Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 19:31
Behavioral task behavioral1
- Sample: 60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
(The IoC paths below are all prefixed behavioral2/, so this page shows the win10v2004 run.)
General
- Target: 60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe
- Size: 29KB
- MD5: 60994e7e20bc54fb809e1d2f8a1cdd87
- SHA1: f0df32cedf39c14d459ac0385e03edefe044bbdb
- SHA256: d543f5328b39a1fd411c8bf5a3acba300e93acc6f7c6ec42ce46c2cc857c9210
- SHA512: 1dd3406c04c89cf327705fc981be87928c24192268c69384803198495479a10932d7b7b01f953ae6be53c13d5afb6778d638d17a3ac5cbf2fbe0504599c04a0f
- SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/A:AEwVs+0jNDY1qi/q4
Malware Config
Signatures
- Detected microsoft outlook phishing page (no supporting IoC row is shown on this page; the Network section below is empty, so treat this signature as unconfirmed here)
Executes dropped EXE (1 IoC)
- pid 4008, process services.exe
YARA rule matches (rule: upx)
- behavioral2/memory/3420-0-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/files/0x000c000000023ba9-4.dat
- behavioral2/memory/4008-6-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-13-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-14-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4008-19-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4008-24-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-25-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-26-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-30-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-31-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/files/0x0010000000023bb2-41.dat
- behavioral2/memory/3420-192-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-193-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-194-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-195-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4008-200-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-204-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-205-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-300-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-301-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-335-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-336-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4008-341-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/4008-343-0x0000000000400000-0x0000000000408000-memory.dmp
- behavioral2/memory/3420-347-0x0000000000500000-0x0000000000510200-memory.dmp
- behavioral2/memory/4008-348-0x0000000000400000-0x0000000000408000-memory.dmp
The upx rule fires on two dropped files and on the mapped image of the child (PID 4008, 0x400000-0x408000) as well as a region of the parent (PID 3420), so the dropped binaries are UPX-packed; unpack them before attempting static analysis.
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (written by 60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (written by services.exe)
Both values sit under the WOW6432Node view because the writer is a 32-bit process redirected by 64-bit Windows; when hunting on a host, query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, not only the native Run key. C:\Windows\services.exe is not the Service Control Manager, which lives in C:\Windows\System32; the file name and the value name "Services" are chosen to blend in, and the dropped copy persists itself.
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\java.exe (60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe)
- File created C:\Windows\services.exe (60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe)
- File opened for modification C:\Windows\java.exe (60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3420 (60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe) wrote to memory of PID 4008, procid_target 84; the same row is recorded three times.
On its own this is weak evidence, since sandboxes commonly flag a parent writing into a child it has just created. It matters here because the target is the dropped C:\Windows\services.exe, whose mapped image at 0x400000-0x408000 is the region the upx rule matches, so read it as part of the drop-and-execute chain rather than as proof of injection.
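The rows above are printed by the sandbox as flattened text. As an added example (not code from the sandbox or from any analysis of this sample), the following Python parses the two Run-key rows in that flattened form, applies the checks an analyst makes before acting on a persistence IoC (image dropped into the Windows root, a System32 name at the wrong path, a binary persisting itself, WOW64 registry redirection), and verifies a file in hand against the hashes listed under General. The row text and hashes are copied from this report; the function names and the SYSTEM32_BINARIES list are the example's own assumptions.

```python
"""Structure the flattened IoC rows of this sandbox report and run an analyst's
checks over them.  Added example: the row text and hashes come from the report,
the helper names and the SYSTEM32_BINARIES list are this example's own."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The two rows under "Adds Run key to start application", exactly as the
# sandbox prints them: Set value (type) key\name = "data" process
RUN_KEY_ROWS = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" '
    r'60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe'
)

# Digests of the analysed sample from the General section of the report.
REPORTED_HASHES = {
    "md5": "60994e7e20bc54fb809e1d2f8a1cdd87",
    "sha1": "f0df32cedf39c14d459ac0385e03edefe044bbdb",
    "sha256": "d543f5328b39a1fd411c8bf5a3acba300e93acc6f7c6ec42ce46c2cc857c9210",
}

# Binaries whose only legitimate home is %SystemRoot%\System32 (example's own list).
SYSTEM32_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

# key = everything up to the last backslash, name = the value name after it.
ROW_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+)'
)


@dataclass(frozen=True)
class RunValue:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. JavaVM
    image: str    # program launched at logon, with the sandbox's "\\" escaping undone
    process: str  # process that wrote the value


def parse_run_key_rows(text: str) -> list[RunValue]:
    return [
        RunValue(m["key"], m["name"], m["data"].replace("\\\\", "\\"), m["process"])
        for m in ROW_RE.finditer(text)
    ]


def classify_run_value(rv: RunValue) -> list[str]:
    """Reasons an autostart entry deserves attention; an empty list means nothing stood out."""
    path = PureWindowsPath(rv.image)
    parent = str(path.parent).lower()
    reasons = []
    if parent == r"c:\windows":
        reasons.append("image placed directly in the Windows root rather than System32")
    if path.name.lower() in SYSTEM32_BINARIES and parent != r"c:\windows\system32":
        reasons.append(f"{path.name} masquerades as the System32 binary of the same name")
    if rv.process.lower() == path.name.lower():
        reasons.append("written by the dropped binary itself (self-persistence)")
    if "\\wow6432node\\" in rv.key.lower():
        reasons.append("32-bit writer redirected to WOW6432Node; hunt there, not only in the native Run key")
    return reasons


def verify_hashes(data: bytes, expected: dict[str, str]) -> dict[str, bool]:
    """True per algorithm when data matches the reported digest; any False means
    the file in hand is not the sample this report describes."""
    return {alg: hashlib.new(alg, data).hexdigest() == digest.lower() for alg, digest in expected.items()}


def triage() -> dict[str, list[str]]:
    """Findings keyed by '<value name> -> <image>' for the rows embedded above."""
    return {f"{rv.name} -> {rv.image}": classify_run_value(rv) for rv in parse_run_key_rows(RUN_KEY_ROWS)}


if __name__ == "__main__":
    for entry, reasons in triage().items():
        print(entry)
        for reason in reasons:
            print("  -", reason)
```

The parser relies on the sandbox's fixed row shape (type in parentheses, quoted data, writing process last); a row from a different sandbox would need its own pattern. The Services entry collects every check, the JavaVM entry only the location and redirection ones, which is the ordering an analyst would follow when deciding what to pull from the host first.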
Processes
- C:\Users\Admin\AppData\Local\Temp\60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe (PID 3420, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\60994e7e20bc54fb809e1d2f8a1cdd87_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (PID 4008, depth 2, child of 3420)
    command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
None of these entries carries a filename on this page, so they cannot be tied to C:\Windows\java.exe or C:\Windows\services.exe by name; match them to files recovered from a host by hash, not by size.
- Filesize 175KB
  MD5: 23cf11edf0b77503e9dc0c97eec33a17
  SHA1: 92b423c21984a256c75de00b012a1c3839479b83
  SHA256: 803a87dfe73b79f6e054248823295f82574df6e13a3f6d9e9ef03e5882b276e8
  SHA512: c9cd1b156eb1574dddbb6860764288d57e9717b33c2a0c4b43d783c990fc24122b72dfcd03b1870981d977e8b7ff2bfc8812f89f483b7cb9cb8be4504b6fc5aa
- Filesize 157KB
  MD5: 621c7b2805c32f6c790b5ca876a93967
  SHA1: f9a0af8a6729c17fabe3af337edf6df69d21de7e
  SHA256: 7a3bc144e733eb37fe7a2880c0dbbc0bf9568347de58041a3e2f96fd616489f8
  SHA512: 865cdcb82f6716e347e33d8bf89aab65aa26cf276cd3b3add45b092536f6def1f8dc8f2ba42912b3eca1241c4f444efd91b6582f35f3980404ca05b2969bce3b
- Filesize 1KB
  MD5: 211da0345fa466aa8dbde830c83c19f8
  SHA1: 779ece4d54a099274b2814a9780000ba49af1b81
  SHA256: aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
  SHA512: 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
- Filesize 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize 109KB
  MD5: 5b6fcbc58d83cdda5d18be4e0b63d1c5
  SHA1: 64c26ddb6baa855581ee2a118a318567dc5d255e
  SHA256: ad9a8f2b9334e8177f6930557d6837a0ce7464140e9bad211de0579e10116d9d
  SHA512: efcb8802aa1b5ec7c07f03922e7b852b49353f5c25b53a2ff81af11e864400de510f142427d4db6b2912bb588c89fcc77a9be390836d67a3c22654e245c84a1d
- Filesize 29KB
  MD5: 80e65c45bbfb5bc29c9cf2f7f5b4d6f8
  SHA1: 078c01f0d38285ee67095cf3e55cdf8a586209c5
  SHA256: 9f6abb0e825620a2d36ee180059e97dce823557c59081366bfe9429e551d25fb
  SHA512: c7af7e4498f2f90e0821b2109c0a1fe03953e3121486c614c63ca542f9c97c453f0ebc929a19f117d29da37f7e658353e020e113b5b45dd94bc025aa15025dc4
- Filesize 320B
  MD5: 7d15017ba83e595f2da341785d959aa9
  SHA1: d795cc50c916742a4241e2cad4b6225bd0192130
  SHA256: d958964c7b2bac27607bc919a7005cf93660afe82731a27805131c6bf60da2e3
  SHA512: fcf0fa99e4517a965eaad284b7869bb96888c47f7dc502ce3366f228d3f7641c17031b113f59c2047862c466cafd25755e18e2bc91ea84a4a4a47542c77cbd24
- Filesize 320B
  MD5: ecade9895ed038cce62384d8726e7dbc
  SHA1: 8a6762fc076f92b03dfd73ab79cc2535c2a861c8
  SHA256: 32c401e41dd507d42952a8c6c0d4121037de97888dcc58555c8db59560daa789
  SHA512: e42bbedeefc2fd91aa438497d951be573c93e7e2aed8e3184c25bab68464acbec57fadbd2b7f922deb221b8663a321a68552d07bd8dcd3b5466ad294ec09b9cf
- Filesize 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2