41bd936780175c8426596c4412ec550d9e34afc5ebcce436e38b43268cf66d2f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe
Size

40KB
MD5

aa830d37b6634687837dfbba5ca55c09
SHA1

8b3fb03d5b73abdfdd94fa651722b919e7e0e871
SHA256

41bd936780175c8426596c4412ec550d9e34afc5ebcce436e38b43268cf66d2f
SHA512

55da7a48a2a714cf279fe84bbf93814ad0b8f0732fcda3e3b966d19f3fe93938f218e5d306e3fb902067b90fbc96a95635d04ec7a7e38009dcd2956513337265
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHNFYl:aqk/Zdic/qjh8w19JDHkl

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1492 services.exe

pid	process
1492	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/1492-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-39-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-239-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-392-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-395-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-396-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1492-454-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\java.exe	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe
File created	C:\Windows\java.exe	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe
File created	C:\Windows\services.exe	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe

description	pid	process	target process
PID 1528 wrote to memory of 1492	1528	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe	services.exe
PID 1528 wrote to memory of 1492	1528	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe	services.exe
PID 1528 wrote to memory of 1492	1528	aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa830d37b6634687837dfbba5ca55c09_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\NI9LYEQ0.htm
Filesize
185KB

MD5
eee349648f71037a7b62baf55cf40402

SHA1
3daaa849b0e5c679f6268a24cb50521045034c6f

SHA256
e2831a4918b61a3558510e25329d8515e09ef7885283acaf53620c454a2355af

SHA512
c9648e54a8bd11c29aaae09ca378a5b229ddbb7975fa6043ac23a92be532f76fc867a0d0746ca07ff9c7fc53e8b63229cfb5dc017fe84594a1d85261f05063e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\YHWTCJR0.htm
Filesize
185KB

MD5
f451cc6784a216f767b653cffb930506

SHA1
17633026dab207aaa32f3d4fa3148b3927695b6b

SHA256
060c1104267dd912359fcd82765f5e48c3be6fe6c17923860371eb3b15bf6913

SHA512
9bf72d52acba27c7875177b9d562954eaaeb8d435e6fe035d7ab8481a5bccfd249948712ff8a5bd7dc11928742977b91ebc6ff4771e51d3bd4d2631f09bf7369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\results[8].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\default[1].htm
Filesize
312B

MD5
c15952329e9cd008b41f979b6c76b9a2

SHA1
53c58cc742b5a0273df8d01ba2779a979c1ff967

SHA256
5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7

SHA512
6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\searchNC9A0XHY.htm
Filesize
139KB

MD5
3f90e0ba8935206f16ec491d1553eeec

SHA1
c292fceb18cdbb171ffb2c8879220dfd219c8db2

SHA256
b3b6cc4e792d89bee1b1ca37c7382cb4b9b95c5a0179d41e13fd7ead0ed772db

SHA512
506101d8c7461f67a6fe9a98c3c34716015d7dc5847828f105eaf684b8fc12fbadf2b577d1c840e5dccfcfaa466ef790d7365ad5322a94a4746ad4d6abf6dbbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[10].htm
Filesize
137KB

MD5
02fd5d89ff333944530b4c5c8220cdd5

SHA1
a95401f241ac061e6959fa2ba26f791956575b05

SHA256
d74700b5b4ee0820c4371d3632073778476dff2c4283dddda0490d0f1debfc82

SHA512
caf05c98abe0cdc09e3096dfec1973f83ed6292df5d0564007e09018f41a7b84ef819deb9915b17c38fb9ccad1403f06de31b28cafebc73d599a1fa1f4e60052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\results[3].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[2].htm
Filesize
148KB

MD5
f7f9acf8b55ae19313dba7cc8e682720

SHA1
d323033719590fe68c745ab61ad882e6c6c419bf

SHA256
54f1e48ca0f8fc9b8f2d02050059a1123889cbef66c21695ea51ac69afaba423

SHA512
a27ce1b1753550ecd9a4d84567b540232a5de8b1de2289761fa9f78508fd9b67c8c291737c3ac67ea3b5250f199c987aa82411939b41bc71463a6ca85c2ea519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[3].htm
Filesize
117KB

MD5
0157ec5f4e33ae31e6f3448d5148f93f

SHA1
0c06902fb619233b772687a5946e0f067067acf9

SHA256
f28bdeaef1b38c0f25d636857f8a1c193f00bc0ee2ecac95b05c64b3c59a5f51

SHA512
18a2122b215ad601011ec1ecfcb63064d184ec3738a2a7deacc279f52e2c043bc7b5a35bb2c4f2da6158eb76ea474516e27ce75ed302e37a7e234eca529944b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\search[4].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA797.tmp
Filesize
40KB

MD5
aa830d37b6634687837dfbba5ca55c09

SHA1
8b3fb03d5b73abdfdd94fa651722b919e7e0e871

SHA256
41bd936780175c8426596c4412ec550d9e34afc5ebcce436e38b43268cf66d2f

SHA512
55da7a48a2a714cf279fe84bbf93814ad0b8f0732fcda3e3b966d19f3fe93938f218e5d306e3fb902067b90fbc96a95635d04ec7a7e38009dcd2956513337265

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
c97995760810073ed6dae941e1f44f6f

SHA1
2da8f641907e25b1353d1989896d34cdf6aca624

SHA256
bf9d10684be7d9a8a8677259a3f080a987e96316821c88c96c80239927ef07c1

SHA512
b96e7da0b648791f09b7f7ea571ff5941031fe56a835cb41bbb79793e55362b9726d9d8a8da6564718caff9182e84bed3fb5eae81471e71e7fc0b61dccf746b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
3f054943031005eee380ddd74ba1c1f3

SHA1
f6adcd9a32d3f3d7b8de422e76911920d1cbe7a4

SHA256
5179ac34417b3f4ba26fcee445c36751c070832d2952c0d6f090a5d47ee6b5a8

SHA512
e2915f1693d70979d8f7254310ecb9a0ac2c8f3e73babde3c6a8c264e8a40d6d6001ad571baa899c3b74e00850e3971701ab463626c0c69185c6f4f0b9f53875

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
9311f88c4e6d27c174ea81d959b9b7f5

SHA1
fb7a2dabacaaf0fc16efc622f37b75e1f168939a

SHA256
1bf4ae5e78731dbba022fb59239940206cc1e651994b2cd88776618d707c4e84

SHA512
f8e6c0369b25c6c85a5b731ee3dfe17b1d81daed6e2710cedc7380dd4a23b19de871660384901107c1541c0059d7bc784a45f26194fc1873ab73886501d2f597

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1492-239-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-39-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-392-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-395-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-396-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1492-454-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download