a0d971ed07a0c12fa2483e1beafb4fc8cb8cb93719bd62d3d15ec862f394b54a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe
Size

40KB
MD5

5d20c816f892566affa58d09158b0d5e
SHA1

aec62381701dab69c596d33c248e7a250777427e
SHA256

a0d971ed07a0c12fa2483e1beafb4fc8cb8cb93719bd62d3d15ec862f394b54a
SHA512

de7736d1b417a321677bc8c54cdd27cf1a964ddb0ab6f3436a1dc303fd13417dc5e759e61a140b7475b55d7e6a2bc6ab3142809987a2210debf61c0a234e1bb4
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHSyV:aqk/Zdic/qjh8w19JDHSE

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000233ec-4.dat	upx
behavioral2/memory/4824-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-186-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-278-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-279-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4824-283-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe
File created	C:\Windows\java.exe	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe
File created	C:\Windows\services.exe	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4824	4700	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe	83
PID 4700 wrote to memory of 4824	4700	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe	83
PID 4700 wrote to memory of 4824	4700	5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d20c816f892566affa58d09158b0d5e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\results[3].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMPDKH9Q\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\DEQB0IIH.htm

Filesize
176KB

MD5
3282c676ef287d863410c318f59d87ac

SHA1
d297eba44c44f2a4e6bd13b8cafdf0a957601220

SHA256
8fc55aa8842068f91dc56adf707d2608bc97426b51384ba8a4347e64bd9cdf52

SHA512
d1326f8753461919441f69ffc672d58cd5b1b3fae1dd4844809707d191454b1ad5c044db308ca4e97c931958167b94787b0d3e14e602b6a4ebeb736effc666d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EO73ZF47\search[2].htm

Filesize
114KB

MD5
ba7b7073c2eb7b5e15c544d6f5477abd

SHA1
711e469604fc00a95148854d8f67e7b4c65f4424

SHA256
c688d600da0efe2fadd8de83e3b43ad7ad124f02c9b251f01c290242967aa2ad

SHA512
cec79359d4e3268723ca5dfa86f97b05c438e7c9701597d34d0a26a38713917b97495ff205d985d5d04994b7eb5b3bad43dd2e79143ecf997cccc60f3ea807c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\search[4].htm

Filesize
117KB

MD5
5fe5e144e1f6014e18697d652eb2059f

SHA1
9df65317cd45fc8c7abfa3ab188a77802fef2524

SHA256
904d8c996f470e314b2e4ab51f0e5d307c0486d8aa5eb95fcced63839ce41aa0

SHA512
710b58bebd8f988c7f32783631031d93f212bd93f7ca34221ee2d591a88dd557572fd9d9449ffbd04dc2ccab09ade077b232ae2f1f3c0dcc28e93f537ff7fa84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\search[7].htm

Filesize
104KB

MD5
4cb0ee801eed7af2c977e3051bdbc2ff

SHA1
878304c7b728f2f87867e12bcfe5df59c66ad9df

SHA256
c7b37f60973ad4e4ce8735e85b8d8ff1b1df5f7d7d314a029297e143c15f2a52

SHA512
6088eae5ae91b34b75e17bf3a415447c77ccf6fd3e3bb3f38bc37e22dc021c8b2ceb2f20650fa28ca963852fc9b978be9ec56046c99284ce0c8878bd3b1e451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5FA.tmp

Filesize
40KB

MD5
d95dda921739a3e37fb5a2887c1065ef

SHA1
d83f73db10a10a698959618193e994ce1918c220

SHA256
50071874242279123590df95542f6849476a586fa96a034bdbe04dc6e4d43613

SHA512
80e0b83da70de82c7b8e8a5af8ef92961c6dd559b45c28df9264cf601cb09efa1e58dcd4bd1a601da478f1d97e6a547846e246a96d294bed52295c1a23589e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgnwBe2a.log

Filesize
1KB

MD5
b589f40c7f0c26cdc548465641312f53

SHA1
06dec609d330cf079fc3463a25171439952831c3

SHA256
80d7163409230d6eeb2c737a6e39b2a06f773191b4614f83b8fc9bde55b1267a

SHA512
c1dde22772e15ca78598bb202b85e74f016781ac4f899d85836ffb06fc654b03bb589a1bced7f5bbf8f763bc96f3bcdfd279a31163abf9d25d5ed30e981157a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f5f851a5cd17dd8d91f701e1c6b2ecd0

SHA1
d334c5219c141974b1b2758fd31287ba0b13d045

SHA256
06251e62c4374dbbb997a6b83db210bc5d12fdc0482e43c82195c61855e623a2

SHA512
3900914fcb97af2578adfd9646b24427a815973d6fd19fa4a0c61ebf87b235db705dca46fd31507960a13ae6d75830915a28d7880cb0e22c6bb00ddb67ee8dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f2182fb98c3654fbd818b13012b1421c

SHA1
1b0cfa15c0be86011123d33719d146f770796bbc

SHA256
4647edcbfe758444479d42a47ecdcf01a4f447239b8624a581d9d43c680ea10a

SHA512
1791f8b0190e23840f6b83e178e38ac6e5e908e0277a700322aa2fce7f554a999a4bf32567d4d26e9176b62511e4984928586976725abd161d2b01117d519191

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ef8897f7ede59f2d2464b209db17af44

SHA1
d8ad0b3fc2802dbd10d21a1351bb6f721840f650

SHA256
6d6fb1c426278734f0f18ddcf83d3dc3d8ea58128b251ffa2f1d49545361604a

SHA512
81f2231943d66942c53ee4db45556c4e4a0f518515880cbcc30dcde00d54a53239030d940b19d536bc0728a42050618aab4811c95db2736ec38816a898813c53

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4700-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4824-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-186-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-278-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-279-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-283-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4824-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads