Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 09:07
Behavioral task: behavioral1
Sample: 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General

Target: 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Size: 29KB
MD5: 40664b52e67d7256a282d947ea85fe2d
SHA1: 3f92b30e065cfa7bd22fe663d80f727bd6fdebad
SHA256: 21797e18dd8010b1f0140b5673ffe9e97a954246a866653a82102ed0b5404d94
SHA512: 71c5a0e26c1ae74be1a7201d942c2ffcb11433375ddb470fd7035680c1556807259256c5d3f9df40363a0fc137cf528ffb28c111a859595218cd801e0119605c
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/PF:AEwVs+0jNDY1qi/ql
Malware Config
Signatures

Detected microsoft outlook phishing page

Executes dropped EXE (1 IoC)
pid   Process
3040  services.exe

Yara rule matches
resource                                                                    yara_rule
behavioral2/memory/3140-0-0x0000000000500000-0x0000000000510200-memory.dmp   upx
behavioral2/files/0x000c000000023b6e-4.dat                                  upx
behavioral2/memory/3040-6-0x0000000000400000-0x0000000000408000-memory.dmp   upx
behavioral2/memory/3140-13-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral2/memory/3040-14-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-19-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-24-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-26-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-31-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-36-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3040-38-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3140-42-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral2/memory/3040-43-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/3140-47-0x0000000000500000-0x0000000000510200-memory.dmp  upx
behavioral2/memory/3040-48-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/files/0x000f000000023b7b-61.dat                                 upx
behavioral2/memory/3140-283-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/3040-284-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3140-393-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/3040-394-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3040-398-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3140-399-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/3040-400-0x0000000000400000-0x0000000000408000-memory.dmp upx
behavioral2/memory/3140-482-0x0000000000500000-0x0000000000510200-memory.dmp upx
behavioral2/memory/3040-483-0x0000000000400000-0x0000000000408000-memory.dmp upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"          40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"    services.exe

Drops file in Windows directory (3 IoCs)
description                   ioc                      Process
File created                  C:\Windows\services.exe  40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
File opened for modification  C:\Windows\java.exe      40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
File created                  C:\Windows\java.exe      40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                                             procid_target
PID 3140 wrote to memory of 3040  3140  40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe  84
PID 3140 wrote to memory of 3040  3140  40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe  84
PID 3140 wrote to memory of 3040  3140  40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe  84
Processes

C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"
  PID: 3140
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 3040
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 164KB
MD5: 2071d1098f21d1833a7cfeb6cfc84c0e
SHA1: 70d370afdab2e295af9d282ef8e0c95d1e540c55
SHA256: 09ee49726f7e58cac4b842c0cb33dbb69ad0b56ac5da73d9c5f933753677dceb
SHA512: 4c5f6f20d02c3c49a0239c46b1ebfe25d82c39a8ba1a7e3fe1a52c80da3be3e0e61389d2a921a81e95ea98539a8486767dba95a128fd3b0aa280100a21a91cd8

Filesize: 144KB
MD5: 78eb386c9213822dcdef074884c00d78
SHA1: 11b7479ca4815bb399d5c28e7852af9d4201624a
SHA256: a0b1c7da9733d625f757742a68a1a4af2739b8f3520721813c65d5cd39bacd57
SHA512: 053f0213672aa49130a94094acd176e53df7c19d570115421db96315f90886ec1297128b9d37d94eab5c7364bd5964ed16f80f6d242f22400c44c1eddb72c454

Filesize: 175KB
MD5: 8693123e3c468fd62fbdd16ff5d65d29
SHA1: 48911d097d0ba39c005680fa9026484f915e0a22
SHA256: b4ff77b059f98ace4c9e6965ab232c3129ea3886c33f802d20cdd7fac852eb2f
SHA512: 48220b549cdb8819222b12c77597ea11320caa003602048e0089a6b37cff694c4908367f495094a227345dcb03d6db29d6c4a1221cf12e4a397c3d1dbb655422

Filesize: 112KB
MD5: 78ee9d280b0f1881bdd9c6219c17da1a
SHA1: f9872d18b52170ea372e362a47313a381502fa27
SHA256: bdc6cfa1e37a501e6ecd289601083915963870e214c036d090cda8da21d951ff
SHA512: 88bb4f4ab5f034f417b2a83d59602e24270b642abe07144453e1b80ffb6d435e98571c024706867b03aeee0eadb2f031cd659bafed51f9ebbf525611d31749ed

Filesize: 114KB
MD5: 5590d393382981b1d0b0d3c362086b2c
SHA1: 3550a193d198ef42f336d8bceccc451c7b095a02
SHA256: ef5a2b7793f7ae8c2132dcaa0f886fe42aec3341e2f872df972b42e255a57856
SHA512: 27279f8ca39fee8b00a887dd65a00b11917d5627910f4c1a067d1de95b6fdecbae754e077e96b0a86b4e335fe0e228e25295b0279350038154b60cfde579d446

Filesize: 154KB
MD5: 4538dff4e7f5b7ca93605f67b4a34612
SHA1: 68a068b6485ccfe6acf5bd30132167508e5136bc
SHA256: 4dd7d40c3155638b93d66351a660f4d85d1358e7231ccaed9a4a721240795592
SHA512: ffbb3d66c211edaad0867c1c8a66fc9181d1463c4edbb79a2fd15304de7bbd3146d847849c1728553257eea8f10cbe4b831166c099d9dfdee88d2d8484f33936

Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize: 312B
MD5: c15952329e9cd008b41f979b6c76b9a2
SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Filesize: 29KB
MD5: a6a5e57884992364f9819b978d798bee
SHA1: b0b6310b6e8678b8b6926b5619a4394c15124415
SHA256: 8a36793b175e452d0e15e73e1269a3637ea0f5e39e46bdf6e11f45944fc928ca
SHA512: 979c79a12babb68572336e57ee935f4325cd932fc19f9faffac0b4af22dc9219c255d2d86f340d4a0db41d4d23a48b75d69cb2324b2a18228d954409fa844a3d

Filesize: 320B
MD5: a6c1bcee7852413b9020aff34c686d9e
SHA1: a2288d8f1de6f1e9083c94b941a494ac22594486
SHA256: 533cc6b966bdc6b5417d7f4ddcb83a4226c360d3481ea1d0b2b014261d23d316
SHA512: 0e078a333704f2a26d095d13b237568b54abb3ebb38f63363b8cb66c16a378454b33f4a31e94781795eb78e7def5fe092ea8fed6beb70c34c4fdf22ef2cc3b89

Filesize: 320B
MD5: 5dfab162acf8f5e3772f0b0d4c7b035c
SHA1: 9da6c4bd3861cddffa7517e731e79ebfca946cdd
SHA256: 0c617b8ed047bd8582b3b13c4633b99fdceca94abb22eb9336fb94ca0b2c8902
SHA512: 492504e1f621e5688ce0b006e62adb742d2308094f4409e79503ef14fae76fa95746a16776a23dd82504a1c52991b8f1c2c4c9100e03e99662d9065124c4440b

Filesize: 320B
MD5: 716e4b239d45c3007e980e23cfcb49ff
SHA1: fed5c1bee4f683d9e883b38f3547d9d393f8b683
SHA256: 4849f0594674b15c9355588c4f847b99ef5d392849997d3b0443661f5d381b4c
SHA512: 1313ce1cbe1c82a98f86b40dc365d19e9bea601059c180520fcf3372eb457b7580d42a1e8fd3e359d5c194264b6dd51149d3fe5f55c5f2ec358b38c75a571087

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2