20cac668826046b1891754630ec34e11f4b333ac8b4484f50cbf4b980544d6d5

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe
Size

227KB
MD5

1f4c1108029ec8522f744da4f61b3772
SHA1

e07edce9945340015f54e96eb3cb6536cb023b3b
SHA256

20cac668826046b1891754630ec34e11f4b333ac8b4484f50cbf4b980544d6d5
SHA512

ebd08ecb26c3fdbe45884f2a2680cc093d673e074d22aab4b07b6b39182bfe503cc2672a1e547851218d3c2baeac30a5ecea9ebc4adcb9c06ba119bf7a9066ca
SSDEEP

6144:iifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV2r:1fk6kDqHw2hmxlrz2HoSR2

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-0-0x0000000001170000-0x000000000120E000-memory.dmp	upx
behavioral1/memory/2480-46-0x0000000001170000-0x000000000120E000-memory.dmp	upx
behavioral1/memory/756-131-0x0000000001170000-0x000000000120E000-memory.dmp	upx
behavioral1/memory/2480-137-0x0000000001170000-0x000000000120E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	1F4C11~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	1F4C11~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2656	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	28
PID 756 wrote to memory of 2656	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	28
PID 756 wrote to memory of 2656	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	28
PID 756 wrote to memory of 2656	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	28
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31
PID 756 wrote to memory of 2480	756	1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f4c1108029ec8522f744da4f61b3772_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\1F4C11~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1F4C11~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
c76c15523ae37bf314d41591b2dbb25c

SHA1
3e367eee5fadef215a30cc9c24ea363e7caf89c3

SHA256
53939545dfc8d27511c434174136fba438f8654145fa907abd18c77b74256f65

SHA512
3f00e84e3a30208da4172b53c1622d5b6564c86c08450ef26dd4de3fe572e5a4975eb7243a72b84784ac68860dc0af2046d3b873e2224fa8d18f0d012f1a5072

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
2faa45770a8570a0906f9f76af13a270

SHA1
aa325c7f9ee0ab3bdf3d45223249ec2a48c334c1

SHA256
46a687004697bf9d6531a1a28c89bab58903278d4bb9b8ccd15d9af619919114

SHA512
24ba31b8a0831a7a253ddb544141d682b6d9dd736bc2bce59ee1ea8bcb337e1e9fc4746a007ef22c0e68fc62ca9acf027d6488365d830932e5b53001b5685c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
340252f6847a7a153d5f64552e2ca421

SHA1
cae0a694be0f6ac51ad8a07eabf85141fa6bee92

SHA256
f0962935f1a5c77c441baf69af1070f7c9ce3716b45fdb917663896fdc79eaa2

SHA512
86647c7ec29cfc20f84bcaa341c15f6a4e15d4373e3cdbc70ca1b0eb81277369a49222611e82762429e96a9ebe358d2e46ba7aeb505faef87b2ca4838ced0770

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
b0332012ae8050449b5b34949d6a328c

SHA1
149d4e7b96ebf00cb666458b224037c48f5fb11d

SHA256
e8c7840eea6d7acf51d0520a2fa079d2f258531593f3e2fc539f5cd2209ad99f

SHA512
d5e8df3f8fe7daee04b17566e092d5510f37dc655cab902181dc897c39a1b7011b047c446d77b532ba8f3be40964725870ac3f42e0748b0c0ffb49823582b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
01f60082ccf050b2f2b28132f3e6bbb5

SHA1
872ae759281069afa801ed8b2f7957dde0e5d3c5

SHA256
6800b6a371c6cd2b4afc610818cac75bc938783c3729f5bfeaf641342910380f

SHA512
620b438b1f97f4395f4802002b0369310123697f62fda0bdf3ec7fb9b4b8b8af9cee4155a45810d7f276702af63cd62d6484881230e30c5045e5e5a749d1666f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
5b0ba05e51fea5ca2bc7ceadbfefbdb7

SHA1
723e2c21e3c44f8707ac55785e987c90e9fb5310

SHA256
1d045cc8889473dd5ee01873aeb97037396fadc4f285932dfca0220a62bc63ca

SHA512
bb8179d647a7808292acbde933748711b0a69dc5559a0aea649a7507109bc945e472e34dbac112acf3e03d4dab9b18eeac3c006d89340629f6cd13c1dbcf4fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
d987cfcb9dd6d1f3ab7df175bbbca4b9

SHA1
9454652dceb1f33fc6c07881140897f8f2c7a3c0

SHA256
81d352b71a0d2bc85dd0f91bdc18038f7a3e398c1db001e2567f55492ab0e1b7

SHA512
5b76dcdff3be2ef3f9b7b2e240cad05779381394ee21fca86ba361d8213d4f75899a368c66e85b12027006ae60bbd4926d06ca24c7ab60a1a856d3fb22b09954

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
c5898857e73ce92b49d7537ccd09ccec

SHA1
79a91430f2dc2a286fab952a39394fb44e2ec46e

SHA256
aed0bdacf3bc57f4c49a83fcfac74668841085e446111c81a889ff495d8f43d7

SHA512
e7203af2cebfab89606fed31b391e0685f22ee0c37b3525c034b4d69d2430c928d8c394cc17031f7c5889ae74331ec718fe01ad39423ab4edef3b7d2f9d3cf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
f2b5bd1a10c27a8cfc799d541440acab

SHA1
75220ddeb2a915ed93db15b8220ef88873ead308

SHA256
1cd00dadcae1ab1be81a59924a37dfbf1dd5ce5ed60a676560543463e2048fc5

SHA512
a747886a3022a1a5db7898fedf84266aa22ea92d3b205c942f3db28b0790a6f4e1f78b2f6dea0129a6fef108255bc0ad26d69127558c76eac21faf45b45f19e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
e399b04061fdceca053bf4b379ad2ee7

SHA1
886615cbe1e718e3d8db6d5d65ab7dff2df9f0bd

SHA256
2cd6bbf0deefeed5be89cbac663c97859014db600939981c3d8c3ad3d8b4c56e

SHA512
988dbd861a02e11d1684e9200716734cb9919fb81d000cfbac5cb434342d17f4ac7234155b2eae20cacbad9b1187e8aae57803c848a6aa72c845d52ec98687dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
9ee5d70d78f672ca179e9dd00b6cd407

SHA1
a20c64b8978fef80dfcd17ab8050529044c267f1

SHA256
d3ae5ea24a1b5873a688d42dbb7cf4ffdda3656c0c50231efca710cdb33b5136

SHA512
4ffce55ddf88030e2a9b5f23297b6ed4fd624c4c1575e14f5b12c5a2b7468a59d3b7bb85743138e5788440710db398ae76a35e03c258db3b8741d2eb5e3d895d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
fb591a6bffcdde746e93a35b85f4effa

SHA1
43558b1eaeda94e422fab14f641f43e36f50ed2c

SHA256
23979e7ec86e3b43d6f537d75819c5f84ce056287be201855f5e646f7654b5ad

SHA512
9f1fb74c8b392092697a3d0ce74c411426f6a4d1f4a774af4ea096f83ff39f385f0316dd243fa30b6e32d75bec3c6ac7411113c3123ff6139134352d01e9dd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
827b7ffbb4696b71ec79adf1b26daab3

SHA1
ebea17e031238e8a3bddfa6109834260cbc34e74

SHA256
14c831c384943782c601248a67458c4f2f76663d9818ea0a58a4e63b79e2b223

SHA512
06e5edaf7991634e5674a0cae095cd4b1c5362b3d639036744fe7b764b039560932d3d6e813aa7f020b8db0ca852bd06598b9f5798266c66d997f8f558a5b38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
95dccf3f7205cc8570d6f41d4118d801

SHA1
c379d94fadc89eaa0fef1ff27a4af43f1864a5c9

SHA256
d4a4614768f928eb390908739b3c1b7851153df0ff405c603d8e9da228cc92bd

SHA512
b9ebc909940776f2012a606c47aebb3d5233a017375847c3f044c614788bf5057994d0ec19083668763a06ad3161d3c129d66f34088ec5c6a13c118d54c81f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
f756c2775f55846090de992798844f2f

SHA1
e71b076af618168d81f5c5956a34d1f1f10ba65f

SHA256
6a49f2335154df3cb7c2524c5395980c2d321a9ff12166d725c48da7b405af02

SHA512
f3511faa25b6f29fdfc87bd657236c1ad99d2f3b24280c2173ec46cbb439e5214a108574fe2c9c1e9106d8c9ddceb9c8403ec532b872c30366c4ab04874e8dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133595259857462000jre_packed.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/756-45-0x00000000030E0000-0x000000000317E000-memory.dmp

Filesize
632KB

Download
memory/756-131-0x0000000001170000-0x000000000120E000-memory.dmp

Filesize
632KB

Download
memory/756-44-0x00000000030E0000-0x000000000317E000-memory.dmp

Filesize
632KB

Download
memory/756-0-0x0000000001170000-0x000000000120E000-memory.dmp

Filesize
632KB

Download
memory/2480-137-0x0000000001170000-0x000000000120E000-memory.dmp

Filesize
632KB

Download
memory/2480-46-0x0000000001170000-0x000000000120E000-memory.dmp

Filesize
632KB

Download