01e884e7ea3b60efbeb0099b8280c3b27b9ed5674cc0e54efe6f03a0ead116f8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Size

40KB
MD5

a880b957fbaef5933388d7edc16f3c7d
SHA1

3cb38a3c4afcdb2e7ec4e8fb5d6d6e5200180f82
SHA256

01e884e7ea3b60efbeb0099b8280c3b27b9ed5674cc0e54efe6f03a0ead116f8
SHA512

2b5c581d519b1c882687a7b5a8d2616337a21d3abf9e0e8f0d81f59fc8c232198d420a2da3215e32b203f5c6c09a55468531e4099dcc64270625435dd0f80201
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHhUCC:aqk/Zdic/qjh8w19JDHhUR

Score

10^/10

google microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected google phishing page
phishing google
Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1800 services.exe

pid	process
1800	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/1800-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-140-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-244-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-287-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-291-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-342-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-480-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\services.exe	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
File created	C:\Windows\java.exe	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe

description	pid	process	target process
PID 2368 wrote to memory of 1800	2368	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe	services.exe
PID 2368 wrote to memory of 1800	2368	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe	services.exe
PID 2368 wrote to memory of 1800	2368	a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a880b957fbaef5933388d7edc16f3c7d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\BG6WAQR1.htm
Filesize
185KB

MD5
c181ee77ec7cf07f60ff338e3d22f88b

SHA1
b6c0f362b69fb16247c3f0549f8d638448f48281

SHA256
99fff104369b1f9a1b9c1ae8056bef04614cc31497560938b60e6973fb0a014a

SHA512
dfd3efc74803a18d93dfe5cd94eb3b1c81394e5756f4fcdf9b10f67858aed0840ae83b95ce76bda9c8f4d7d20bfc7e8a0120f325a305e0882f6b870ef1c13ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\HP21EDLG.htm
Filesize
185KB

MD5
aea7014e33f0b3a21f675ea497b4f4d0

SHA1
b19367e4bd4fb269798cd2b6983d48059d8e6578

SHA256
e42a0a651dfc609a5242ca0f4510d136eb8962510df21876962b75b42c84413a

SHA512
f126af64fe9f75740dd65b7619ca1e4936f8a60cf421e7c7ea7b8c02d3a341f4442eccf0bb43ad81574defb9a3e0c908022f3d4a17743fc4c95cedc7a51d3a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search46FIR3WS.htm
Filesize
137KB

MD5
58e3b353010032afbe95a3cbab448095

SHA1
7116d6f2bc4d6fc784d6ec3a060b8a81edc108f6

SHA256
eafc85c5a789c9a61fba0f0251a0e856f3e319bc6e611960d90ae3f14279bc97

SHA512
20cf734131cabeb4198e4aa587e278386266c68a8fb552ac8f43483ab4b152aa4671e46deceb1eee44a1f3a22d1e39bcef63008e892cfac768f610f59214f18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[5].htm
Filesize
159KB

MD5
61e5328ad0c064020f66d1f069f5cb4c

SHA1
794cb7013c3a0a72c26b99ccf13999ee18e14001

SHA256
842492f92c20e9e607796b2b3aa96f36de8e2f7b38778a27a2c3cfc3cb992729

SHA512
46ada6b7453ca97adbe4d03db29b04fdc2f0ec792906498c14c3903b0ce00ca0ddd516b1af20976666c7c49179c5a2b42fac1ad96c6fe82882e356b50f1356eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\Y3MY9MLZ.htm
Filesize
185KB

MD5
23ead7ac7270c2c61759027496835b46

SHA1
4f9b9f8259a20ee7d7d5c43b63a3d6b56a41b28f

SHA256
d6cf13714626e8e18fa5f1dc9f376deaa257399a02b85b2b34694cff2be00dec

SHA512
d9836859ac7f79db5480d19dee7776e8529e6140426754e6caf137496e34679631c7729e4234d5d03f4c13f45871fcf3200a29e9ed4a4413a032d10098a68c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\default[1].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[2].htm
Filesize
158KB

MD5
4d1e7bef3137f5764f30067d7661921e

SHA1
a4a6634167d5998dfb3fa75af970298c75aefdfd

SHA256
3810b99d84e7988eaeb4a712f5071bf1779c500131212a3997332dc75c546ffa

SHA512
a41c234a6ac2b9357ad66af31b4d4dffe22f0052d16d2eff4a044df27bb14c794c64dcec6c920be8244ff33608f542a62cc0953f5e55f9a2774e4bcec4aa1ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[5].htm
Filesize
130KB

MD5
fb4ad2ef3415d5d7fcf7a092bf7604e5

SHA1
98e0fc7f12fd2f27157fbc95250d29b5153921d9

SHA256
1957ea30ebd78dfa4f820dede308e504d9a2e6214765cb4d6f143ee2bccefa6c

SHA512
2151e39a1cf04244a3034e9555edd922a3bae3b7bd369d0e0fbcf98e9fc7542c0bae08ef1b4396ac086e16b3046f13cdb2b7aae4a6cc721e9ab31b8c69470369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[6].htm
Filesize
100KB

MD5
6b7c0723d6ab60e1ded51f820569ffbd

SHA1
909e83b041b568fd82f802abfe002faaa32ec2e2

SHA256
b9beb9e84316c35c31835709a717c3c9613ac5891737e17799ad87e307ff2ab8

SHA512
f4ad76739af0d547fcd1f43589989e0058b976285bc2867f2d9f8525f786a846b3a51346cfeb01d8a64a359fe19e3d871d9f7e70ed9fd46cfa43b2a1c8b0b980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[7].htm
Filesize
148KB

MD5
08196b12057dcb6517c7a504a4ae4cf9

SHA1
a5cb51219a97b7e2e83e4ee16651ad5c0be45b00

SHA256
cf7135cef9a4b5c3a0eca9c690825e0bf7ea405d67e62bb5770974f3558b4cea

SHA512
279f97658ca4f9e5b95982705e9539dc9211b1f9a47bc553f9be20a6ef886232614c55c36bfc522ba2f49cbf085cbb9200e7191bc04a2923b38b51763a4a0fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[1].htm
Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[5].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\results[7].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EROQDKB0\search[7].htm
Filesize
133KB

MD5
d9fe86d012211d6ef6c8bf90a767d7fc

SHA1
039001ecea415531e565b40ad885c5a0c4cd789b

SHA256
b221eac3335fe05db33595f379b4fa3f3bf03fd755b4494869e4d421bb18e123

SHA512
46b0b066946f211b12cd651a53c27ca106d0a2d764b37a384208a96f2f8b2098dc16593b72cb5c0f502e1e39c5bf14c219096f6dcb329b43c511f50bc720d07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\searchR5FPNVI6.htm
Filesize
137KB

MD5
58dcdc5b75231433953db6560d1398eb

SHA1
e1e6c8396ab49124322116a23083019b1be00e05

SHA256
5cfda389069f5cd9febcca516183f6193cb4f1fa123f160d912aff9965369e2b

SHA512
03625aa1840d484d472b6d72fbe0d038c6d81dff9d7b26797852797192af04d9801d7e708078ac783afaea305859a3af7055857f981e13bc857ebabad9428804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\searchSOFMLZ83.htm
Filesize
150KB

MD5
c9e7b30cb1b578dc921c382cdf190bbf

SHA1
8e79a8febba57343d3005f866c555eecca33de4f

SHA256
2d47b0366b747fc2e9c8c432cc5906c04146a09e10a46d92b7ebce1ce98eb93e

SHA512
26b68a27be6bcd431b502a9d8734bcc290fe5d36ef70f9c179e1e7a769894a319b4960229e0c9f4b49b611aaef4e4443bda31b88f5db5cdc6a3f253595a8f9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp875D.tmp
Filesize
40KB

MD5
06a8e6db1bf0de710e57117b9a5629ce

SHA1
7c24f0cfbf3a8447cc83c9fabda9dd325547319b

SHA256
5a2a052c869271eb20b7399d0838b4384c88e4406201cebd53a0d3d7be7cb300

SHA512
c5faff3b5effc0a26082edb441b90e2dfa064ff0cbfc1cca4096edb6c126b5f26bf3e5f294f9861dc7e716b54af4325645a13fc1ab7480aedd4ce7b7f8ad34b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp895E.tmp
Filesize
40KB

MD5
69d62347d3d95a35deba67376780c297

SHA1
7f86226cd39d0a4d72d074249f012f469c019153

SHA256
b03c0501e66c802a9192add249495f26a1ddc0884a9c60cbe16c12c04257bb1f

SHA512
7c5e862024d66b200a86fc7bf6001b4b1ec94b97ba6b3ce316c91c30c197ee2884585ab519f379b1e8e09bedff8a3c3e65ef89aa79eca6983e73c733233d01d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
7215afccbc2650cf5be990cce80535a3

SHA1
e9b363e7a5b548484aa9e4bcf79f0f7aa96060ca

SHA256
57d26a28e56240a4ddbff278c3b512d3d51355c81e13ad5c17db569a0dfcbbe0

SHA512
41a1fe01a551f421b70df386cb542395dd693078d2223a4c2f3aafb243efa1b41ead39cca7b2c85f47f63829af204b0f2885a7fca3f32dfccd2f6304d0a74dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
1274d0a0c3ef711c5de8abd751b3f65d

SHA1
ba76e10ad9cce7bba4dadf79e029d1551d872d38

SHA256
93b1a657d8036f0313fe301a1ae39d0e57c711de8eae783e46e37b17b10244a5

SHA512
cb6b2be3134eba5fe2f826be633286f4055a2a0629dd55daffc623ab599de337dee8d04899a3b2fca3a46556e963778507ef03226c39173732a10f7389fb1ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
6f90ff0356a72a5adb82465b40fa6479

SHA1
41e562306b7be32d9c2a44ba7e3a04db66657405

SHA256
39c31f0788ce3930f7ed6a8776a922cb7fbda2012d9afd46a00c53579b268578

SHA512
053fffdcdbb2d0244bf3354fd9cf4126867d9a9e6a8d148c69ee4268daebb737acf46b9d561cd00ca8ef3f7bcd9826bc0ed4b58b2deba823a8c0339e0763db44

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
f5bff138113d7949b3a831ae5e053365

SHA1
50bc58b6d954fbc9b4ea4b352ea613d05ef43a71

SHA256
8dcd179cef4555c88cc3d3c319a0c5d264b7c75487d899b15ba8b4576b42de07

SHA512
2ddb24db43e4b7a3f3d28a77cf16ef574901a2eedd5b0b35e17aad231b9a81cd0c75f2a22ec60c9cbbe11ae5e5fbd0b56ecf1024788a959c76ddb1974b01e93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1800-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-291-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-140-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-342-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-287-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-480-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-244-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2368-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download