3fc10b5c7aa573fbdd5b3cae77e4322894cca7a20a46aa510e7b309aab75991e

General

Target

f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe
Size

28KB
MD5

f8537468081b0e4be44c420cc36af571
SHA1

35781b5fd883fafb85477e77be2be47f30017024
SHA256

3fc10b5c7aa573fbdd5b3cae77e4322894cca7a20a46aa510e7b309aab75991e
SHA512

c678d9f693518c9ce9a95ccc41399c66b33b39af53d4d69e4f5f42e01222735474018ab8dd57e42117d3646fe5c2ad630db4144ba188aa43ed33d87f6dfe3267
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNwG83H:Dv8IRRdsxq1DjJcqfz9H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
512	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/716-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000600000002326f-4.dat	upx
behavioral2/memory/512-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/716-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/512-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/716-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/512-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/716-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/512-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e000000023362-60.dat	upx
behavioral2/memory/716-186-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/512-187-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/716-188-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/512-189-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/512-194-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe
File created	C:\Windows\java.exe	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 512	716	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe	87
PID 716 wrote to memory of 512	716	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe	87
PID 716 wrote to memory of 512	716	f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8537468081b0e4be44c420cc36af571_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4LRYPNZC\N3DPQ81N.htm

Filesize
175KB

MD5
4409154ec57983ce609898b13ce6abec

SHA1
e824dafb341d85b0db25fad247ad3415754a7427

SHA256
4265ae3fa01749b3e97f5bb17c59b3928034075913ef9e7db2e85d09652cb38a

SHA512
2820b4c633148ce78b686d4d09597e32b5afa8ebcbe0f935831b1b8f93929da851921bd9d7081c529a82e27c8b5aca78d31cdc4a4807cb766f6a13f186c3e387

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE809.tmp

Filesize
28KB

MD5
64db27ea1e0f77f35527e52fae3670f1

SHA1
b94fd879a83948b5c83ba758c6f11b485a68e66b

SHA256
72017903cc34653f8e0699e5d37fb116b8e8598205b821089cb9943141e0f84a

SHA512
c87851ece3fa53ddbf14b63b023eeb9460ce438181316f23484298bb76a2b7ce5ba32256788cdb8d2bf73dc49784b6b147d135ff009c4f3c1a0aabe334b8156f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
623b30eacb5388e913afdd6fe87fa921

SHA1
ad7711a32ba7fa833632f59b2cd2ffcd1ddf3956

SHA256
dd8aa26ed52ee75ea2827355869f4e527f73dddfe4ddf33fab1a0187c096913e

SHA512
fa89bfe051ae00209c8b16aee3ae5c46cfa46be5b69d50ca83a30e04275c3accfa07c7b29bd35882036500be165a284a623618c20df22ce3861f3dbbfc7bb391

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/512-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-194-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/512-187-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/716-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/716-186-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/716-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/716-188-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/716-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/716-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads