18b85f016af2ff35fa210d54d5d5897278661c42bcbc0a77c54f138f19d5d811

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6042734645dd993eb463da9b1e938843_JaffaCakes118.exe
Size

29KB
MD5

6042734645dd993eb463da9b1e938843
SHA1

3f0d4d9a851e1645a3786bc59a23a4b1f50196bb
SHA256

18b85f016af2ff35fa210d54d5d5897278661c42bcbc0a77c54f138f19d5d811
SHA512

bb150e7a7cdc114f6bffd739cfcfe80c9396dba3df188dd72351695bfba7514d2e2f2a759d8fb260b64a00ec7a4d373e23c3212676d9517208a491f5f19dc9be
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Z:AEwVs+0jNDY1qi/qB

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
856	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1160-1-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x0008000000023410-4.dat	upx
behavioral2/memory/856-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1160-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/856-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1160-49-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x000a000000023420-63.dat	upx
behavioral2/memory/1160-155-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/856-156-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1160-286-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/856-287-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1160-288-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/856-289-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/856-294-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1160-293-0x0000000000500000-0x0000000000510200-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe
File created	C:\Windows\java.exe	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 856	1160	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe	82
PID 1160 wrote to memory of 856	1160	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe	82
PID 1160 wrote to memory of 856	1160	6042734645dd993eb463da9b1e938843_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\6042734645dd993eb463da9b1e938843_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6042734645dd993eb463da9b1e938843_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6SQF6WJH\W53FMBZ3.htm

Filesize
175KB

MD5
91ba11e1d2b1eeaa125ac16ab303ee26

SHA1
bd84b001e32ae67335b7d8352cd6d62dfc784351

SHA256
7a4ba4fdfa26180d2a80e95933a458f93985711c0ffc0ea518bc99e2ed781771

SHA512
fd62ebb24d0bb3d580b39faeb03aa419341d597dd3fc3eceec7dcd05750b0d5156ab7016318e617836fad05980a53c5f8d2527c8210346ef76560e6d08bebf83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ED9UQUDY\9W823IW1.htm

Filesize
175KB

MD5
0c3d507b65c181e0c686b0e06e68ef56

SHA1
07f381a0a0c6ddede3570d2b17bd62bd3fb55eb9

SHA256
56c85547557c505be2640942c48829ac877dbef88cf4c13d15316c9c9eca3f5f

SHA512
09acfc75392e43674eb4276baa236aba5db0fd0bf0eb015c3ae0256a541d0d25fd1a28a4e9688af662e04ec633d8a93ffc766c7e78f6b4c8084222450bb7c7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search[10].htm

Filesize
164KB

MD5
3a7e1dd3a644f610d8e4b98b880cafdf

SHA1
3483061700cab9b94db107cdaa18568825da3443

SHA256
8825ac294171f3e0afefcdb61c3a88d628cc5d65db676e24e59a8271c6d55561

SHA512
5c6834678667bd9e87668bb87ad0ab8d46ac0cc48e4867b991d72c39a2cd0516c5eb04cc31e40064972d2475bd47e281e6ff19f4ce3761a279dd50f0d9efff10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search[1].htm

Filesize
112KB

MD5
11123c54861f4e73b7899c399f4d6a9b

SHA1
fbea0c6a10df4c96bb792cde1416597f8a48149a

SHA256
b578259a0ed042072965f093633342d7c706380295fff2d02fe50f07c2162205

SHA512
99a25590050d8fce4ff96727f0ebb3950c8974d455451cd6b36bf1d656952a9443c91fc17fd6b5f4611ab567cb41306eb2e052c800ca181b79be4ce0b1b6b89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD82D.tmp

Filesize
29KB

MD5
c8136cebc88379ce20238571bfa6f78d

SHA1
50a97cf796ffb117b50e8a2acc40ff966bd0aca5

SHA256
63a89933f73a23faf882bd6f760cf9149a322d2625484a0fbd52864a22d6f7f2

SHA512
fe7701a4ab0439c466d046e57663c9ce6f220d9a58e32f322d7265b9d23d61833cf07036b9142cc5861a4890743365d3889d842a4ed8e5b9577bff30ba3f86b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
e9fcb207be7fac86f56fb7ad57ce00c2

SHA1
866ed0c55c3a13bb7e2d04f5338fa64f4b8fae8f

SHA256
88979164646d9177ba227eba6a8ba3d485cd2a5efb9ace0f74f71005ad543bca

SHA512
048d6e5ceaef9d2401e25b1d26a9be626b540b26322111ce5033a364771a5fe6e1c5ac2d5c3995065f153a842b4b42153136bccdc7f9e57040b0aa9eda184448

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
8dfd832f56c47ef536ebcc5c76c0b935

SHA1
64fe2dbd9f1ba8bd6416c5569e687ed00c40b62f

SHA256
0ad26188d98dccab9c3fa5fff642fbd7729da4ed14bb87d35568af927b66e9d6

SHA512
59d78a8654547fcb618f49e413853494b00e3b958bf0b8d22209187b81ec13f2122ac415241f7618085eaa2b70a01b7033e5c31d261fc1c3f422532b42db4aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
1bee07f245c11b93b181e656cd8d5bb1

SHA1
2eec26c91c7820e142bfd2b9427edd0457a3263f

SHA256
b3f910994588485a5854ecfa9001cb87efce92e8b52fe9ab754de1966ce44bf7

SHA512
6e226d27cf7a548142b0ebbc6293cc5b41dd6ec8b6af310cceab6544d1346b2bfa28c4e4ea0618b9c5b7350e4c352703bfd684667b8c1bec7a1223d4047c2ede

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/856-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-287-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-294-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/856-289-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1160-1-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-288-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-286-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-293-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-155-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1160-49-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads