D47591.exe	98
PID 704 wrote to memory of 688	704	6272167835D47591.exe	98
PID 704 wrote to memory of 688	704	6272167835D47591.exe	98
PID 704 wrote to memory of 1600	704	6272167835D47591.exe	99
PID 704 wrote to memory of 1600	704	6272167835D47591.exe	99
PID 704 wrote to memory of 1600	704	6272167835D47591.exe	99
PID 1600 wrote to memory of 784	1600	cmd.exe	101
PID 1600 wrote to memory of 784	1600	cmd.exe	101
PID 1600 wrote to memory of 784	1600	cmd.exe	101
PID 5704 wrote to memory of 1796	5704	msiexec.exe	105
PID 5704 wrote to memory of 1796	5704	msiexec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe"
1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
  C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 0011 user01
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:5116
- - C:\Users\Admin\AppData\Roaming\1746941848818.exe
    "C:\Users\Admin\AppData\Roaming\1746941848818.exe" /sjson "C:\Users\Admin\AppData\Roaming\1746941848818.txt"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:2364
- - C:\Users\Admin\AppData\Roaming\1746941850256.exe
    "C:\Users\Admin\AppData\Roaming\1746941850256.exe" /sjson "C:\Users\Admin\AppData\Roaming\1746941850256.txt"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:784
- C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
  C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 200 user01
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops Chrome extension
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:5844
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01a93ef53355330ab4105c860f9f76a8.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 110684411B68ECC0F177A518F3100DD1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1912

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5819fc.rbs

Filesize
9KB

MD5
a7172a3c28219d6a6821eed51ed6ab9b

SHA1
9861b271e7838f208b87890756eb581ed48a11ee

SHA256
7055a5543ff61431338723150ad041cdd4e574af7f1067034c75e3f670097edc

SHA512
101e0d157ffdc01bbcfd814796cfb88f773a995bf0f845b83c61614eec383c444eee0310b01eb256217e859ca71768cfddd7057b2e8c79bc87fb3eb340c5c5b2

Download Submit
C:\Users\Admin\AppData\Local\Login Data1746941850224

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Login Data1746941850240

Filesize
56KB

MD5
0e2c60740cafa19c5158f4aa41a5d4e7

SHA1
f01d0f359e407fed424c30919ed64b77508b3024

SHA256
ce41f2a3255df2099ae8eea9364bd28c6fd6a56c8ca3290bd274944d16d9e6bf

SHA512
e367b88f1d984f84b9b4a8fa4002ede1afad0d375f9374636250f17e64445a60d1b99fe23a0b314c4b2bd5fd27fe5b87fa4079a84b4497629f238afd8436afe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe

Filesize
4.8MB

MD5
01a93ef53355330ab4105c860f9f76a8

SHA1
b1e1369278ff88958edfde04a31e729a12772118

SHA256
facc6089e5bdd7363863e9d7426ad6de5fd94295affce870e065cd5a206ac76a

SHA512
6d5e2a6c68cf838655eed700f05d639d1c0a316ce738ef82351675aec594fd2368fb2357797bee63b2162e8fed25d85c32d29c00c88c84e9bdcc2c15b3fbe4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI88D7.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\1746941848818.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1746941848818.txt

Filesize
5KB

MD5
0afcd19de4269e4cb19695794b35f71f

SHA1
73915c911a36aad3f8e0297731101beeca6fb9b0

SHA256
e3b880ffa4e420f523edf299e6126d3ea11cc9a26bd1137d5b6469e8b88d72ce

SHA512
be4044a653b1877d85fadd206512274f7a3d2d839ea5060422527eface93be347d2fac31653fbf71508392d1258f41d38f7a07d85c72fad77819bb263ea2d0a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\783erq3o.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
2eab03c24e521ee22c08a3e3bab16d7f

SHA1
d8ea20c5d4e7866c66ef36201e27fce4e10ad12b

SHA256
5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2

SHA512
916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
75c9bb9476e2e0f82572d42cc4782799

SHA1
ea5bf968fd489312019ddf8b5f54ec52cf08717a

SHA256
e7967abf21d38c1e047fa865660f477411c302241ba12c4d8a5fe263e0f63f51

SHA512
5c6700baf094a410298195929bbd81e458e5c09f47499701e6308fcd7aef529bb2a6b7c2c062c7aeae4b220a0cb190760ddec0db06c9fd10dd92c0c4e97ecb36

Download Submit
\??\Volume{f8291350-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c634fcc3-4ff0-449a-847a-6b8a1540ac08}_OnDiskSnapshotProp

Filesize
6KB

MD5
a363c5d1407684d0b345282ae8efda7c

SHA1
3bcf8ece98090a1e1d3b0d4b2df2add46a4ac4e5

SHA256
88d4266ef373d0b382e24708666be0a6f22c6dd64818d917e71a5891a409f073

SHA512
0a727c80a06787f29ea9930ebda7d2babe76d92ca3d49d8e0049f605b22f6bd7b51d1889342442107ba35f7440135cc94dc204d15e1550ac6bdc0970ac2270e6

Download Submit
memory/704-30-0x0000000002FB0000-0x000000000345F000-memory.dmp

Filesize
4.7MB

Download
memory/704-156-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2304-26-0x0000000003000000-0x00000000034AF000-memory.dmp

Filesize
4.7MB

Download
memory/2304-16-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/2304-128-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4028-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4028-13-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/4028-1-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download