bb374565e85714d84da222a9f0a64d93b5e74d936c75e820d0a6c9e3c82b4bb7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82e6e214154536d029149aabae69c78_JaffaCakes118.exe
Size

40KB
MD5

a82e6e214154536d029149aabae69c78
SHA1

b6031db9501d397c1c0f97b8a024b671809ed160
SHA256

bb374565e85714d84da222a9f0a64d93b5e74d936c75e820d0a6c9e3c82b4bb7
SHA512

6ab49ec7789e6fee59a1174296e6ca07d252c6616c79a092fc0fa8e1b1ae8fa9be4b9d4a2313ecdbdf695b722c33c2b27eb53cc9d987def0b35c215b30a5ed10
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHQXot:aqk/Zdic/qjh8w19JDHFt

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2664 services.exe

pid	process
2664	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/2664-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-44-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-158-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-306-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2664-309-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a82e6e214154536d029149aabae69c78_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

a82e6e214154536d029149aabae69c78_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\services.exe	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe
File created	C:\Windows\java.exe	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a82e6e214154536d029149aabae69c78_JaffaCakes118.exe

description	pid	process	target process
PID 4896 wrote to memory of 2664	4896	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe	services.exe
PID 4896 wrote to memory of 2664	4896	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe	services.exe
PID 4896 wrote to memory of 2664	4896	a82e6e214154536d029149aabae69c78_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a82e6e214154536d029149aabae69c78_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\FUKAQ2PX.htm
Filesize
185KB

MD5
cc35b4374c511ebcd612b256c0fb1173

SHA1
9b61f3dc483eef83805a2fb9dc762c3797a2a43c

SHA256
763af7663aa21969412212d32a6736e64009ece0213a4f2b3b8710e0c16d9080

SHA512
d4df6da3be30f6da1561f7167273d4da5d9abf233c3bf1f7cb80da95bd13b8fd6a1dff8ae6c8fd2c6cbe9b67f721c95c63d7beed5f5b7fe1506b97de617aba5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\QSU2IYHZ.htm
Filesize
185KB

MD5
181b66865a3361f61971ab5f37ed63b6

SHA1
aca1c6ca00fe9da671e16ce0f9d017cde5df120c

SHA256
49bc50c30e7487a6adf46f1cd148451ddd406623bb8c87150d32b8f7a3feba70

SHA512
ce6567085358c26e972f1cc57cb32293742ea63724c1d21b822d20b47f83de24b0dba876db76f48f3528354e21370ff94f705630204804663255b7c18aaae914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[1].htm
Filesize
159KB

MD5
199013728228f2a3f453a1343a8b05e5

SHA1
22face282fc1490de668860913c02ec26545476d

SHA256
59d8d594f985ac82dea568c7193b76faa2fa762f0635c02b85c1840fe9e42ee5

SHA512
447a39aaecca9f0d627a6ca3c77fb4cd2768ddccfa2903fd233cafe7abab67db5b91dc5ecfd3472fa3b456afa8948b21474e6e47a1fd8c03f557fa27948bf337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search[2].htm
Filesize
114KB

MD5
3bc89b49ea29fa1b300778cfe29645ef

SHA1
f5b7ab56a13d9787c6788c27f76310c87b922b92

SHA256
1736b2d05756e813a5aa8d49fba33338cb42cb4c20ddedcc0f3c2e5319acc14e

SHA512
108c4fd2b23f3677f2a6618999007f91424ccf49bfc6edcb8b8dc32c3dac96f63aca3c27f149e18ece19634cbced83645f40db24dfe2cf3ad04a383e153c8876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\results[1].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[2].htm
Filesize
130KB

MD5
77414aecfeb870e74cdfcf064402eea6

SHA1
a7e2e01c2d9095d18690dbd88104ce080c6792d8

SHA256
4ee2c5e1b61ad9a088bfe4068af04a2944678f0d52d2445a41c8b3f34972d0c4

SHA512
b5f7100e7ad36afbbac7aa7ed1138d6e7822a5968872167bdf861d76b3a6ea905dd4c594f73f3e95f840606cea2a4ab7aa3390913c4014a98ed103a9fcc5d4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64.tmp
Filesize
40KB

MD5
a9026fa2d0f2e184a7d654d21e8fe7aa

SHA1
48a973377e57c20787944c9c7fcf0f330b92fb75

SHA256
b2a6bcd68f92f0f7061f0b69c06b7e080b9510e743ebcd6b59006467a4c5b4fc

SHA512
3c34b1f299d77b0b50eebe8a2a3cd2c025a199cc8f70f90ea36624aa8d4c12c85d377b76ab080ea90470eb088938dc50554add3e52c0f39c24003edb4306afea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
a4f416adb70efb9186915588222eb9e3

SHA1
50b1655ce6cc76c6091edae51886c7bad5f70089

SHA256
93395751ecbe4b820be81436eaa8761a7d07558768ec6e4453cbb2864b80cd1b

SHA512
bf215517e17881b0099480452c6d19dbd04ad3421f1584b9da06d7699d4f599204bc2d381bf3835964bc7c88a56732b34d76904ed9421043ed2649e90497da87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
aac1ac7d48d54cb25259f064fa58a086

SHA1
e89e56cf20d0cff2a2fb8cbf04866d317b08007e

SHA256
1edb4084c84ed0a387d10c677ec4aaee09b10ee9e82c4b9a3792de147433582f

SHA512
2dd6de3e54bcb96cc3ad8f39d6523dda2d56441591be48658e322af4f1f58ef1a2361c50531a13b82e3881beff66321604327bf47dfa5db60153761c1686a00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2664-44-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-309-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-158-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2664-306-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4896-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download