507b903224830c5961f01d6d37bf727096252886285fdbb26774a60cf25cbf8e

General

Target

36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe
Size

40KB
MD5

36f9823ef26ef555993b4d5e9181a704
SHA1

0c6a45f38b980c2612af5bc9090a0bba5f99730d
SHA256

507b903224830c5961f01d6d37bf727096252886285fdbb26774a60cf25cbf8e
SHA512

fdb4278ae00183e5ea269810e6b80e8b53a8af1149a547dabe80f31ae5537afc2edc09f7353d91af1a50ce91b3586813355401d3f08ce593d191d3f7c18f83f2
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHb33:aqk/Zdic/qjh8w19JDHj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5112	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234c4-4.dat	upx
behavioral2/memory/5112-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-106-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-146-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5112-151-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe
File created	C:\Windows\java.exe	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 5112	2620	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe	84
PID 2620 wrote to memory of 5112	2620	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe	84
PID 2620 wrote to memory of 5112	2620	36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36f9823ef26ef555993b4d5e9181a704_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F6.tmp

Filesize
40KB

MD5
711a5ee49a745ac35c23a766212abe6b

SHA1
ac61233ba77b2499eaf7ca10c10bf5e94839f14c

SHA256
31bf47d32849c2464a3b8ad22ebae47cdb77de1656fed623f1685e4f2a82a8f7

SHA512
4d6c99d9af10732d3f346c6440bf2a589c09150f45da2b336abd727c140ced10cf0c2050a90ee889c064583a539266187ea240f5f858c7dd16ee19ca9f07b075

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a86a8bc53123112a6a13e48810100a2a

SHA1
669148d49b5218523c07d21e5c834cade9ec3071

SHA256
8bcbdf886c86ba99a3c5c7ecefeafbc314fa726d5bb03e2f375a0ec7f1b6e674

SHA512
5977ed93bb8d165023b27ea4d8fa556d9e1bf7eb9dac195e7a36423d9e4d6ff9e63f4bdb24ee49b111985572ad707c941c3f6156a944a843adf19dba261310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f654ae9876fd1cb0057046be4f9fe688

SHA1
a12eefe761462fc7c38198de2650ecdc36c4a847

SHA256
28683b40a3ae219a8090fc5bc6f4d490839a7fe8b1b58476aa51759cad321ac5

SHA512
d1e2765dd349344e042b37dafe177c1c212909ad66090da72452d4a0188f41fce79c3dbbcce56db91821d76188502a7869a7a9322ea618afd4340e4a5f88c691

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2620-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/5112-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-106-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-146-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5112-151-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads