3da546c3903fc1e24d072ada094646ca47a0184165364ea11f46559c02099aa1

General

Target

6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
Size

40KB
MD5

6f964240dfa9be07d8954fb7d2bbaa5d
SHA1

ee621baba4cae18b3cf917f105da1e6270ea30a5
SHA256

3da546c3903fc1e24d072ada094646ca47a0184165364ea11f46559c02099aa1
SHA512

41f92bc526a16f61d1533ee0577cb6c066a57cb99764e67e064259c8d677ea2adf71e6e02b609ea44fc854b2d65345a4c5f3f63d57e373c70b6487d3b908b8ce
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHc:aqk/Zdic/qjh8w19JDHc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4788	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023438-4.dat	upx
behavioral2/memory/4788-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-108-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-160-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-166-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4788-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
File created	C:\Windows\services.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4788	3844	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	84
PID 3844 wrote to memory of 4788	3844	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	84
PID 3844 wrote to memory of 4788	3844	6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f964240dfa9be07d8954fb7d2bbaa5d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9O7X9C7J\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tTruzV.log

Filesize
1KB

MD5
0f2f8f1652acbce09085b69940ad792f

SHA1
76fd8240a8525dc17018e3cfba8146e994def0db

SHA256
2f12e4b9f4275917350ff64dc175bc5f7d12219b5665dfaca7118b10813e188e

SHA512
bd06c18400476a363d46418428ddf562f245f9e4ca8b100eab0c274ef9b52fbc9e9b7a24aff4243ac454f231e7c2dd5aaf840068785e0a2ffa5a224505098f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC58.tmp

Filesize
40KB

MD5
fbef8ca0a699259069f922437472418e

SHA1
ff20c39a6be60893c0aee63b7973b9e0d7388552

SHA256
4049fb61acbdbec7718fe4f665a89224546bd41563127ad4b4eec36e3cdf5c9a

SHA512
a279b2c761012ba44ed43eb7778a4a8c732322eea2e4db9507efa4276df747703bb40f28178b158fecff28499f470a64206f384e527f0feaa8046f7e12595f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
42c47ac44445603432aa705d6be24d5e

SHA1
7353133b691a512c81429d3dd9afdcfe642405a0

SHA256
56aaedcbf044e90941f386354f11cb718bf1ce07235113711566a2b3399a5167

SHA512
308c073a530f06952d9e1f4047621012e6755233221515e8f2e39c36f2b3f747f4dc450408e386611cda0baf6825a1bf0fcd9eead1bfbe240b8c33d997048f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
a099ac290ad2b2c043dd0b962688de90

SHA1
be970a05cfde21bc0d7becf83057b349a2fb6464

SHA256
6546f5b4c22bc2b97c27bfa014d831aa161d685bb178a9511df257c492be784b

SHA512
a07029ddea1be14338cd1c1aca55774b0be8e0af69fa9e5ee63a93cb6e058b70c83748ee58abe8b4af2249a44c8b0f89d3341b6ca0e1c263538432780aef8882

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
2a3737b29a428abe7fb8f55a7717276a

SHA1
803b65748ee3f2eecfdf8f78cd06c1314af0ac21

SHA256
800636ea2a3bfe6926a59a91cb1c4cda0f15042f43845a1eedc00ca307458848

SHA512
8b6573d96acbfb304393494476abdc7fb7116a7e98d56f0454c6c948831aa96ee71b71286c4158b1d3d1d69bf5dd35610b8eca6f7bcd2a71e4a97de01c6f0919

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3844-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4788-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-108-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-160-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4788-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads