16a02dde00b3a8035cf504cbabef9bb6441c33f9e08f2b8e5ffca88042a625f3

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe
Size

227KB
MD5

6c3a16403d4ea9dc68e8154de90c1787
SHA1

fb1350ca83caf36ab32e8cd635c8c393e9763d97
SHA256

16a02dde00b3a8035cf504cbabef9bb6441c33f9e08f2b8e5ffca88042a625f3
SHA512

94dafb301ba328cf071fc25d2ef3df3678243e3315ac889733ae291a415b8c4ef846d670d27a369f7bfa1c31a13825f6ce9557157b724a04c56af22bc2670012
SSDEEP

6144:CifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVWL:Vfk6kDqHw2hmxlrz2HoSR2

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2812-0-0x00000000011F0000-0x000000000128E000-memory.dmp	upx
behavioral1/memory/2812-45-0x00000000036E0000-0x000000000377E000-memory.dmp	upx
behavioral1/memory/2408-46-0x00000000011F0000-0x000000000128E000-memory.dmp	upx
behavioral1/memory/2812-109-0x00000000011F0000-0x000000000128E000-memory.dmp	upx
behavioral1/memory/2408-140-0x00000000011F0000-0x000000000128E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_uk.rtf	6C3A16~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	6C3A16~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	6C3A16~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	6C3A16~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3056	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	28
PID 2812 wrote to memory of 3056	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	28
PID 2812 wrote to memory of 3056	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	28
PID 2812 wrote to memory of 3056	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	28
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2408	2812	6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c3a16403d4ea9dc68e8154de90c1787_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\6C3A16~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\6C3A16~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
709328827151137db48bce66e7f5ec16

SHA1
29baad88bd770ea44d226536b08dd1fb82789d47

SHA256
fe0b0fd58a3ea44265e4152dba33faff00f1f0a9813981ba3e2ce36e08d49a1c

SHA512
5ff6b5c002528a9ad666bab1b1a92479d0b4be377a2dfbcbb606720ab980c9c86a20d7afdf25686a2c1a1e0660a0f338ba0955d4650273efbd775c7a97e6fb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
e8d7d4e7ac533600bd0dc24d24f37a85

SHA1
4370236e2e364a9ad140ea32eb159bfab728a338

SHA256
d7a654234cee9c9ec01b48abb82fdfd3a5988f1ad6829df31d785e940f6f9dbd

SHA512
32d05190e87d1bda4cb4ac42d0890ce672e70d3f821a9ffb07e943e6650cea8beeb154bc7d9fe91ab6800378cd718103b2e69cafe2d440ab3a96c2fd7bb04173

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
f80f848afb85ebc9fa933ea71ed86526

SHA1
469ea650603c884fecd92eda947cb797efa878f5

SHA256
0377256eb36e1f296eb5e9639ee6193177361db46f38d746442e18843ae720c1

SHA512
073cd6431198b7c165064f51992880cc0907e236eb6e7bd18208f65e743569be41bcb16dbafb46d63ff8ab94b6da8bc04e28fd07e19801c6cd6421e1ae9fb4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
5d9dbdc7d5fcfa133e95cde0b5a66d06

SHA1
9704a7312f66b9212bdb22767debce8b117a8a5f

SHA256
cbcfea6fdc476e3f6a458228703d6a906b44be3ed80fb22f4143858b758d3480

SHA512
3fbe799b647ef4eb243efefb03c6f9035f8565cc1240a6cc073fbb7cb7875c822093d430e8f5726047ebd2afd59262159f6065e5425ed8ef0f8298763f9cfacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
14KB

MD5
46c9922f80b56ca43d6944d438781f26

SHA1
096fc3d7578767ddb56d4b06d359915900917a30

SHA256
4df6092943a6166557e3c50deaa2c5bf3f2e547c90cb17938329d431c945becb

SHA512
8ccf3e3ee8308728d59f8446efa7c7d6f59809125db7ba9f7df7d804b8e0965983be069236510eb92a78b9a406032a8e4193743f5d9859a27a7c5a303203a6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
b744e09cd4f2989db3d9e05f13faeea1

SHA1
8e9410b37470fb104891e3c7e7e1e8ab8ff02ee7

SHA256
dd669efe7220edb58b5e4d74c793aec9016bd480c546405e3db52e46340dcc9d

SHA512
e85b8853cc7ed1648417a72705973b35524bd3d4232c54e9a966107ea122f68337e365d812ac46bcf6ae5ff0b5f569cabf059f739c505d3d8c1b6a97dac0c7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
557e61b1c53484bc4ab28b2b6c5675f3

SHA1
390dde798fad5188f3724ad071f73df59d7dab7a

SHA256
aa432c6713bee117e3c9984de2ef6cda7446b8a8c74f330f2d8aa544990e4b21

SHA512
8a5519c26272e1d1a38bf493edd94c2bc36a6a38c2e4c27627d659cad31d98d3763081626165e037011f58f9c82cae0d8c772e34aa4ec0bd03d1ad030ffb0f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
f7bed86242c929b3f434e0a23e02ced0

SHA1
a96fb6c4ad0e84bd7a72babf79d5df2537297e35

SHA256
0e15907d0374c7a7a5b909dd25165b6edb597d7cfabd0163beadd60a4de0699e

SHA512
cc67a1b2c8d6e5e5cd117c27d1bf5cd5e087fcdd871f0c181222c947619a651202d6ae4b6b398a8a2f6249ac26b62685c6669803c8fe63c738eae7ba39ee5030

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
ade29f27531dad393369f9c1b22e2d85

SHA1
7943ae3d6664579515f5c674f8e31f9d0792778b

SHA256
b5807e6193a1d2a13d33b95187b861e30a12cac4c2af17805db1072b9ca5d647

SHA512
6691c0cf8e1b8409d2c2b6cd888bddd54500ea9957d466ae5f8f61f0eb6bc9001fd2383a2e80100f27664c502c9af55c20ab8e55414b40713324ef1b91148b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
9bb82e265f003d4e9c11cf4d48304b76

SHA1
ce0b56c1777605b69e8ae49299371bd0ec9d897c

SHA256
913cc788f1edc34fb3f755f2fbb20fcf3645c0db8f8ddaca3fd77dcfd6924867

SHA512
a9477592ca0858c69d84c80982f0ac33f1c3985f7c345981f8acb1c8176be06fb13194a3f093bb47743f83ed06b2658c8404015d63acafdaf4d588f577c02ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
85370ce6cd586de53cdf4f9f0da0a157

SHA1
42ea3a29248313e7e3bd2e521a9128b33183de97

SHA256
2e7e1e39739b2653972d3d8840c9ff50d071fe6a24758a294488f99d6fd8ece4

SHA512
fa0b210303c0f86c3b8b746d3d435dcd466b6b472f9626086f5ded21c397e6731de0a6f110690e10754de29e9326a109d568146fd4df6afcd3044e5a28e55446

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
2c430f38dd49a9f22deeb1d67dfe3beb

SHA1
4655c04ca04bd0eac18f370d95fd35c991ce1510

SHA256
b0bba55c48ecfe3899510239797eee0af71c552f5c0f173e0eed49ffa2f12c15

SHA512
e40db9911440e034238a5077261dab4e04c6fd9c94fc876898f3a561b98fc84ab2e840f052ba5851997eab827af6e51eb3c7a262e013524b19a024a6a823eb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133609713435654000jre_packed.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/2408-140-0x00000000011F0000-0x000000000128E000-memory.dmp

Filesize
632KB

Download
memory/2408-46-0x00000000011F0000-0x000000000128E000-memory.dmp

Filesize
632KB

Download
memory/2812-109-0x00000000011F0000-0x000000000128E000-memory.dmp

Filesize
632KB

Download
memory/2812-0-0x00000000011F0000-0x000000000128E000-memory.dmp

Filesize
632KB

Download
memory/2812-177-0x00000000036E0000-0x000000000377E000-memory.dmp

Filesize
632KB

Download
memory/2812-188-0x00000000036E0000-0x000000000377E000-memory.dmp

Filesize
632KB

Download
memory/2812-45-0x00000000036E0000-0x000000000377E000-memory.dmp

Filesize
632KB

Download