2902288bc854de345ebe57cf0d8b2ba7dcfaf153c962468ba8a1886cde71f66a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe
Size

40KB
MD5

af9bb29a99d8305669087ed6b33de18e
SHA1

1bab8fa39b92db16090a87cfcc3491f1b1c5d33c
SHA256

2902288bc854de345ebe57cf0d8b2ba7dcfaf153c962468ba8a1886cde71f66a
SHA512

0066056b754bda319cb8e3c3cebf34884844b15849495d96a6c0a87f23546e2647c6a24468131fdf4b9e4d5971cbae8b71453f1ce93c2bb27f05db0b7d73ec12
SSDEEP

768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHeNJ:aqk/Zdic/qjh8w19JDH+

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

4300 services.exe

pid	process
4300	services.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\services.exe	upx
behavioral2/memory/4300-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-13-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-81-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-412-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-455-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-458-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-462-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-549-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-552-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-706-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-739-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4300-751-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\services.exe	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe
File created	C:\Windows\java.exe	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe

description	pid	process	target process
PID 2504 wrote to memory of 4300	2504	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe	services.exe
PID 2504 wrote to memory of 4300	2504	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe	services.exe
PID 2504 wrote to memory of 4300	2504	af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\E2G4TYJC.htm
Filesize
185KB

MD5
cdada4ed3b1a6aa4bbee231f8971152c

SHA1
d358f23bf1af370969bac65c6089d720c92bb2c9

SHA256
a027624f2d71e3b1480bbd501c89595edb128d6e1a16eaa6f03d900db89ee58f

SHA512
6270e2ecbfedb1d51f230f42cab9408a838875913ebdc9cd47f0774df918d541b6f1d228b8664673889415f5f87d9babca096dd69b94336261d77567c5ecb5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\searchZEY52NDC.htm
Filesize
150KB

MD5
ac5f3185184458ca654f287afa9230fa

SHA1
6a3c772ec2117bac65c56f916584cc99b77ecd96

SHA256
1952c689b875050fdf3793f58fc6447550b82202573a93fbca97b2ac058dc898

SHA512
ad7b52fc08f12e73f7d92c11775316e7d8ec33b769ce64daf96bbe269dc924fbf10b3434f65f800b3a479e0c947f24103d54298db6f164360c3a04499a1ec1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\results[2].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search6IFVMJFA.htm
Filesize
128KB

MD5
78f956ebe772db28480f34aeb24f79b8

SHA1
a7f7f99a9c076b5b368f523dbb30e4af74ef2f15

SHA256
c5e67be970c32cec30ede054e97c76e6af2cc024393cd7dde8a28eceabc808e4

SHA512
150f3d7c5d9be62972f0ab9135e98373fb84994597d67f8857ae4d2c605449edcd54c4d952edf7501bc5e9cdaa9c54689445b0516c2775fe59a297a8a1b70a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search770IEGKQ.htm
Filesize
118KB

MD5
e1afc2af83ddba77f32bfb34c8769125

SHA1
8cc71d342f4e2d71d215e701d7d33d91bcb56456

SHA256
c095973cdefca79652257892e619ce0fb25341a35a732f506f7a7930f752a331

SHA512
f791e5ae3520881a6c5f4855b9fdb0db84a36aa2193fc5c1db12240f2171dfd803e0f167810429d5d646ceb43d929fff47bae61de492f46896218c24db28850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[10].htm
Filesize
137KB

MD5
354d0c0bb1452845aaa2c7dca9763066

SHA1
3861a12317fe4fabdbc707cd24571b4fce759ec8

SHA256
70d5e9bafe4d0d35a44ea5a513564061ee22d31c0410ec5117e0e5ed258e3b96

SHA512
1b7d7a4868f877888a28dd6b1659278800fe94f923c42d097719ff3d5d772d8754a6f335e35deeeaa751a4b07e01c2e6d9c458de44a64e742a17ce5ec9c68254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[2].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[3].htm
Filesize
113KB

MD5
97a0755700342ef5fcef92c96381d942

SHA1
afadba3ba10f500f7dd2f57a64cb147ae84d3a0a

SHA256
54c2ec0d0262a5c5ce7ba40e1c672b5fbd481cad8420a7fe916a00485fd7d5de

SHA512
f0b63a82558f0ee7a05f71ed676f9e659ca50cb42b14a6999011a526ef3a788c7626289bc6461746e07954f5c7a5d36b610e5c875169601b086e72a4c80ff7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\HNYNQ7Y4.htm
Filesize
185KB

MD5
9ee65211970f90eb1bace578756d4ad6

SHA1
b5faa69c75a5618ad5e7ce908d11a3dc02da5258

SHA256
fc6c4f0843aa390859a738b966ebd7317d21c28b1420a759f519e798725c81f8

SHA512
5b9dc2e316aa69ee6f70edf75a430e9150fb61dcda3c1d6b0abf0ce9209e550717f3f6e3246be56d1ca0504c8169ddc0f525c7df384860fce53b65c2448213cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[8].htm
Filesize
130KB

MD5
f38f268cce37f454084f0634a2a01daf

SHA1
313fa37151275d81481538241438322cb6b192c5

SHA256
e4bbddb9fd3c72e832f9b1866730ca85bf1b125cd8e37785c455d95aef2c7df7

SHA512
35644cbb0a906f0b7542e3565541913333478e60a48eb50d38f2572c0b90184f769504f4020a4d064aad8c6da746fea9e4447a66f7bac0b5c6bed5a46055c307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\results[3].htm
Filesize
1KB

MD5
35a826c9d92a048812533924ecc2d036

SHA1
cc2d0c7849ea5f36532958d31a823e95de787d93

SHA256
0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea

SHA512
fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\searchR0V67B8E.htm
Filesize
132KB

MD5
091b1a29884d1a606a5ffd0e91c04f8b

SHA1
b600fb4e4c5a584ec84492a8a5284812f151d279

SHA256
286196e3702b356962a66d970704a1c132568bde7827a617cdcb569be65ab64e

SHA512
adb9417705a7eb925ecacd56a0ef6cc196e31a5323a33dd831dc681c98204df3d6deaae9de467ead591e5ae5dfb1d136c7d4838699cd784bb8e4da0e1c41bf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\search[9].htm
Filesize
127KB

MD5
2c96d7669637fc44049f6401ba5fba5d

SHA1
308f2fc95a372f99e772a0077ae6f136858c0f12

SHA256
007d02b9409c2ff12dde987514b6706e1cdb7924020d4ceb51118beff8d51d23

SHA512
04ad65e08e169c27e0fcedf27370b2c4d2daea16639f48199d52e8b701119bb9dec5804cf3dca31d2f72b282dcfbce7c42c88491be18f6b6c2b7698a9b45330a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp
Filesize
40KB

MD5
c83086b89836df99b6bb13e955cb4934

SHA1
583da8ddaaa9af341ad2294e40eaf5fc6c6ddd7e

SHA256
b33f902e4e44a186b57b98e6d8aa99301fdafd029c5f20a2fd1f840deeacce5b

SHA512
b9e22c760909878dd82affa4ccaa404f39aef8764cb710d92608dceaf8693a912106133cb6e679ccb6bdbae04f7407216c1ab8b21c9502d9d045e2cadbc8f886

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
b7679ea4423f41d35fad204c01807765

SHA1
d494810a553eb3423ec598e2e2ccb3976a60a0c3

SHA256
5c105cd37fe34de33cb1d8870b8bbabfe666945bbac557e94cb7eac7ad2932db

SHA512
211d30b8c4c74bad9bf67c3914e02223cb0ae10714aab1410630ee7497dcf3dd701a1ea9d334f2f4361afba3a01d0ed7629e36167bb06aa05ee3819dcfa5a553

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
9a4cf575be829efaa5e076e8f92bb045

SHA1
011753507a5a3f312438d02755af38dc3bce66e3

SHA256
49e6b41e990b67a66f79ea94aaf9a8024902231fbd14dbe3d6fff4ce430cfcb5

SHA512
781489b65354e95ef81f727baad7018fc35275a564790f23b650b6314cfbd8aacb971e6d4dc07ee560a9e1478b213aaa1da5e7db0ee2bf71c4dd913f5e000eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
d9c6c7fc8846e1af078d28603da27097

SHA1
8f5871770f4de7421dbdd1547a64c75acf43dc43

SHA256
92193ae6358d1132dfe72ebe7d8fcfb8156b22b3d912f857c52c98252fe3e5ff

SHA512
44dbd8d63eb7dca22b6c177b746c738bf3d817e259c49c9e5538c3b2c6f85a24fdb0c66ed54fc15b78c6b6fecc894a898c7d7f4033262dce3dce01667bc345c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
68b3b79a7a099b964ab8af1ef64508fe

SHA1
5c9b5313879bb82f3d1d49e14988975b1c9742b5

SHA256
aa22ba9af48fd5afe8e76a54831b4e99b78d9afeea093be1188ce2b299dda27f

SHA512
4e3b0106c5c2069e8300f0876df1f9d9476e9392e61dd8536df0a4326a4476d77bfecdcb9466c17a758efdfdd021215270e514403428747353f4b7f2853f9cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
53d466e6ca70dda820fd620b62445cc2

SHA1
c4ce6f0daa6cf8e2f8aeb253fb1d78e00a9afa86

SHA256
845e31e2fd817535f42ace98e382cbf55ccc0f870e3033fbb104e2ad1fd660c3

SHA512
b7812d90da54701b5102250ce35d06afd6531229f3dde57a36894e22642dbca60827b1b2fec93c579333a849d73535472c9e773b517cf0778313f8806834898f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
08997ce89b684222b4d59e6b575d41c2

SHA1
1b1ef305592b1fec30075f0dd975ebe096e32e8f

SHA256
9d380721b71c6341c252e0a81dae6314d664f8dba240c091192bc069fe96dce0

SHA512
6629e77ec618a16ed179f4fca2d6a2fd6e12fc2e7d59e439623537658ba54735c645e26c93d7bd573c455a9b42f6a00f9f99eb039787eae52019026975b72ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2504-0-0x0000000000500000-0x000000000050D000-memory.dmp

Filesize
52KB

Download
memory/4300-549-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-455-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-81-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-552-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-458-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-462-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-706-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-739-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-412-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4300-751-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download