e54310d51c8fa33be1ff614eeea026f47d1a7f43b6fe7d35d8f7920763fae26e

General

Target

f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
Size

40KB
MD5

f0f621acaad2f2a1c5982e4c8dd57a00
SHA1

b36f1d3cdb9ed67714fda138c82f931b90f63f75
SHA256

e54310d51c8fa33be1ff614eeea026f47d1a7f43b6fe7d35d8f7920763fae26e
SHA512

690a9379d160df5bd68c02430a05e0a67006fc0e0371fb37700563b6f87002a553bfc931300c7deeeb6255ddbf261547d8d19108ccbcf8eecb6a61abf6c36320
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHch:aqk/Zdic/qjh8w19JDHI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023403-4.dat	upx
behavioral2/memory/1312-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-41-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1312-185-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
File created	C:\Windows\java.exe	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1312	3052	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe	86
PID 3052 wrote to memory of 1312	3052	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe	86
PID 3052 wrote to memory of 1312	3052	f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp339C.tmp

Filesize
40KB

MD5
d9ff415053ad1d3b7522b875e8987418

SHA1
e2040cb0e215690b678e277f2426eb1402321df8

SHA256
b80c743ca891ceeb66be769657383bbf2bddb19c1bc8970695ceda1e45649171

SHA512
374b3dddfb50a876b39985f2decfd500e2bc1752728f0bc64cf0e09f7ca96e49ffed9678cf408e8a9df6ea507a8f8cd1908da153e0c265a6ef2aa6af6c381d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp

Filesize
40KB

MD5
c374845d3050ae9e82bfcae30f897c7e

SHA1
35b50699ca4d8c059716d8eeb4a7cf07bb7ce35a

SHA256
aac9a1a2f2a3caf29499c66390f5ec2e589b8a17df4f8e3cbcb4df094809e92d

SHA512
054006bed905d08f183b7543c85df0ea1cdb6b2f5c11289ebbd7437dc49efdfbe46f0111bd478b59eb0a1b723b62d32cde93842bcfa8db500faef591514a9cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a6cbf7721555767fdde71750ef69edad

SHA1
dce57bfd842371b64dd3a1e1b2b0db904ba2a279

SHA256
2d61ba1918bc74ba3be37e803e16fdac7f78ead00f44d7b50809fd267d65a5a6

SHA512
100c10276d6f710fccc0732481a29ed447e44bedc8c365f60d8671e340c510f91274ae4c7860bf49e30e2918aa9d3209d184b48556d1296cba0738a3ca8a5bf2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1312-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-185-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-41-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1312-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3052-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads