b81326b4036b634fc4fa871d25cfb11ac9c80b010d521c6bf4e1c0cff0468fe2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 13:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe
Size

40KB
MD5

0e9a8e8bfb73406e5cbc3e18520bd6af
SHA1

f6888782e9ef509563e54292b9b50c46c934b263
SHA256

b81326b4036b634fc4fa871d25cfb11ac9c80b010d521c6bf4e1c0cff0468fe2
SHA512

359898dbd4acfe91a81019f264d5b8f33a14aabaf4ee67fda1fb14580e618eb332fe97d9e426bca933beb4028a3f1abe1af36e5615df55cc0755fbb1beea4ed8
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHpqpu:aqk/Zdic/qjh8w19JDH9

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1552	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b90-4.dat	upx
behavioral2/memory/1552-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-170-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-204-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-207-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-303-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-403-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1552-485-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe
File created	C:\Windows\services.exe	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1552	1608	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe	84
PID 1608 wrote to memory of 1552	1608	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe	84
PID 1608 wrote to memory of 1552	1608	0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e9a8e8bfb73406e5cbc3e18520bd6af_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\5EBN3FAB.htm

Filesize
175KB

MD5
ae5a019cde88822d3f33d34b01739a7e

SHA1
b9e44f2444b316db85d378c51d0e735e8df2f8c7

SHA256
2118e993a3afa4f94183eec7bb99ff7815cac71bb51105854b929121ea8f03a1

SHA512
1dd0c5fca184b915b8a1567e30cfd8159184d49b4e5cbf4317a5df46e29a708d1596779cacfd8e907b2ca82156f0528799ebc901a0b7282e342d88a19f6693bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5ACXXH1H\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\searchVR1DHJ14.htm

Filesize
126KB

MD5
cb065172cc8e05c8fe9d0a48781fcef5

SHA1
50699a6524299f722349845fb93e3e101c5d7c32

SHA256
56163fe0e3557c5767aad82c46e395334816e823cb8955741aa138ff4a242b5c

SHA512
7cf7d8cef5d526ebca04414b0fcee4609474e386dd53527e977ab4c87e091d1386434d0bcd1ad902e2f0848ed8f0fe5a118bd3c7261bef92bdfacdfab57d18b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[2].htm

Filesize
163KB

MD5
f1ec3e77c685d29e4551893d4a1e6027

SHA1
d85a35e7e0d1ece9c22efd551981ad2a4bc5138e

SHA256
988b46f713ce694f0f4b346d78ee1c420685aab89bd74669e8bcbd2fd5ac2e03

SHA512
ae1e6c3f94aee037d3b822314adf86fd15f6903372961cea71cf1481354687140f0f61b19bde0ff883dbba87942c22bbd76e13cb0adbd333816ac99653f5d120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[5].htm

Filesize
133KB

MD5
2a5cb579190217bb5a37743f8e836820

SHA1
d39617627b5023ed6397d6eeb1a4e64591a88ec7

SHA256
60a53a54fcbce898787c97847bfee4f61502ebbc83c063e30f719a4df2d4de52

SHA512
fcb47ee111194f024185655a79d7e9638a86270894325d3adac3005e1cd4eb17b5ae4b1b5de52cc3fc737e6d153d10599986977abc6e3b27662d69bd5b20ccf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[6].htm

Filesize
110KB

MD5
17e24935a9460cec70a82d8dc0335e0e

SHA1
48b70d981c081539f7b5720f5ba035cd3c07463a

SHA256
0888b16ce4228276636a0da9f51ada413697d9acc6bc4ce287f9d2ef1b0eb1b5

SHA512
f293109a8bd9e39e260615a7aea45d1e42cb02c571fd371a6d683dc34d5d37afbe342716c8a684f72ba516e6252d99a839a6b371a1e2f99eefb56364147dba42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQH3BVSD\search[9].htm

Filesize
114KB

MD5
52e61ca28506f212452ad1188165463c

SHA1
d793a3289f82e0eb331194ca72982807a3c361d2

SHA256
94f7ae2edb26181d3c07d1388891dd1f74d62d1a85092d623579bca253c6b3b8

SHA512
930d281765e07916cb188ef61426bf3a264e93bfac06ef1a3b25f12916ecd5a600528475f9387e257b4515483c7e2e35dae551ba16d302a826f95e10ab876bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\search[5].htm

Filesize
102KB

MD5
44d400187773a6708cd7e40e43bb23b4

SHA1
c0977164f83ced7d15195b0393ad6d0059225154

SHA256
1799c7637bc8c77cb2c7851534b26688b6a1856d18ba12a4fb5d94ce969ed912

SHA512
1f2e23945b98f9b88ef760da9a8451f8438cd12c43873924076ed0269019e66dc05a3c0aa886fc817c8a2e0b11827866a7e5e546d64595c3211b27fa4013472d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\search[7].htm

Filesize
121KB

MD5
ecee9c327fb0d4920bfadae9eb9d2dc8

SHA1
72510cecf9e2d321979817fa6aee209a76aadc26

SHA256
559233c104b099fe8e36971e3a5ed8eba07cfea10de77656db74ca37280399de

SHA512
ae02635e02a953919d845572c4973f7016c9c0fa1e3285c4e99a5fe3fc3c2b28fb5709ffde7f353aca342cf32b2a8eeca6fe29693285db84595ec1a32ce85f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA3E.tmp

Filesize
40KB

MD5
3dbeadc2b91b3b15f805df597c836d30

SHA1
9a9976bfd117dfa648310a50388f38973b78d93b

SHA256
ae187b3b9ff50703d2f0664196481643490767d4a888f379515186af06856d29

SHA512
60744a79320e7433ab77cfad855b4e778d85c15d4bbea64511639156a2edb3787707fdd9da39ca914afe6d6865e7d0d33731b1c5b2135e97654a9fe76a77266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
4a6b04aca60181ad2816d7554a4e9b93

SHA1
f400cad6b096c018ed73fa75fec4476374cb1d38

SHA256
3218ef285dfb5c892896f34df2113046ef93184631a3e174f35028c8e9f4cf6c

SHA512
2750c929fc4c9bb08c67bf2fe20e9d46acdc691351353c2705a79ff2a8698e128ded74c0c0974a508cb396e28fff418bb91656278a45498b1dd251d0e16f29fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
0b526dc1ee24feb48e2ef6718debef29

SHA1
ba6b964ddc53b0af6653af5ef216c38b0747f5f5

SHA256
b92090a74dc00203fc9dbafac3b0feaa317ec1960ce88b4a08711a8a31bc5fa0

SHA512
54f18801562d65982ec65fb219b5ab89507a321f4b1b90f062d34a4c2bbf639b1d300636797f209838741d6f1179ba6b41d5e429f340f715e270bd34a5b76cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
29ed50e9b6d2e05863be3329954a6829

SHA1
4979b4892bceadb6e81dd2dc15d31fc36f3704a3

SHA256
6272c251a9eceba8db031a68591f9f7cc5c8b1e849c99b6e4bf63ad24d3d0ea9

SHA512
220a28e1d213cffa9d0e7c2eb4c81d2cdd49b1765ed18bdb3f211e42954b8565d1d01d242aec399fec1dfe88102f397ae0c719acd5932cd11808d2d11df88d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2f9e947a6eee8a7221bc14b640038865

SHA1
c2bc61245f77f3ac66fd7b73b5e418d383a3f7fa

SHA256
154deae6c719623b656fbe7b201a6755357383858b5eb6ad03c549409a572e59

SHA512
8c412c4e825ba4ecb497fd35093e8bf9695385cc5ef5255e4cc6a7e61289b72bb09c0570caca65fb65376e9836b8e9fe710e08df8ec278aa6d12a13fb3e3d3cd

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1552-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-403-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-170-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-303-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-485-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1552-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1608-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads