54d018497849e2ac5775780f6d77c0c8f646f2a4edc03ef4308e8d261b632327

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe
Size

40KB
MD5

791b92715787eacd65c5c592bb35e4b7
SHA1

0f82b65b6c55846b89b7e1cfe5cc8262d0dc02c4
SHA256

54d018497849e2ac5775780f6d77c0c8f646f2a4edc03ef4308e8d261b632327
SHA512

fa6732b9f8b4623b67ed21643efb26975b79e8e3666721e43cef41d64b7083ac4acae52b70ac2e1058f00a2bba02280a78d51d1ac56daf498c3a83cb428e1940
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHnvS:aqk/Zdic/qjh8w19JDHna

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
2520	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023492-4.dat	upx
behavioral2/memory/2520-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-115-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-277-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-278-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2520-281-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe
File created	C:\Windows\java.exe	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2520	1756	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe	82
PID 1756 wrote to memory of 2520	1756	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe	82
PID 1756 wrote to memory of 2520	1756	791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\791b92715787eacd65c5c592bb35e4b7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DD719OCW\8IF5TEID.htm

Filesize
176KB

MD5
3a45234968a3d27fbe59f68d7ef88ddd

SHA1
e4ceb73014303f91103f96344127fd15b21969f8

SHA256
cd72146c8cfb80f01837fa403750734db1c89279e5c442ba704b60c05dc745b0

SHA512
1c1960a5b1eed5154cfd6211fa5ab5693097ca0febd74dd344447d967ce0cdff2381261adff4e36cfadd91b4b140a064e479fda5be1701c067c0ba9c320ba053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DD719OCW\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DD719OCW\search[4].htm

Filesize
139KB

MD5
8d48186d9c21018115ce2dc761e8e6f4

SHA1
7a2af4f6674cc602207e46e35cf1b003c59e66bf

SHA256
ef10f98cee05f2f6ff5c948b4414d46e84a1d2a80055273c5d3ee5c34df8d2f0

SHA512
5fd2e0bb4c586eaf8eda07a4b29fcb955ae99f6e9afe29a32e368149de2e664febf37bd9011673f9c5dc01b982b0c05b1d068e0572b9d1b9d5112c3f9b272388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DD719OCW\search[7].htm

Filesize
141KB

MD5
0b3f0283b3a6fe2399063f5c5722a66b

SHA1
31ca9f9aacf9a23608fba36e10039c173363dac1

SHA256
4ff16fb9b7c61af6a2eebee7fe40611a9f9022e6ab03cefbae8aad27ea45af4e

SHA512
bb50571d40e11ff11fb906a242dda7bb9595d53a40cbbaa92f3824cb1c74eb4e048bb3638b65c67d6bc7139a48fae2eef226fd9ce78c2c0ed44c2f10ad7fd149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SG9GK5FX\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WOBB13N1\search[9].htm

Filesize
134KB

MD5
f80abcccbeab1fc4c45ec7a5bc34d853

SHA1
2a5930d4d51646f34b8590cbdd1d5eb8965f6d1f

SHA256
6e0fbf464f9a1251d63bb8cab920acc2abbf2cd6534b57605e8895be033f2629

SHA512
83f72179f7946c35871b4f0bbe15cd79d5ebbec979101f29f2fdd89f3d9a3a287bb98dad473d258451f331bde2934aaa878f8dbd9d0308603fd619edaa2825d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\I6PQTTHD.htm

Filesize
176KB

MD5
e2853370727e24ac89b1cad08985db2f

SHA1
aa1685f13659dd0f30f45ee41fafa0008810e383

SHA256
4bca52f2c73c92f082663215421df9b6ef94d3042f64363294b9f81f701d89dd

SHA512
70c90a8cd705889d291ad1927d896c895ea1e0315a1247240fec02500195110af14ddc8505f0b49bf02bd6e4f06c7261c480a506fd53da7a3ca3b9d27b63033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\search[5].htm

Filesize
133KB

MD5
35bc45d027e494acbd681056f2c9988f

SHA1
e3d022fac8f6bf1dedd58e776ad5c295518d111d

SHA256
a5b691ac438a09449cbe2d0dee3d5209974ac225778850ca2296e232f1b73312

SHA512
51d346578c555213b9c1166397ab34e37e066f5abecb12430d1c7046d66f1b9bf01f47a19087232d6a110e62e61d66f409e1fa5d64e5609d7f08294858b68aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFD9.tmp

Filesize
40KB

MD5
07a037d33e66ece4745c661ec7978589

SHA1
ae201d6280aeef4c604dccfe13ff52c58f75901b

SHA256
2abd18a4ce7df6039aa3ef261234a12e6b90ebf838aaf1046cc18b890fdc8a61

SHA512
9d11a4eac8940e4349c94c9b38283eb5b1cc49630cac7b6da01a7ff50182874838b07a2dd3733be7b34d38e78d177258f870ae293d4c4d9acd45d214185f8421

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ebc5cc7754505b37e27838f6950357a3

SHA1
707c6cc677b361841681233f321666e1a7dcfbe5

SHA256
20b6bec1a2ddc78e010058f0fdf4faef1072d050d9f11d064c82a79889b81a70

SHA512
19aead6a34f1ba7bb6983ac1e442d152f4f8996a0b574da96f71277105c856e305730eee5dd5f4975a0ef8166dd466e4ef68de4af7078a477b7f3809f19b0ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ad710520416ffd515852cc864cf3051a

SHA1
e9524a2922a2d23ff4845f341feb83c4a38081a7

SHA256
0dbadaba030692c589c8d8c0d70dd682686444cb1861c8169535b12508f83db8

SHA512
63a1350fc58894a074a1cf75798a364d7c8bf9840119cf72691e26abbd8d38b422d359876d549e42042dc35b54f5dbbe2520bce6c617c036e8057c186be6e2f2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1756-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2520-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-115-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-277-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-278-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-281-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads