Malware Analysis Report

2025-01-19 00:36

Sample ID 240505-k3gvyadc3v
Target 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
SHA256 21797e18dd8010b1f0140b5673ffe9e97a954246a866653a82102ed0b5404d94
Tags
microsoft persistence phishing product:outlook upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

21797e18dd8010b1f0140b5673ffe9e97a954246a866653a82102ed0b5404d94

Threat Level: Known bad

The file 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe was found to be: Known bad.

Malicious Activity Summary

microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 09:07

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 09:07

Reported

2024-05-05 09:09

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(the row above is repeated 25 times in the report: 25 matches, no details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.213.60.59:1034 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
NL | 23.62.61.155:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
N/A | 10.128.8.216:1034 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
N/A | 172.16.1.3:1034 | | tcp
N/A | 10.53.7.27:1034 | | tcp
US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
N/A | 10.159.126.116:1034 | | tcp
US | 8.8.8.8:53 | m-ou.se | udp
US | 8.8.8.8:53 | aspmx.l.google.com | udp
IE | 74.125.193.27:25 | aspmx.l.google.com | tcp
US | 8.8.8.8:53 | acm.org | udp
US | 8.8.8.8:53 | mail.mailroute.net | udp
US | 199.89.1.120:25 | mail.mailroute.net | tcp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 8.8.8.8:53 | cs.stanford.edu | udp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 8.8.8.8:53 | mx.burtleburtle.net | udp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 65.254.254.50:25 | mx.burtleburtle.net | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 52.101.42.16:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 85.187.148.2:25 | gzip.org | tcp
US | 8.8.8.8:53 | search.yahoo.com | udp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
IE | 212.82.100.137:443 | search.yahoo.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 8.8.8.8:53 | search.lycos.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 8.8.8.8:53 | consent.google.com | udp
GB | 172.217.16.238:443 | consent.google.com | tcp
GB | 172.217.16.238:443 | consent.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp
IE | 212.82.100.137:80 | search.yahoo.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | www.altavista.com | udp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 8.8.8.8:53 | www.alumni.caltech.edu | udp
US | 8.8.8.8:53 | www.alumni.caltech.edu | udp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
N/A | 172.16.1.5:1034 | | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 171.64.64.64:25 | cs.stanford.edu | tcp
US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp
NL | 142.250.27.27:25 | alt1.aspmx.l.google.com | tcp
US | 8.8.8.8:53 | acm.org | udp
US | 104.17.79.30:25 | acm.org | tcp
US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
US | 8.8.8.8:53 | burtleburtle.net | udp
US | 65.254.227.224:25 | burtleburtle.net | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 99.83.190.102:25 | alumni.caltech.edu | tcp
US | 85.187.148.2:25 | gzip.org | tcp
N/A | 192.168.2.111:1034 | | tcp
US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp
US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp
NL | 142.250.153.27:25 | alt2.aspmx.l.google.com | tcp
US | 8.8.8.8:53 | mx.acm.org | udp
US | 8.8.8.8:53 | mail.acm.org | udp
US | 8.8.8.8:53 | smtp.acm.org | udp
US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp
US | 8.8.8.8:53 | outlook.com | udp
US | 8.8.8.8:53 | outlook-com.olc.protection.outlook.com | udp
SG | 52.101.137.1:25 | outlook-com.olc.protection.outlook.com | tcp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp
US | 65.254.254.50:25 | mx.burtleburtle.net | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp
US | 8.8.8.8:53 | mx.gzip.org | udp
US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp
US | 8.8.8.8:53 | mail.gzip.org | udp
US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp
US | 85.187.148.2:25 | mail.gzip.org | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 8.8.8.8:53 | hachyderm.io | udp
IE | 74.125.193.27:25 | aspmx.l.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 209.202.254.10:80 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
US | 209.202.254.10:443 | search.lycos.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
IE | 212.82.100.137:80 | www.altavista.com | tcp
IE | 212.82.100.137:443 | www.altavista.com | tcp
GB | 142.250.178.4:443 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
GB | 142.250.178.4:80 | www.google.com | tcp
N/A | 10.218.249.159:1034 | | tcp
US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp

Files

memory/3140-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/3040-6-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3140-13-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-38-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3140-42-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-43-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3140-47-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-48-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 716e4b239d45c3007e980e23cfcb49ff
SHA1 fed5c1bee4f683d9e883b38f3547d9d393f8b683
SHA256 4849f0594674b15c9355588c4f847b99ef5d392849997d3b0443661f5d381b4c
SHA512 1313ce1cbe1c82a98f86b40dc365d19e9bea601059c180520fcf3372eb457b7580d42a1e8fd3e359d5c194264b6dd51149d3fe5f55c5f2ec358b38c75a571087

C:\Users\Admin\AppData\Local\Temp\tmpA1DC.tmp

MD5 a6a5e57884992364f9819b978d798bee
SHA1 b0b6310b6e8678b8b6926b5619a4394c15124415
SHA256 8a36793b175e452d0e15e73e1269a3637ea0f5e39e46bdf6e11f45944fc928ca
SHA512 979c79a12babb68572336e57ee935f4325cd932fc19f9faffac0b4af22dc9219c255d2d86f340d4a0db41d4d23a48b75d69cb2324b2a18228d954409fa844a3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\6U86M0YO.htm

MD5 8693123e3c468fd62fbdd16ff5d65d29
SHA1 48911d097d0ba39c005680fa9026484f915e0a22
SHA256 b4ff77b059f98ace4c9e6965ab232c3129ea3886c33f802d20cdd7fac852eb2f
SHA512 48220b549cdb8819222b12c77597ea11320caa003602048e0089a6b37cff694c4908367f495094a227345dcb03d6db29d6c4a1221cf12e4a397c3d1dbb655422

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\search[3].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\search[1].htm

MD5 4538dff4e7f5b7ca93605f67b4a34612
SHA1 68a068b6485ccfe6acf5bd30132167508e5136bc
SHA256 4dd7d40c3155638b93d66351a660f4d85d1358e7231ccaed9a4a721240795592
SHA512 ffbb3d66c211edaad0867c1c8a66fc9181d1463c4edbb79a2fd15304de7bbd3146d847849c1728553257eea8f10cbe4b831166c099d9dfdee88d2d8484f33936

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\search[5].htm

MD5 78ee9d280b0f1881bdd9c6219c17da1a
SHA1 f9872d18b52170ea372e362a47313a381502fa27
SHA256 bdc6cfa1e37a501e6ecd289601083915963870e214c036d090cda8da21d951ff
SHA512 88bb4f4ab5f034f417b2a83d59602e24270b642abe07144453e1b80ffb6d435e98571c024706867b03aeee0eadb2f031cd659bafed51f9ebbf525611d31749ed

memory/3140-283-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-284-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X2NSSXLH\default[1].htm

MD5 c15952329e9cd008b41f979b6c76b9a2
SHA1 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 a6c1bcee7852413b9020aff34c686d9e
SHA1 a2288d8f1de6f1e9083c94b941a494ac22594486
SHA256 533cc6b966bdc6b5417d7f4ddcb83a4226c360d3481ea1d0b2b014261d23d316
SHA512 0e078a333704f2a26d095d13b237568b54abb3ebb38f63363b8cb66c16a378454b33f4a31e94781795eb78e7def5fe092ea8fed6beb70c34c4fdf22ef2cc3b89

memory/3140-393-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-394-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3040-398-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3140-399-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-400-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 5dfab162acf8f5e3772f0b0d4c7b035c
SHA1 9da6c4bd3861cddffa7517e731e79ebfca946cdd
SHA256 0c617b8ed047bd8582b3b13c4633b99fdceca94abb22eb9336fb94ca0b2c8902
SHA512 492504e1f621e5688ce0b006e62adb742d2308094f4409e79503ef14fae76fa95746a16776a23dd82504a1c52991b8f1c2c4c9100e03e99662d9065124c4440b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\search[6].htm

MD5 5590d393382981b1d0b0d3c362086b2c
SHA1 3550a193d198ef42f336d8bceccc451c7b095a02
SHA256 ef5a2b7793f7ae8c2132dcaa0f886fe42aec3341e2f872df972b42e255a57856
SHA512 27279f8ca39fee8b00a887dd65a00b11917d5627910f4c1a067d1de95b6fdecbae754e077e96b0a86b4e335fe0e228e25295b0279350038154b60cfde579d446

memory/3140-482-0x0000000000500000-0x0000000000510200-memory.dmp

memory/3040-483-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\searchQPJFC2PU.htm

MD5 78eb386c9213822dcdef074884c00d78
SHA1 11b7479ca4815bb399d5c28e7852af9d4201624a
SHA256 a0b1c7da9733d625f757742a68a1a4af2739b8f3520721813c65d5cd39bacd57
SHA512 053f0213672aa49130a94094acd176e53df7c19d570115421db96315f90886ec1297128b9d37d94eab5c7364bd5964ed16f80f6d242f22400c44c1eddb72c454

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\searchAB5994EN.htm

MD5 2071d1098f21d1833a7cfeb6cfc84c0e
SHA1 70d370afdab2e295af9d282ef8e0c95d1e540c55
SHA256 09ee49726f7e58cac4b842c0cb33dbb69ad0b56ac5da73d9c5f933753677dceb
SHA512 4c5f6f20d02c3c49a0239c46b1ebfe25d82c39a8ba1a7e3fe1a52c80da3be3e0e61389d2a921a81e95ea98539a8486767dba95a128fd3b0aa280100a21a91cd8

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 09:07

Reported

2024-05-05 09:09

Platform

win7-20240220-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(the row above is repeated 26 times in the report: 26 matches, no details recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.213.60.59:1034 | | tcp
N/A | 10.128.8.216:1034 | | tcp
N/A | 172.16.1.3:1034 | | tcp
N/A | 10.53.7.27:1034 | | tcp
N/A | 10.159.126.116:1034 | | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp
US | 8.8.8.8:53 | gzip.org | udp
US | 52.101.42.10:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | gzip.org | udp
US | 85.187.148.2:25 | gzip.org | tcp
N/A | 172.16.1.5:1034 | | tcp
US | 8.8.8.8:53 | alumni.caltech.edu | udp
US | 85.187.148.2:25 | gzip.org | tcp
US | 99.83.190.102:25 | alumni.caltech.edu | tcp
N/A | 192.168.2.111:1034 | | tcp
US | 8.8.8.8:53 | mx.gzip.org | udp
US | 8.8.8.8:53 | mail.gzip.org | udp
US | 85.187.148.2:25 | mail.gzip.org | tcp
N/A | 10.218.249.159:1034 | | tcp

Files

memory/2008-0-0x0000000000500000-0x0000000000510200-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2008-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2008-17-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-23-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-25-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-30-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-32-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-37-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-42-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-48-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-49-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-53-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-54-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 dbcddce6a94377fffd859fb7b3180e03
SHA1 c8b7cb8b17e8d3e1913a5c303721225b20a285f1
SHA256 07a5037ad68ed3f583afd22aa6b13376541ccae1e931b18a52c93b79b3f11150
SHA512 39cdf711fb274bdbbd5fe2ae5dc77dde19a2d9706ea407b302e2f11ca9c69d9f8b28ec58650b9e5080c15e0489942d9e7fd6f3967e0a98397f0cb2c311e2c894

C:\Users\Admin\AppData\Local\Temp\tmp7C15.tmp

MD5 c1affe614db0ff2fefa641e1079cbea4
SHA1 c382f345521b80709834cd43865ec110a92d62cb
SHA256 fcdad7593a7e803bf996b563bedec657e8ca2cdf4fe5f2d13ffed30ee010d97c
SHA512 945d4ec11dfa1fb736be27adc4f1dff1acb8e35a1e4313b2a44a32573af9417b9155f65867741f0be2809c86340d0352bf83f050d2724353fa391492cc907051

memory/2008-72-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-73-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-76-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-77-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-81-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-82-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1256-84-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2008-88-0x0000000000500000-0x0000000000510200-memory.dmp

memory/1256-89-0x0000000000400000-0x0000000000408000-memory.dmp