ecdbdb30c22a8028bf998afbda3a9be2d6a70bcea24341e9dfa35fe19a375bd8

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe
Size

40KB
MD5

48f42f7d2dc58ae0932513368f510e63
SHA1

fdd5d5938c5786dd9f21afc90326bece21b03ce6
SHA256

ecdbdb30c22a8028bf998afbda3a9be2d6a70bcea24341e9dfa35fe19a375bd8
SHA512

1db202ea1190c133a92da7073202d1f1361f32ea2281a2850ae519fd8a61ccf0f4bf5837ce5e4052c35d718ded2ac340cc5088d01b03eaa0da61cba8833f7bb4
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH+:aqk/Zdic/qjh8w19JDH+

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
668	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023407-4.dat	upx
behavioral2/memory/668-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-123-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-149-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-150-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-211-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-240-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/668-267-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe
File created	C:\Windows\java.exe	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 668	4348	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe	82
PID 4348 wrote to memory of 668	4348	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe	82
PID 4348 wrote to memory of 668	4348	48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48f42f7d2dc58ae0932513368f510e63_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\default[10].htm

Filesize
308B

MD5
5243568476eb2052b2f3b67dc9053e86

SHA1
b126aa6506772f9024b76580bdf28b45e3a7f051

SHA256
2d458622dc76eb87e44cc7db89309efdf50f99821145ae86864fd1b714cbaa80

SHA512
3c68cef4e3daa4bca6e8b3aa5a31874be1e4dec38fe9781c6fe4890980744527d0c6818eeb519f8e6b322118e1f08302d85972fa7da4ba8be9421aabf9a77833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\default[5].htm

Filesize
315B

MD5
058e41d2b5063436d4aa0b002fd7e569

SHA1
96a4ca8e2491c6b39717b65ad133d585bc075d62

SHA256
e9db8fcc986290d2376d5478a7c5a524c2949a0ef2e8c18d56b052b6841359cc

SHA512
6e55d73e1d091f5a7e886fa08ce3c27a38ff3d70c64ab099b9c285b2437817e6228b79461aa67ef1983df1fddb790445eb7a5bc9156a82a77b3cf6c0dfdc5dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\default[3].htm

Filesize
313B

MD5
0d0d1376df3380570c4bb9c520ab38de

SHA1
76971247133bf210a0c5047584be0dcd0066de28

SHA256
40a902c8739b322ee6619ebe215761bc432b3743f0bfc497522e581391fd506c

SHA512
7b492a86e2a1209f8963c614df12a07c889ca33eddcbcd92d59258da249bcbc89d1d352e20f7772022fea597ed23a52b062d4ac6d3ec77c7c01433aed3551c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\default[2].htm

Filesize
304B

MD5
cde2c6ec81201bdd39579745c69d502f

SHA1
e025748a7d4361b2803140ed0f0abda1797f5388

SHA256
a81000fc443c3c99e0e653cca135e16747e63bccebd5052ed64d7ae6f63f227f

SHA512
de5ca6169b2bb42a452ebd2f92c23bad3a98c01845a875336d6affe7f0192c2782b1f66f149019c0b880410c836fc45b2e9157dcccc7ad0d9e5953521a2151d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F48.tmp

Filesize
40KB

MD5
7c9e02a70bc8279ade50d8c7cd7e57af

SHA1
92e869549554a49f2d13e2f89dee572c8d32b63b

SHA256
0f5cec570f61a422e7e1e27480103d7a242eb6f1f68353ba825b306dca9e20ae

SHA512
49ea817f88a5c9838a9296b538739ab2ef545075fc913e9d382953524f82e4412033174eb609b817beb8f5aa47848541799b73f634965c6e5108b80c5c48b152

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
84ead64a18ad7e9ca631649cb520be96

SHA1
e6f62bdc374508df2ebd243a8cabc6d1fa4b59a9

SHA256
7d4e21db2ddb208c996028ef9d211ab6d8aaa5e4a90340c222ca62e8bb4db9d4

SHA512
c0a41b37dd1d86e90905c2da0478ccc41edd399a1fdba077fdaa80b38d384c8d61a2476e185495a84313b6503022384c95eb541db2752d626ba44ae973b07a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
210d9a99c126f2fcfac7681ef82b85cd

SHA1
f7a4aafc7ccbe45b8bad104dd8c9f5651361aa22

SHA256
ae678d50f39bb6ef30bbe2381d7ab9703d613629f247fc67283965a0991b4a08

SHA512
de15e63f2b8b79d5bf6121b240968f9dc64ef4e56bcf56eb493061944777cd44a9ebcb4e80158c76207c1fa25c0a79b690c8f852126884ac5ce2ecc801da2560

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/668-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-123-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-240-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-267-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/668-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4348-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads