Analysis
max time kernel: 141s
max time network: 134s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 13:45
Behavioral task behavioral1
  Sample: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task behavioral2
  Sample: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe
Size: 227KB
MD5: a5dbaa806f205ed76b1e389ef7934c06
SHA1: deaac3f62970e4a3c3087c21eed44c6899560ea2
SHA256: 16e2e3285781170bd60f881927443d71c0c0cce4f5bfe8b1d7e2ce844ce4c646
SHA512: 8895b86c99882b2e77d55a71b27812d85c3bba720b102a7ae72454c27721951cd6ec2d525d9d636580c7c7b914a42a03c84f97b13df19ec909b043c9d789a54d
SSDEEP: 6144:KifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV1C:9fk6kDqHw2hmxlrz2HoSRu
Signatures

yara_rule upx (4 memory regions matched)
  behavioral1/memory/1728-0-0x00000000012B0000-0x000000000134E000-memory.dmp
  behavioral1/memory/2556-40-0x00000000012B0000-0x000000000134E000-memory.dmp
  behavioral1/memory/1728-88-0x00000000012B0000-0x000000000134E000-memory.dmp
  behavioral1/memory/2556-89-0x00000000012B0000-0x000000000134E000-memory.dmp

Drops file in Program Files directory (4 IoCs)
  description   ioc                                  process
  File created  C:\PROGRA~2\Zona\utils.jar           A5DBAA~1.EXE
  File created  C:\PROGRA~2\Zona\License_ru.rtf      A5DBAA~1.EXE
  File created  C:\PROGRA~2\Zona\License_uk.rtf      A5DBAA~1.EXE
  File created  C:\PROGRA~2\Zona\License_en.rtf      A5DBAA~1.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (11 IoCs)
  description        pid   process                                              target process
  PID 1728 wrote to memory of 2688   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   cscript.exe
  PID 1728 wrote to memory of 2688   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   cscript.exe
  PID 1728 wrote to memory of 2688   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   cscript.exe
  PID 1728 wrote to memory of 2688   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   cscript.exe
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
  PID 1728 wrote to memory of 2556   a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe   A5DBAA~1.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe (PID 1728)
   command line: "C:\Users\Admin\AppData\Local\Temp\a5dbaa806f205ed76b1e389ef7934c06_JaffaCakes118.exe"
   signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cscript.exe (PID 2688)
      command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

   2. C:\Users\Admin\AppData\Local\Temp\A5DBAA~1.EXE (PID 2556)
      command line: "C:\Users\Admin\AppData\Local\Temp\A5DBAA~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
      signatures: Drops file in Program Files directory
MITRE ATT&CK Enterprise v15
Downloads
memory/1728-88-0x00000000012B0000-0x000000000134E000-memory.dmp (632KB)
memory/1728-0-0x00000000012B0000-0x000000000134E000-memory.dmp (632KB)
memory/1728-39-0x0000000003580000-0x000000000361E000-memory.dmp (632KB)
memory/2556-89-0x00000000012B0000-0x000000000134E000-memory.dmp (632KB)
memory/2556-40-0x00000000012B0000-0x000000000134E000-memory.dmp (632KB)