f1cbc8dc31d4d92e24861352d6df7400e92cecde655927efa7840e5df8b860c0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

955645f4b83364230ce65a74468455f5_JaffaCakes118.exe
Size

40KB
MD5

955645f4b83364230ce65a74468455f5
SHA1

719864b058d7e4d8f99f523a043913e7d0c64466
SHA256

f1cbc8dc31d4d92e24861352d6df7400e92cecde655927efa7840e5df8b860c0
SHA512

24e7bd01426aecd1a393c01c4542335bb4f13643cbfb89e34acd3d22e276122404fad4e27299a5ed8e3408cbb4b49bffabadbc3ee53c449c071864c2d8f0bdfe
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH6Q:aqk/Zdic/qjh8w19JDHf

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
2588	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023437-4.dat	upx
behavioral2/memory/2588-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-130-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-203-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-224-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-229-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2588-320-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe
File created	C:\Windows\java.exe	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2588	548	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe	83
PID 548 wrote to memory of 2588	548	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe	83
PID 548 wrote to memory of 2588	548	955645f4b83364230ce65a74468455f5_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\955645f4b83364230ce65a74468455f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\955645f4b83364230ce65a74468455f5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\default[2].htm

Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\searchV7A1U6O0.htm

Filesize
160KB

MD5
3911b8e8c54f9a4c969cccf7e32bbd02

SHA1
816c8c7898bc14d7f4dcd18c22906a5dc136939e

SHA256
1b89ce3d153c2fc203ecb47739da8a5d064e34ca117668976682868b5f677914

SHA512
696b5d35f2827746de3e50afcdd670f2a97cee0d51e310e3254cfaf629daa184a192959f42359dec848cd8014f1e4381192398e0e032656973eee369460c3dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\searchP739DT41.htm

Filesize
143KB

MD5
34af06d90e78b5364f441b249c8112cb

SHA1
43196e7be89221dbacb14d12caf14574f588b102

SHA256
0f09b9dd8bc6df2c4ea1894b9df88b6f3136665684df2a0ab0cd055b652357a3

SHA512
ac8c8558f33cff29f8e47798a3a7d952f87c98521e3bba4d7c829037c17d37ca912b0f94a5a587e893a4526e909761ecc4583061e8ac5822251bd4e2302cdf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\search[6].htm

Filesize
114KB

MD5
8e4bcd5f45bb2f9034f719a26d1b0928

SHA1
6b2d96b8efe2b1953ccdcc63fc04749ce49660d9

SHA256
029d342f5654a69a41bfeeffa4b0c6ec07b9d151e064a61a921c77119cfbbd62

SHA512
7bb6f247ab262f2ddbb6d976668e6ac7b9b3f73ee751bb8ce1adbb701bb4fe6ea361d4be4e40700971ac2de1e8e31ab0847b68e92c42dbe803b3c06ae2f1cbd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\50Y4CQYI.htm

Filesize
176KB

MD5
eb158dbe8c8fd495d994eba98d5797f6

SHA1
0ef127d65ce81dca5a82377bdb9bae434fb6c4ab

SHA256
9035136c0da6d56bc138a8782a3249def63f0f01b17dfdaf16eed3de15519d3c

SHA512
26f45c97c5923b7f218e8ffdef62fbb72401cb196269d2d47c660107913df7094efd3a654be5e9d916f9fef7ba58e6f7b6bbd323093e2ce275a0e538d387c863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\results[4].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search1BUKUM17.htm

Filesize
112KB

MD5
61e1654a25300c2cdd0a9b17683ec97f

SHA1
467ee9c00433d580c4f9f1a9c6be2bd3a548ca66

SHA256
14c811d2effcf9187eb9acae8840bb06811818b22536abd5269d5aef54eadf61

SHA512
e0b5439c83c790c9ad330164eff47557079a1a7a536762cce7bacc75d54165393cd349cd51fbc1fb1b2a756878ff68c55e09203ef46d9860a85baef8f399ac0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search[4].htm

Filesize
130KB

MD5
e309f5a19750d29951e08ad2d1a73825

SHA1
2a5b5142a30c92ff5ca61e81ef246e12e0cfaa88

SHA256
bb72fb078e5b29fed7d9b8af214aae0f66a954e604aa2f9e1d961786fd06c730

SHA512
df85160d7a6a37577e3f8d1c9345dafa579cb1879f8e45997815e083b5bf81123e7178421d2d71c5b2208f9b6ca6b3d9765bf415b6d508a5a878f4e1f0c9f90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NA35E2FV\search[5].htm

Filesize
121KB

MD5
6d48fce487db7f109e3a08f125bd102f

SHA1
c0ff82f188ff5054f4f01685deea98a92558d1dc

SHA256
255f683849de41f429faead40b4d553b6cdc94fd61e47913df29d5bd1a60dd1a

SHA512
7eb0da5495f70b2c64b08a7abe230314755acdba80a35fbafc60c47e9f26970ed2e1df512515b512534c9d5cbc92b65e2bfce9c7e0e1f188107ce37d910d67b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\search[9].htm

Filesize
153KB

MD5
052f2d87b75b7308554a43e621908ba4

SHA1
714b0126b4e0b87dd717cacf98b7d2ba84ed3d23

SHA256
7c50fd9b621f444c61ab2235dfdec919540a0172f496b121dbaac96d07563d99

SHA512
8fa7b145143ace3acb1a94ee2ef1413103be7c2ee116301620dd1427303b18f4a03f6b7e15e1243e29854c150b515dc633b4ae0a6e8c63577e551604820d1bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnsmluchag.log

Filesize
1KB

MD5
dc3d46cd02bed27fec46a0f3a758f44e

SHA1
0c19c4df8338e6d4469547ec3f7a1b41eb90640e

SHA256
4bb5baf45f27fd743e9d5877928fd6e6c26f46634a9f4748c81b79a0b75d3005

SHA512
9325a01d1f3571f89b38e917afa16e331ff3ab00eb3d0cbaef38be6ca0073505ac10c52a0a7caf4f99b0e64f722a29e85d06463110057c04836b11d28834116d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB478.tmp

Filesize
40KB

MD5
77ce9cacafd72030cf8d2b518c97f2ed

SHA1
2170309d181a6075bdf183c5bca17342cc792ab4

SHA256
b26c53bde19af8ca3d7e940eb988b0449a3fd8bb0fd99c1764b607dbdb34d2e7

SHA512
5474307ba0e4d3d80b2ab214968236facee9ff3bb984e0ef4e51676743e31dbbe7cc8264a4a6ac63e81e72b72d9e7a91e6784f4f0b981015953b8cc46ff794eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
fdad888eacdf35b8b0776ba52762ac6d

SHA1
849254defb33de6b4ca870a8f165054d73b9f865

SHA256
77d55be8d4894e26f06c298ab6467970099e0fb455eca443cb2eb8c75c0c5a3e

SHA512
b8ea5256bd6c0957bbe09dec5eb7eed3d8fcc4cadaac85e3f9853c3f95837038448c1a19ce59ff7e9db90422d568ba4033b1a53a58bb5958e86fd4c83c81c2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ca9636ed716b0191bd9bea146b653d59

SHA1
f4e0a4d05900a050152f33438bf0cce2633fe215

SHA256
63701a3b428203b4ff3aa8cd519199b841f98c50b11f929f2dfd33d3caa960c6

SHA512
3476dec45438f243c6610c07b049917a5802f168e8c1261884e767a347a2f11ed728ed36d18cf8c52c408fb4a99b2fad732da0359741f39448928c9eee19bc62

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/548-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/2588-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-203-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-224-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-229-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-320-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2588-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads