Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system -
submitted
06-05-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
-
Size
40KB
-
MD5
1e84f9bcc1faf2e8b4c9638add720008
-
SHA1
e0422a8e309de04b3f71919e3b86362722cfb2e1
-
SHA256
a51667fcf9ac9bc47c41f9c99a314a2c666a6006f30188baec64de6e5d33809f
-
SHA512
64a08ae2594da20e82fcc5954b5512a48f57eb847a5e94d81cbd1949aa55f7834e30c81d0b1978ae427a0914a8078f52711954a3fdfe8a7b8f5b78d7184625a6
-
SSDEEP
768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHF:aqk/Zdic/qjh8w19JDHF
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Executes dropped EXE 1 IoCs
pid Process
3920 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\services.exe 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
File opened for modification C:\Windows\java.exe 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
File created C:\Windows\java.exe 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 3408 wrote to memory of 3920 3408 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe 86
PID 3408 wrote to memory of 3920 3408 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe 86
PID 3408 wrote to memory of 3920 3408 1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e84f9bcc1faf2e8b4c9638add720008_JaffaCakes118.exe"
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3408 -
  C:\Windows\services.exe
  "C:\Windows\services.exe"
- Executes dropped EXE
- Adds Run key to start application
PID:3920
-
Network
MITRE ATT&CK Enterprise v15
Downloads