bf193a5fb3e9e24e87055ec9ad5909b5632b7b5f0fca26b50e31733587753fdd

General

Target

0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe
Size

40KB
MD5

0994da2852f33678c32cd8fbb9a1c849
SHA1

036b2ee32c57b0d27df9e5f99d53a2f9cd1b96df
SHA256

bf193a5fb3e9e24e87055ec9ad5909b5632b7b5f0fca26b50e31733587753fdd
SHA512

79f185f738ab4c6fadd04caada06449061b0d39e679e411e502e81562455de84f33a2b5510691f0b17fd11f03deb0fb33c040ddc403cfd3cb2390337a7bcb942
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHI6TP:aqk/Zdic/qjh8w19JDHI6TP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00090000000146f4-7.dat	upx
behavioral1/memory/2668-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-16-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-20-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2668-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe
File created	C:\Windows\java.exe	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2668	1712	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2668	1712	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2668	1712	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2668	1712	0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0994da2852f33678c32cd8fbb9a1c849_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hwkwpsnbnp.log

Filesize
1KB

MD5
887118eab8312c3b0776a246b938b438

SHA1
9a9618c5e584a7e4378313267329e69885a3c750

SHA256
9d9068e68f1903930631b7e993dbab4d2b0d540b4970dbd0f964477ff08fea99

SHA512
52260f45f99c876fb5d84b80d8808e90b885444c4cd424d292c895f9791404b76e2c4c9536a31b5d65d1efbf627d4a909709744bb60a9f2391c4a82c7df51a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A0.tmp

Filesize
40KB

MD5
1af7370f0bfe13addfe84f57a832e5fe

SHA1
a2209577cb8548780651716e82ade4ffede4b6cb

SHA256
4a59bfb9c5d324fcfa00e536ed9aa945f324452fbfeb531698032e03c699b20a

SHA512
197944bb4d7296a1156af790658a33a3673e5f1247444e9408f3495eae88a27ce15b5725a711dd1ff5a020b540055a2e00a9f55c5efded1b6c4b716676c40909

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4739a1244694065828501c99041697e4

SHA1
cc6d8e502970c5b0944c9d74013613ebfd947117

SHA256
0fa2c380f7d061e7a978a947f8535326506b9fb4e37c5241ffa13331cc2ce04c

SHA512
b2bc364aec2da8c4788270e2b3d74767341bcca76da3d1e0be8cf4429d5c2a08ab251dd088a5c71cff9038df8cc064826a0f25db1a344bc50ca2c159901be0d7

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1712-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/1712-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1712-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2668-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads