3da546c3903fc1e24d072ada094646ca47a0184165364ea11f46559c02099aa1

General

Target

6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
Size

40KB
MD5

6f964240dfa9be07d8954fb7d2bbaa5d
SHA1

ee621baba4cae18b3cf917f105da1e6270ea30a5
SHA256

3da546c3903fc1e24d072ada094646ca47a0184165364ea11f46559c02099aa1
SHA512

41f92bc526a16f61d1533ee0577cb6c066a57cb99764e67e064259c8d677ea2adf71e6e02b609ea44fc854b2d65345a4c5f3f63d57e373c70b6487d3b908b8ce
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHc:aqk/Zdic/qjh8w19JDHc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	services.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0036000000016126-9.dat	upx
behavioral1/memory/2112-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-27-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-45-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-49-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-53-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-74-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
File created	C:\Windows\java.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2112	1960	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2112	1960	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2112	1960	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2112	1960	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp946.tmp

Filesize
40KB

MD5
afc445d062bc7524db95f87348ff0364

SHA1
d597440b3a38bc9d04a0aa36e6b503a4e501a68c

SHA256
c6d626d8bebdcf46296e2eb03c1fc2a97373870f0c53d9f9a338642471bce7cc

SHA512
86af9f3b984279eb7f1cf85033d5b2c0fd28cbdf21dff35dc72b85fd907181974e0d4abdadf534636ca9870c923e8332ce654100f3a74a1928c1d883cf5b13d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynkckbez.log

Filesize
1KB

MD5
999fd9397272dfa4af0a0851ba86a32d

SHA1
11bd766c4176254822e25813bcdcc1c6f30b5c12

SHA256
8e2a227ff819f39a632bfc7202c7dceb86f60eac61ec5cc7ca71168c8475bccb

SHA512
3c61271dc0f98cf88872f80a9c89dd127cbbbbe3885b96a24fdf12a1ab236288486bbad1c5adab94a122c500ee99dd4ad6df6355dce4a32e09bf51ce768852f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
70a950ba6c7270256e5d8701ad8adbc5

SHA1
a6f4c88a1198631f9b38cc180dc9354027ed0185

SHA256
013385b874428dc489a3b56c3735084e5ac9f9872673e9b69c4348066d74132d

SHA512
ce4c26ba34dbdc977ea1f0028284aebc3d02d9f646fbbdf27f0c5abf8e43cb40d11ef9476f3f507713934216a30efd042cdb065ebe71dea7907e2c4ce734b330

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1960-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/1960-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1960-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1960-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-27-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-45-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-49-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-53-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads