d1a3fee43f7c69cff3a6401d0ec704185534adeb36c1a701b0ecd8424b2263b3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe
Size

40KB
MD5

eb390cb81b3ec509e2db0c4ab3964396
SHA1

10dae46ac0452663be8bfc461e72d5eb4e9e1397
SHA256

d1a3fee43f7c69cff3a6401d0ec704185534adeb36c1a701b0ecd8424b2263b3
SHA512

04c64e5c8eaa33f1aca7f2f48556a7fbc7bd4d6f4e4be8edf4796a7413c12af360cdc1ca4d7413c2b3f5f74ae8a869c597ff273902b66e4a8f4937c28136a1a0
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHj3+Zl:aqk/Zdic/qjh8w19JDHjY

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023204-4.dat	upx
behavioral2/memory/3008-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-199-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-202-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-203-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3008-233-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe
File created	C:\Windows\java.exe	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3008	3200	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe	86
PID 3200 wrote to memory of 3008	3200	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe	86
PID 3200 wrote to memory of 3008	3200	eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb390cb81b3ec509e2db0c4ab3964396_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\search[3].htm

Filesize
113KB

MD5
6e275c80f0926314230744df6140f8c0

SHA1
a9cc886c506a5732b1c46ba22ff3230afb4a05d2

SHA256
d8ff434426d93e82ff70b33e79ce06030d225fbc497084b8b45f21f97b6b91c0

SHA512
658ec87ef0910e0c2521010068bc99db382c3fbdebece16d45740b0b78e48894229ab8f012f96c4b8f9a779721c717758aad84cbe16e3247c76b88b403bf29f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IGS2C121\search[2].htm

Filesize
139KB

MD5
5036fe8891369bdcd4d6e89d7104d034

SHA1
36b52b2e58d3426dbeb10fd7b370f2d49b87dd08

SHA256
13a52dd2037f18ffabe18e6a9a67b8be8ad66c270be6130516dda10da95993c5

SHA512
261dfdd08014298e02c97d77dcfb2b13088ca10f2c19bd3770919be54aed7b7c4c6f59489cfb12784d188099941aba2f99d5438b4fe7fe56a1a9e8819f1a94b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\S6QKJP5T.htm

Filesize
175KB

MD5
54a73805c7e6a3a41b2264be5e73d774

SHA1
10b6c125918c7f8fb20f445b9004fae40026715f

SHA256
40bf0615ea72a443e07d513dee6d30c449f58bed566bb5d5214a9d0d576b6f78

SHA512
a8175572db195621adad0ab83bdaba440e62779c5f0eedeae301a0ee337115fa492fa79c797e0b45eceb627d2834ad4178ced55e9e5f80b0db7fa65ffbae0fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA891.tmp

Filesize
40KB

MD5
bd23d5b948b2794e9d022924faa48106

SHA1
45ae26a5919db96e2924e82a28968cfbbbd2abfb

SHA256
89b00f29b1c5268aace4c433fd643f2b185e714531427e2a09e0f8c3bc75218b

SHA512
264a11395dec4e8b88e34444a7eb2ac29b3894cb598574798bc530aff36ded51c2cbe93889d6552a415a7dd3e69512c94f366d31d01223afc9736dd3fd432956

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0a0e6ee183f36109e8b318b2073843c2

SHA1
a67cd653cb0e9c839e60078086709c40cc3ad770

SHA256
fdd0b3eea6b706ea31b697182f46de1136641d8c147f177f22ab4bf318721707

SHA512
5b46583bd1847e96a70fb16c987b17d3f5dac80a3ad6b42ad0c8b35804c69724e2aaad4db60ae02d33c71efb4c951d45d7cdb69daf8028c35b4f7d7b28741571

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
7baa64f5c9770439f73b65c4284ddc16

SHA1
3cb4b1b4e07c74a8a8799426cb7e310e4de2854e

SHA256
6e7393c91fa37ee9954bc4e959e9d28f6c134902529f3bba6ecf298a09ee9eea

SHA512
a1abfaacbe33f2f2e73d4ca8e6d728b41dd417c96bad8c200bf0d5ed6a440c92b1995764e0b9f8f697f6dfc52f52dca93e8847b00c62795409679a7df7d7db75

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c184b0fb8e3c7ec5dbdb2829901e98ea

SHA1
fda24107e8bbbf6dd28c6fb30a7668e4c7e77a1d

SHA256
48574979aeae046c31c55e6ecfa5990a412fe554cd884e131692779e7c705ea6

SHA512
af90eba87d7856811479d6dae2749831b02dc628b242e3dae80fcbb0beee738bf59a1e8ceed0a16d1fe6ada5d6a24f3a87ca10c47e91a18865529a6abb132e6a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3008-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-199-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-202-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3200-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads