Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-05-2024 22:07

General

  • Target

    1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe

  • Size

    40KB

  • MD5

    1e84f9bcc1faf2e8b4c9638add720008

  • SHA1

    e0422a8e309de04b3f71919e3b86362722cfb2e1

  • SHA256

    a51667fcf9ac9bc47c41f9c99a314a2c666a6006f30188baec64de6e5d33809f

  • SHA512

    64a08ae2594da20e82fcc5954b5512a48f57eb847a5e94d81cbd1949aa55f7834e30c81d0b1978ae427a0914a8078f52711954a3fdfe8a7b8f5b78d7184625a6

  • SSDEEP

    768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHF:aqk/Zdic/qjh8w19JDHF

Malware Config

Signatures

  • Detected microsoft outlook phishing page
  • Executes dropped EXE 1 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3920

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3X7K2ORY\search[3].htm

    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1O6EZKR\LM5KGWSE.htm

    Filesize

    175KB

    MD5

    63fdb7ce175a3e1d6aa6bd5b7ef0dfa8

    SHA1

    d5ceb894dc65e787a94b20106fe1a858fcdf351b

    SHA256

    39c1d0ec945d0e42b93e70ff973eed565a7245ffcad8896faf13415adf4404bd

    SHA512

    aad3f59908ec0ff50f98f4aa70f137d368a18a1d6bfc939c0867497e69faac70d8fa94fa121f2c9012c721a2f2aa21fe2d6dd538276b38bae6e54624db19323b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W1O6EZKR\search[6].htm

    Filesize

    109KB

    MD5

    685aaf80d05ee873ab020d9097934ca8

    SHA1

    377437c235f4982f1ab0f69333d2a27deddeb9a3

    SHA256

    f459b67232d594cea33125f6738056225cdc3bbf1fe036cb82c5265f8cc2c915

    SHA512

    4c340655cd722bc90fc0154869ea5e98130a4a1bf867a1abdf65b90f3ce1cad3af97552a992613fd1e5f6c2a79cc2ce65bb763536c75d511ed456b155a4dd959

  • C:\Users\Admin\AppData\Local\Temp\tmp2865.tmp

    Filesize

    40KB

    MD5

    448d8063c6c9c3ce2fb1da97286d7185

    SHA1

    8707e670c18ea682912ae915cc90b65658b1c2c1

    SHA256

    6c8545ef2fc11cc9373cdf282286fc12f660c79c40a1fc60bd3e598788d43b9c

    SHA512

    8917fc9f23a6c1765534dbb55f3722cd3eab7df4c9539fa1c7a71cbadaa6c6a9c9848ec88bee0e1fb50a105fd42c615f2ab562b4546aa79b26db0afc7fa0cf8f

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    e9b83582d4ba0d9d5c9f5a3194c3df7e

    SHA1

    0e8fa6e7269f6d761a504b023ba9f1a8ca954e1f

    SHA256

    a80192f79cc528d3f337cd9e23f924e2e27d1b8ecbb2b573a6fa99a6914fb432

    SHA512

    91bf8d9bde4ab46ad06577aa5a38d44ecfa614f707d68161df407cc5a8738342de10ed124f7aac6d559c057d6315fe11ab852e12ee9235f12ffc36b934b59742

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    c6fc5db5a55e60fcb177fb45716aa765

    SHA1

    295c6f4267a6619f45d9db3215869fe1d0d94e42

    SHA256

    8ff450da55c448f7efa84ba132050051a0fafc0e20a961e10df6c651499439f9

    SHA512

    8aaac3c7554992ea0f3e206ff1c5bc9b37fe9b10304d7220e96f0155e118ab58516e19bd935e5ee09e828c417fc102b396f9377012e375c4423fe4f08fbd7368

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    1KB

    MD5

    da30aa29ca9226eed7e4846460a1f394

    SHA1

    9b24ee7ad32920f1f341a0b0d368ac21f9d41b7a

    SHA256

    db4c25c083944c77c6b75c3bee97b039b1cf234c577ec8bdaad14f2711d14e33

    SHA512

    b71611beff1392c2752107f20f9ec53879bb5dd5ff6a67447469eb14c5624d9a958ee071efd4892761c185c4d72156ae76840c342aefdd2b482c312199976e11

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/3408-0-0x0000000000500000-0x000000000050D000-memory.dmp

    Filesize

    52KB

  • memory/3920-220-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-228-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-7-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-13-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-219-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-17-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-224-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-101-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-22-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-246-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-249-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-21-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-261-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-262-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3920-266-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB