Analysis Overview
SHA256
21797e18dd8010b1f0140b5673ffe9e97a954246a866653a82102ed0b5404d94
Threat Level: Known bad
The file 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe was found to be: Known bad.
Malicious Activity Summary
Detected microsoft outlook phishing page
UPX packed file
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 09:07
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 09:07
Reported
2024-05-05 09:09
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detected microsoft outlook phishing page
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3140 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3140 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 3140 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.213.60.59:1034 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 10.128.8.216:1034 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 172.16.1.3:1034 | tcp | |
| N/A | 10.53.7.27:1034 | tcp | |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 10.159.126.116:1034 | tcp | |
| US | 8.8.8.8:53 | m-ou.se | udp |
| US | 8.8.8.8:53 | aspmx.l.google.com | udp |
| IE | 74.125.193.27:25 | aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 8.8.8.8:53 | mail.mailroute.net | udp |
| US | 199.89.1.120:25 | mail.mailroute.net | tcp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 8.8.8.8:53 | cs.stanford.edu | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 8.8.8.8:53 | mx.burtleburtle.net | udp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 52.101.42.16:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 8.8.8.8:53 | search.yahoo.com | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| IE | 212.82.100.137:443 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | search.lycos.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| GB | 172.217.16.238:443 | consent.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 137.100.82.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.254.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| IE | 212.82.100.137:80 | search.yahoo.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.altavista.com | udp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 8.8.8.8:53 | www.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | www.alumni.caltech.edu | udp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| N/A | 172.16.1.5:1034 | tcp | |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 171.64.64.64:25 | cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alt1.aspmx.l.google.com | udp |
| NL | 142.250.27.27:25 | alt1.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | acm.org | udp |
| US | 104.17.79.30:25 | acm.org | tcp |
| US | 8.8.8.8:53 | smtp1.cs.stanford.edu | udp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | burtleburtle.net | udp |
| US | 65.254.227.224:25 | burtleburtle.net | tcp |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 192.168.2.111:1034 | tcp | |
| US | 171.64.64.25:25 | smtp1.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | alt2.aspmx.l.google.com | udp |
| NL | 142.250.153.27:25 | alt2.aspmx.l.google.com | tcp |
| US | 8.8.8.8:53 | mx.acm.org | udp |
| US | 8.8.8.8:53 | mail.acm.org | udp |
| US | 8.8.8.8:53 | smtp.acm.org | udp |
| US | 8.8.8.8:53 | smtp2.cs.stanford.edu | udp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 8.8.8.8:53 | outlook.com | udp |
| US | 8.8.8.8:53 | outlook-com.olc.protection.outlook.com | udp |
| SG | 52.101.137.1:25 | outlook-com.olc.protection.outlook.com | tcp |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
| US | 65.254.254.50:25 | mx.burtleburtle.net | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 8.8.8.8:53 | mx.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mx.gzip.org | udp |
| US | 8.8.8.8:53 | mail.alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | mail.gzip.org | udp |
| US | 8.8.8.8:53 | smtp.alumni.caltech.edu | udp |
| US | 85.187.148.2:25 | mail.gzip.org | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | hachyderm.io | udp |
| IE | 74.125.193.27:25 | aspmx.l.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 209.202.254.10:80 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 209.202.254.10:443 | search.lycos.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| IE | 212.82.100.137:80 | www.altavista.com | tcp |
| IE | 212.82.100.137:443 | www.altavista.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| N/A | 10.218.249.159:1034 | tcp | |
| US | 171.64.64.26:25 | smtp2.cs.stanford.edu | tcp |
Files
memory/3140-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/3040-6-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3140-13-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-31-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-36-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-38-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3140-42-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-43-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3140-47-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-48-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 716e4b239d45c3007e980e23cfcb49ff |
| SHA1 | fed5c1bee4f683d9e883b38f3547d9d393f8b683 |
| SHA256 | 4849f0594674b15c9355588c4f847b99ef5d392849997d3b0443661f5d381b4c |
| SHA512 | 1313ce1cbe1c82a98f86b40dc365d19e9bea601059c180520fcf3372eb457b7580d42a1e8fd3e359d5c194264b6dd51149d3fe5f55c5f2ec358b38c75a571087 |
C:\Users\Admin\AppData\Local\Temp\tmpA1DC.tmp
| MD5 | a6a5e57884992364f9819b978d798bee |
| SHA1 | b0b6310b6e8678b8b6926b5619a4394c15124415 |
| SHA256 | 8a36793b175e452d0e15e73e1269a3637ea0f5e39e46bdf6e11f45944fc928ca |
| SHA512 | 979c79a12babb68572336e57ee935f4325cd932fc19f9faffac0b4af22dc9219c255d2d86f340d4a0db41d4d23a48b75d69cb2324b2a18228d954409fa844a3d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\6U86M0YO.htm
| MD5 | 8693123e3c468fd62fbdd16ff5d65d29 |
| SHA1 | 48911d097d0ba39c005680fa9026484f915e0a22 |
| SHA256 | b4ff77b059f98ace4c9e6965ab232c3129ea3886c33f802d20cdd7fac852eb2f |
| SHA512 | 48220b549cdb8819222b12c77597ea11320caa003602048e0089a6b37cff694c4908367f495094a227345dcb03d6db29d6c4a1221cf12e4a397c3d1dbb655422 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\search[3].htm
| MD5 | 8ba61a16b71609a08bfa35bc213fce49 |
| SHA1 | 8374dddcc6b2ede14b0ea00a5870a11b57ced33f |
| SHA256 | 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1 |
| SHA512 | 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\search[1].htm
| MD5 | 4538dff4e7f5b7ca93605f67b4a34612 |
| SHA1 | 68a068b6485ccfe6acf5bd30132167508e5136bc |
| SHA256 | 4dd7d40c3155638b93d66351a660f4d85d1358e7231ccaed9a4a721240795592 |
| SHA512 | ffbb3d66c211edaad0867c1c8a66fc9181d1463c4edbb79a2fd15304de7bbd3146d847849c1728553257eea8f10cbe4b831166c099d9dfdee88d2d8484f33936 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\search[5].htm
| MD5 | 78ee9d280b0f1881bdd9c6219c17da1a |
| SHA1 | f9872d18b52170ea372e362a47313a381502fa27 |
| SHA256 | bdc6cfa1e37a501e6ecd289601083915963870e214c036d090cda8da21d951ff |
| SHA512 | 88bb4f4ab5f034f417b2a83d59602e24270b642abe07144453e1b80ffb6d435e98571c024706867b03aeee0eadb2f031cd659bafed51f9ebbf525611d31749ed |
memory/3140-283-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-284-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X2NSSXLH\default[1].htm
| MD5 | c15952329e9cd008b41f979b6c76b9a2 |
| SHA1 | 53c58cc742b5a0273df8d01ba2779a979c1ff967 |
| SHA256 | 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7 |
| SHA512 | 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296 |
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | a6c1bcee7852413b9020aff34c686d9e |
| SHA1 | a2288d8f1de6f1e9083c94b941a494ac22594486 |
| SHA256 | 533cc6b966bdc6b5417d7f4ddcb83a4226c360d3481ea1d0b2b014261d23d316 |
| SHA512 | 0e078a333704f2a26d095d13b237568b54abb3ebb38f63363b8cb66c16a378454b33f4a31e94781795eb78e7def5fe092ea8fed6beb70c34c4fdf22ef2cc3b89 |
memory/3140-393-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-394-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3040-398-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3140-399-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-400-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | 5dfab162acf8f5e3772f0b0d4c7b035c |
| SHA1 | 9da6c4bd3861cddffa7517e731e79ebfca946cdd |
| SHA256 | 0c617b8ed047bd8582b3b13c4633b99fdceca94abb22eb9336fb94ca0b2c8902 |
| SHA512 | 492504e1f621e5688ce0b006e62adb742d2308094f4409e79503ef14fae76fa95746a16776a23dd82504a1c52991b8f1c2c4c9100e03e99662d9065124c4440b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\search[6].htm
| MD5 | 5590d393382981b1d0b0d3c362086b2c |
| SHA1 | 3550a193d198ef42f336d8bceccc451c7b095a02 |
| SHA256 | ef5a2b7793f7ae8c2132dcaa0f886fe42aec3341e2f872df972b42e255a57856 |
| SHA512 | 27279f8ca39fee8b00a887dd65a00b11917d5627910f4c1a067d1de95b6fdecbae754e077e96b0a86b4e335fe0e228e25295b0279350038154b60cfde579d446 |
memory/3140-482-0x0000000000500000-0x0000000000510200-memory.dmp
memory/3040-483-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\searchQPJFC2PU.htm
| MD5 | 78eb386c9213822dcdef074884c00d78 |
| SHA1 | 11b7479ca4815bb399d5c28e7852af9d4201624a |
| SHA256 | a0b1c7da9733d625f757742a68a1a4af2739b8f3520721813c65d5cd39bacd57 |
| SHA512 | 053f0213672aa49130a94094acd176e53df7c19d570115421db96315f90886ec1297128b9d37d94eab5c7364bd5964ed16f80f6d242f22400c44c1eddb72c454 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\searchAB5994EN.htm
| MD5 | 2071d1098f21d1833a7cfeb6cfc84c0e |
| SHA1 | 70d370afdab2e295af9d282ef8e0c95d1e540c55 |
| SHA256 | 09ee49726f7e58cac4b842c0cb33dbb69ad0b56ac5da73d9c5f933753677dceb |
| SHA512 | 4c5f6f20d02c3c49a0239c46b1ebfe25d82c39a8ba1a7e3fe1a52c80da3be3e0e61389d2a921a81e95ea98539a8486767dba95a128fd3b0aa280100a21a91cd8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 09:07
Reported
2024-05-05 09:09
Platform
win7-20240220-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 2008 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 2008 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
| PID 2008 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"
C:\Windows\services.exe
"C:\Windows\services.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.213.60.59:1034 | tcp | |
| N/A | 10.128.8.216:1034 | tcp | |
| N/A | 172.16.1.3:1034 | tcp | |
| N/A | 10.53.7.27:1034 | tcp | |
| N/A | 10.159.126.116:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 8.8.8.8:53 | alumni-caltech-edu.mail.protection.outlook.com | udp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 52.101.42.10:25 | alumni-caltech-edu.mail.protection.outlook.com | tcp |
| US | 8.8.8.8:53 | gzip.org | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| N/A | 172.16.1.5:1034 | tcp | |
| US | 8.8.8.8:53 | alumni.caltech.edu | udp |
| US | 85.187.148.2:25 | gzip.org | tcp |
| US | 99.83.190.102:25 | alumni.caltech.edu | tcp |
| N/A | 192.168.2.111:1034 | tcp | |
| US | 8.8.8.8:53 | mx.gzip.org | udp |
| US | 8.8.8.8:53 | mail.gzip.org | udp |
| US | 85.187.148.2:25 | mail.gzip.org | tcp |
| N/A | 10.218.249.159:1034 | tcp |
Files
memory/2008-0-0x0000000000500000-0x0000000000510200-memory.dmp
C:\Windows\services.exe
| MD5 | b0fe74719b1b647e2056641931907f4a |
| SHA1 | e858c206d2d1542a79936cb00d85da853bfc95e2 |
| SHA256 | bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c |
| SHA512 | 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2 |
memory/2008-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-9-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2008-17-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-23-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-25-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-30-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-32-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-37-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-42-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-44-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-48-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-49-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-53-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-54-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zincite.log
| MD5 | dbcddce6a94377fffd859fb7b3180e03 |
| SHA1 | c8b7cb8b17e8d3e1913a5c303721225b20a285f1 |
| SHA256 | 07a5037ad68ed3f583afd22aa6b13376541ccae1e931b18a52c93b79b3f11150 |
| SHA512 | 39cdf711fb274bdbbd5fe2ae5dc77dde19a2d9706ea407b302e2f11ca9c69d9f8b28ec58650b9e5080c15e0489942d9e7fd6f3967e0a98397f0cb2c311e2c894 |
C:\Users\Admin\AppData\Local\Temp\tmp7C15.tmp
| MD5 | c1affe614db0ff2fefa641e1079cbea4 |
| SHA1 | c382f345521b80709834cd43865ec110a92d62cb |
| SHA256 | fcdad7593a7e803bf996b563bedec657e8ca2cdf4fe5f2d13ffed30ee010d97c |
| SHA512 | 945d4ec11dfa1fb736be27adc4f1dff1acb8e35a1e4313b2a44a32573af9417b9155f65867741f0be2809c86340d0352bf83f050d2724353fa391492cc907051 |
memory/2008-72-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-73-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-76-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-77-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-81-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-82-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1256-84-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2008-88-0x0000000000500000-0x0000000000510200-memory.dmp
memory/1256-89-0x0000000000400000-0x0000000000408000-memory.dmp