Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-05-2024 16:24
Static task
static1
Behavioral task
behavioral1
Sample
138a1335180409c666db663d40b5c132_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
138a1335180409c666db663d40b5c132_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
138a1335180409c666db663d40b5c132_JaffaCakes118.exe
-
Size
40KB
-
MD5
138a1335180409c666db663d40b5c132
-
SHA1
4bd93903e0e2636e7ba087e1d84a078c87187db5
-
SHA256
791bf93cfa3042bb68c2fb39239ec170db06f40af15a1c1adafe6720c3d3b730
-
SHA512
92bcded5e793374efadfc2d1e2ed65aec9b8f6a7b294f2910364c6542c6be1f6d4df46af2febd0073a491a5d0b682c8acd957e06e14b21dac43099fae7566282
-
SSDEEP
768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHeh:aqk/Zdic/qjh8w19JDHq
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Executes dropped EXE 1 IoCs
pid Process
3420 services.exe
-
resource yara_rule
behavioral2/files/0x000c000000023bc2-4.dat upx
behavioral2/memory/3420-7-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-13-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-17-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-21-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-22-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-26-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-137-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-224-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-229-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-233-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-248-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-374-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-540-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-541-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3420-544-0x0000000000400000-0x0000000000408000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 138a1335180409c666db663d40b5c132_JaffaCakes118.exe
-
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\services.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe
File opened for modification C:\Windows\java.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe
File created C:\Windows\java.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 2764 wrote to memory of 3420 2764 138a1335180409c666db663d40b5c132_JaffaCakes118.exe 83
PID 2764 wrote to memory of 3420 2764 138a1335180409c666db663d40b5c132_JaffaCakes118.exe 83
PID 2764 wrote to memory of 3420 2764 138a1335180409c666db663d40b5c132_JaffaCakes118.exe 83
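The two persistence rows and the three file-drop rows above are the findings a responder would act on: the sample writes its payload to the Windows root (not System32), names one copy services.exe so it blends in with the real Service Control Manager, and registers both copies under HKLM\...\Run (via WOW6432Node, because the sample is 32-bit on a 64-bit host; the values still execute at logon). The following is an added example, not part of the sandbox report: it parses the report's own IoC rows and applies those checks programmatically. The SYSTEM_DIRS and CORE_SYSTEM_BINARIES allow-lists are assumptions of the example, kept deliberately short.

```python
"""Triage the Run-key and file-drop IoCs from a sandbox report.

Added example (not part of the report): parses the 'Adds Run key' and
'Drops file in Windows directory' row formats, then checks whether the
referenced executable lives outside the normal system directories and
whether its name collides with a core Windows binary that is only ever
loaded from System32.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Sample input, constructed from the report's own IoC tables.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 138a1335180409c666db663d40b5c132_JaffaCakes118.exe',
    r'File created C:\Windows\services.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe',
    r'File opened for modification C:\Windows\java.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe',
    r'File created C:\Windows\java.exe 138a1335180409c666db663d40b5c132_JaffaCakes118.exe',
]

RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+\\Run\\(?P<name>\S+)) = "(?P<value>[^"]+)" (?P<proc>\S+)$'
)
DROP_RE = re.compile(
    r'^File (?P<action>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$'
)

# Where the genuine copies of core Windows binaries live. Illustrative
# allow-lists, an assumption of this example rather than a report fact.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
CORE_SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe",
                        "csrss.exe", "winlogon.exe", "smss.exe"}


@dataclass
class Finding:
    source: str                                   # "run_key" or "file_drop"
    path: str                                     # normalised path of the executable
    process: str                                  # process that performed the action
    reasons: list = field(default_factory=list)
    techniques: set = field(default_factory=set)  # ATT&CK technique IDs


def assess_location(f: Finding) -> None:
    """Flag masquerading by file name and by drop location."""
    directory, base = ntpath.split(f.path)
    if base.lower() in CORE_SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
        f.reasons.append(f"{base} is a core Windows binary name but is loaded from {directory}, not System32")
        f.techniques.add("T1036.005")  # Masquerading: Match Legitimate Name or Location
    if directory.lower() == r"c:\windows":
        f.reasons.append(f"executable placed directly in {directory}; legitimate installers do not write there")


def classify(lines):
    """Turn report rows into Findings with reasons and ATT&CK technique IDs."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            # The report shows registry string values with escaped backslashes.
            path = m["value"].replace("\\\\", "\\")
            f = Finding("run_key", path, m["proc"])
            hive = "HKLM" if m["key"].startswith(r"\REGISTRY\MACHINE") else "HKCU"
            f.reasons.append(f"{hive} Run value '{m['name']}' -> {path} (autostart at logon)")
            if "\\WOW6432Node\\" in m["key"]:
                f.reasons.append("written via WOW6432Node: 32-bit writer on 64-bit Windows; the value still runs at logon")
            f.techniques.add("T1547.001")  # Boot or Logon Autostart: Registry Run Keys
            assess_location(f)
            findings.append(f)
            continue
        m = DROP_RE.match(line)
        if m:
            f = Finding("file_drop", m["path"], m["proc"])
            f.reasons.append(f"{m['action']}: {m['path']} by {m['proc']}")
            assess_location(f)
            findings.append(f)
    return findings


def techniques_by_path(findings):
    """Union of ATT&CK techniques per executable path, for a hunt summary."""
    out = {}
    for f in findings:
        out.setdefault(f.path, set()).update(f.techniques)
    return out


if __name__ == "__main__":
    for f in classify(REPORT_LINES):
        print(f"[{f.source}] {f.path}  by {f.process}")
        for r in f.reasons:
            print("   -", r)
        print("   ATT&CK:", ", ".join(sorted(f.techniques)) or "-")
```

On a live host the same two checks translate directly into a hunt: enumerate both the native and the WOW6432Node Run keys, resolve each value to a path, and alert on any value whose file name matches a System32 binary but whose directory does not.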
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\138a1335180409c666db663d40b5c132_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\138a1335180409c666db663d40b5c132_JaffaCakes118.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 2764
   -
   2. C:\Windows\services.exe (child of PID 2764)
      "C:\Windows\services.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 3420
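The WriteProcessMemory rows and the process tree should be read together. All three writes go from PID 2764 into PID 3420, the services.exe it has just spawned; a parent writing into a freshly created child is what process creation itself looks like (the creator populates the new process's parameters before its first thread runs), so on its own that signature is weak evidence, and the verdict here rests on the dropped EXE and the Run keys. The following is an added example, not part of the report, that makes this distinction explicit by joining the two tables. The process tree and the three rows are taken from the report; the row for PID 4100 is hypothetical, added only to exercise the injection branch.

```python
"""Separate parent->child start-up writes from cross-process injection.

Added example (not from the report): the 'Suspicious use of WriteProcessMemory'
table records only writer PID and target PID. Joined with the process tree,
each write is either into a process the writer itself created (the normal
CreateProcess set-up pattern, weak evidence on its own) or into a process the
writer did not create (classic injection).
"""
import re

# Constructed from the report's process tree: pid -> (image path, parent pid).
PROCESS_TREE = {
    2764: (r"C:\Users\Admin\AppData\Local\Temp\138a1335180409c666db663d40b5c132_JaffaCakes118.exe", None),
    3420: (r"C:\Windows\services.exe", 2764),
}

# The three rows of the report's WriteProcessMemory table.
WPM_ROWS = [
    "PID 2764 wrote to memory of 3420 2764 138a1335180409c666db663d40b5c132_JaffaCakes118.exe 83",
] * 3

# Hypothetical row, NOT in the report: the dropped services.exe writing into a
# PID (4100) it did not spawn. Included only to show the injection branch.
HYPOTHETICAL_INJECTION_ROW = "PID 3420 wrote to memory of 4100 3420 services.exe 91"

# Columns: description, pid, Process, procid_target. The trailing number is the
# report's internal target index, not a PID, so it is matched but ignored.
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) \d+ (?P<image>\S+) \d+$"
)


def classify_writes(rows, tree):
    """Return {(writer, target): {"count", "verdict", "target_image"}}.

    verdict is "child_startup" when the target's parent is the writer,
    otherwise "cross_process" (the writer did not create the target).
    """
    out = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target = int(m["writer"]), int(m["target"])
        target_image, parent = tree.get(target, ("<unknown>", None))
        verdict = "child_startup" if parent == writer else "cross_process"
        entry = out.setdefault((writer, target),
                               {"count": 0, "verdict": verdict, "target_image": target_image})
        entry["count"] += 1
    return out


def needs_corroboration(summary):
    """True when every write is a parent->child start-up write, i.e. this
    signature alone does not establish injection and the verdict has to come
    from the other behaviours (dropped EXE, Run keys)."""
    return all(e["verdict"] == "child_startup" for e in summary.values())


if __name__ == "__main__":
    for rows in (WPM_ROWS, WPM_ROWS + [HYPOTHETICAL_INJECTION_ROW]):
        summary = classify_writes(rows, PROCESS_TREE)
        for (w, t), e in summary.items():
            print(f"{w} -> {t} ({e['target_image']}): {e['count']} write(s), {e['verdict']}")
        print("needs corroboration:", needs_corroboration(summary))
        print()
```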
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
175KB
MD5
60ed6f81026159886bf2b18132cd9b11
SHA1
5e44aa933c342be4597a891026d48d0881b544ba
SHA256
2d8356b680764e1c1f85d8676189ce694e01486edec80bdd7ded6e81d9b7c64b
SHA512
ced6b8f72692103c1dd2b817143ba586bde1f7dee425222032f10a7f88b008e27327dad6135e9cea7cf1efe6a091d4988cff1bf8f5fd8ae996a7f5963c7010d0
-
Filesize
175KB
MD5
219fd481b1aa2646b200cd00d527da69
SHA1
fcc926f93686774bd4eab32a06499ecdd360a392
SHA256
97f867fc39a1f42de53b83ad2b703487ed7c5541b1551f2196de293b2ab0b0d7
SHA512
8327b20c13854f9d05648214fb31361ac64eab00d52eb85865303cf7a0ec5f40c223084b204a6ae82a86102ebce5dd5799eb59184dd34d1e720fc5925c494d1c
-
Filesize
163KB
MD5
4a3726ad5a1150ffe1f48973cff94738
SHA1
503ffa562c835630cf15e524824fb21068284830
SHA256
e2f88e2ac226ba38f03e98ce83f994fd5d3f752c2f590ba275dfe4bae207b23d
SHA512
cb48feaff3a7c756ee6b314f19bcd50ba4bea9d9a554ccbf26ce98f124dfe42c253d7f92a983df5f21b9e175ba7dc1cfaa6deef61061a36fda5d03a7c8079044
-
Filesize
304B
MD5
6b54f5f065c6b30df33cab58ffb07dc0
SHA1
ffd007ab5083d69cf84ea25fa88dcadf6831ef30
SHA256
8a051a90af376c0d7688fdda4ba987ccffd26b75551e0558cec0cfe029a758a4
SHA512
949cb3e10170c744a8e465fc0031f6f4f7f9098848cfd4b73192cda67265a7799e35efa8bd3db5c3a162941dca724dabd983e8d1ad8b058a55dfaace5659e81c
-
Filesize
1KB
MD5
211da0345fa466aa8dbde830c83c19f8
SHA1
779ece4d54a099274b2814a9780000ba49af1b81
SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
-
Filesize
103KB
MD5
5f8897c2dfdfaf90c34d0b7c941b98f3
SHA1
125bad20e33a039c5e49be9fc7ea5dd4bdedc907
SHA256
d9201ddf71b3f9baf36afdc171a90853e1a3dd8c00e063725ebb60284a8928f9
SHA512
e6fbecf60b7e3b1eb9d63ec3eb09008a5dd74f2fb041761138036bd4959fb2cda018537e60f3e6eaaa11be531f385ddfb6662601a093d3cdbe666b47351d424d
-
Filesize
158KB
MD5
5e8f7fd3808d7fc13eab68e90c70ded5
SHA1
981ffebf984c7d8cf85259e574cfcd9363dd283e
SHA256
17c16e966961cbe1bc5a178e6eab4be0d8d0656f9e01cf3245c94871d0f617cb
SHA512
963ae089c88bad1454d0054f24e8917f8757fb00635da7539a3a1e36ecf9b928117e293a12aa95d863d61207e91d918648908ef2fe5254c8bb54288cfd7582ff
-
Filesize
315B
MD5
14b82aec966e8e370a28053db081f4e9
SHA1
a0f30ebbdb4c69947d3bd41fa63ec4929dddd649
SHA256
202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf
SHA512
ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7
-
Filesize
1KB
MD5
35a826c9d92a048812533924ecc2d036
SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd
-
Filesize
97KB
MD5
9551e043e5b31b9972bb77cce476e371
SHA1
a54843ccb57b185c147c7389c80c6bff0f4133d2
SHA256
8d141b9b2fdc536894e3eb05bc5b3028535df96a8e140d57fcd70dd93051da19
SHA512
783405e4a3c7dac48f27f22f4f3ac8249fa771fd0ff4e409bc32111e21c016b041bff57bd151e13a580576fcd2439eb7a5ac6ea9b3ca657eca6080590bd57893
-
Filesize
120KB
MD5
7d81b0048d0f5d24b7236a85d1af6eb2
SHA1
3c6ce8798599b3320d8447bbd4692a9026a2bc07
SHA256
2ddf19640260698723d2679aae7ba1e4101c42a72eed2f066f787cb9d1beedd0
SHA512
097da391de9e74060a39be6d25257db0ac6cd49deade66654c847e54f73cdaabfaddbd9a4f7f2d72f6934ceca288fdb3dc146dae08a57c0459908a5b29116e0f
-
Filesize
25B
MD5
8ba61a16b71609a08bfa35bc213fce49
SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize
143KB
MD5
41c9fc52486d4ba3f3098e505dc6c92b
SHA1
aedf890d30ec3a70c61846d1f9da6ac93c92fb49
SHA256
10383b44d4554274d8894e3bae4a7259ec664265bc9c69cfc72500edca54e4ed
SHA512
0c00f9319ba66449c3065711e07ae176ec4bfbb6374b3c4f77c79ac494295cdd1dfc2f43c3da7d7013f52c7b4621bf4329c1a29f803c54e79cfd88c66dd29ec7
-
Filesize
40KB
MD5
5914521b5612157aa78f42412780698f
SHA1
608ce44202258354520e6ab41435b1bae9f3f2bd
SHA256
7720cfe1787d2b6c4161c50898ecf7bf1b029417baf71f1fc5bf9446c8477a4f
SHA512
11fe7282f0613a22c425ee230a1118beb2a555c2b48864bc7b7335906f7eeff54985774a8deb89a44b1cd0eeb6aa8ebffd18b86bd70f549960c30909cc4edf75
-
Filesize
1KB
MD5
a3946f8beadadb6650dcfdd6b84367db
SHA1
3c1a92e543b125a7f9af0082c18c3421fd996c37
SHA256
865bdab10316c7afe60f1841ea971f9a1d2c84ec9db6836cb5e07da5c9d53af2
SHA512
5d12a8f095fd58a56a73b2e51ae2db0bad374a290a4df099a7385569574524dc31fc8dba0a91a9ecd11271da96aa7382dc4a63b55ce4e975039e70180936ca65
-
Filesize
1KB
MD5
a039058c27315c903a8ef51ef7154069
SHA1
9f8fb24f1889b180c152cef0e50551fdbe1decfd
SHA256
1cd7c4e37e4d7c9876aac03d67809abe6fa9a42b8222d8c9d8c660d47273bfbe
SHA512
25e813c9d5a4619f6ab84a6707b2076312e78ed19324fcf44d920bc1e5335bdce16384d3e6b764c1f2480d7d2e5a8d8c8e46068a38f6644688f5021b5f0300eb
-
Filesize
1KB
MD5
b620c83508a8ce92d429d6fd5f9621ac
SHA1
b01d4ac940d4521b0b290c39b37f48b32bc8c6a1
SHA256
6f6aec70ea0ae15e9c4b450b67e9ee721d0a3d85382a5bc8c6c5fe4fea10f308
SHA512
1b8fbe0442d07183b9bb454ca221b45a4d4a80619a668793d5c698f36a08644f278a73e06955476cac832b692fee707c0f0bfd7a871b2ef8bd46d009f3d8ef4b
-
Filesize
1KB
MD5
286fdfdae6a46661f6eb5b70657609fb
SHA1
ce17c13ee4ced644b19fdeb2cf965460abb75a2f
SHA256
5b0661cf9d0026647b007ac2773459291bba275f7b777015e2ac010524d6c09b
SHA512
a0cf6bb3344611d16bd4885b1aecb3b28c97a97312ce2d19c3b0ed54ee7f0a25ac6de425f1ae28aa7652f0b084ea1ece8237bf41535536fd36054f3dbd0f52b7
-
Filesize
1KB
MD5
2c0c5c59a43338c3e8ebf5647ca18c62
SHA1
30794ce0cb0522492571ac89bc5b5fd1ed8bb697
SHA256
ecd9fa827cd2fc8dd1132cef631d064f991b5440abad6fe0b6b1b57f14d43d05
SHA512
117e2defe442836ec3245faec010cd77fd32273b0be16ade106f9dd7f698cdfb38aeb1d3bf6b6f67a29ffb80f66cf4798059e9589d833a2e9de28d8990773fb6
-
Filesize
8KB
MD5
b0fe74719b1b647e2056641931907f4a
SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2