Malware Analysis Report

2024-09-09 11:54

Sample ID 240615-wafyqaygma
Target af9bb29a99d8305669087ed6b33de18e_JaffaCakes118
SHA256 2902288bc854de345ebe57cf0d8b2ba7dcfaf153c962468ba8a1886cde71f66a
Tags microsoft persistence phishing product:outlook upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 2902288bc854de345ebe57cf0d8b2ba7dcfaf153c962468ba8a1886cde71f66a

Threat Level: Known bad

The file af9bb29a99d8305669087ed6b33de18e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags microsoft persistence phishing product:outlook upx

Detected microsoft outlook phishing page

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 17:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 17:42

Reported

2024-06-15 17:45

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe"

Signatures

Detected microsoft outlook phishing page

phishing microsoft product:outlook

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (16 identical rows; no detail recorded for any hit)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 63.96.163.39:1034 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 204.214.145.6:1034 N/A tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 24.27.0.9:1034 N/A tcp
US 8.8.8.8:53 m-ou.se udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
FI 142.250.150.27:25 alt2.aspmx.l.google.com tcp
US 8.8.8.8:53 mail.mailroute.net udp
US 199.89.3.120:25 mail.mailroute.net tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 8.8.8.8:53 smtp2.cs.stanford.edu udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 burtleburtle.net udp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 mx.burtleburtle.net udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 52.101.9.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 search.yahoo.com udp
IE 212.82.100.137:80 search.yahoo.com tcp
GB 142.250.187.196:443 www.google.com tcp
IE 212.82.100.137:80 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
IE 212.82.100.137:443 search.yahoo.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 search.lycos.com udp
US 209.202.254.10:80 search.lycos.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.altavista.com udp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 consent.google.com udp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.238:443 consent.google.com tcp
GB 142.250.187.238:443 consent.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
NL 23.63.101.177:80 r11.o.lencr.org tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 8.8.8.8:53 10.254.202.209.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
IE 212.82.100.137:80 www.altavista.com tcp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.26:25 smtp2.cs.stanford.edu tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 209.202.254.10:443 search.lycos.com tcp
US 15.139.235.103:1034 N/A tcp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 acm.org udp
NL 142.251.9.26:25 alt1.aspmx.l.google.com tcp
US 104.17.78.30:25 acm.org tcp
US 8.8.8.8:53 cs.stanford.edu udp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 85.187.148.2:25 gzip.org tcp
US 8.8.8.8:53 burtleburtle.net udp
US 65.254.227.224:25 burtleburtle.net tcp
US 171.64.64.64:25 cs.stanford.edu tcp
N/A 172.16.3.36:1034 N/A tcp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 mx.acm.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mail.acm.org udp
SG 74.125.200.27:25 aspmx4.googlemail.com tcp
US 8.8.8.8:53 smtp.acm.org udp
US 8.8.8.8:53 smtp1.cs.stanford.edu udp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 8.8.8.8:53 email.com udp
US 8.8.8.8:53 mx01.mail.com udp
US 74.208.5.22:25 mx01.mail.com tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mx.gzip.org udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 mail.gzip.org udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 85.187.148.2:25 mail.gzip.org tcp
US 8.8.8.8:53 outlook.com udp
US 65.254.254.50:25 mx.burtleburtle.net tcp
US 8.8.8.8:53 outlook-com.olc.protection.outlook.com udp
US 52.101.11.18:25 outlook-com.olc.protection.outlook.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 171.64.64.25:25 smtp1.cs.stanford.edu tcp
US 15.137.228.133:1034 N/A tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 8.8.8.8:53 mx00.mail.com udp
US 74.208.5.20:25 mx00.mail.com tcp
US 8.8.8.8:53 hachyderm.io udp
US 8.8.8.8:53 outlook.com udp
US 8.8.8.8:53 alt4.aspmx.l.google.com udp
IE 212.82.100.137:80 www.altavista.com tcp
US 52.96.91.34:25 outlook.com tcp
TW 142.250.157.26:25 alt4.aspmx.l.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
US 209.202.254.10:80 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
TW 142.250.157.26:25 alt4.aspmx.l.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:80 search.lycos.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
IE 212.82.100.137:80 www.altavista.com tcp
US 209.202.254.10:443 search.lycos.com tcp
IE 212.82.100.137:443 www.altavista.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 209.202.254.10:443 search.lycos.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 171.64.64.64:25 cs.stanford.edu tcp
US 16.190.236.201:1034 N/A tcp
US 8.8.8.8:53 aspmx3.googlemail.com udp
FI 142.250.150.26:25 aspmx3.googlemail.com tcp
US 8.8.8.8:53 mx.cs.stanford.edu udp
US 8.8.8.8:53 mail.com udp
US 8.8.8.8:53 mail.cs.stanford.edu udp
US 74.208.5.22:25 mx01.mail.com tcp
US 171.64.64.160:25 mail.cs.stanford.edu tcp
US 8.8.8.8:53 email.com udp
US 3.33.243.145:25 email.com tcp
US 8.8.8.8:53 mx.outlook.com udp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 mail.outlook.com udp
US 8.8.8.8:53 smtp.outlook.com udp
GB 52.97.219.210:25 smtp.outlook.com tcp
NL 142.251.9.26:25 aspmx2.googlemail.com tcp
US 8.8.8.8:53 kinoho.net udp
US 8.8.8.8:53 aspmx.l.google.com udp
NL 142.250.102.26:25 aspmx.l.google.com tcp
US 205.243.78.51:1034 N/A tcp

Files

memory/2504-0-0x0000000000500000-0x000000000050D000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/4300-7-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4300-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-22-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 b7679ea4423f41d35fad204c01807765
SHA1 d494810a553eb3423ec598e2e2ccb3976a60a0c3
SHA256 5c105cd37fe34de33cb1d8870b8bbabfe666945bbac557e94cb7eac7ad2932db
SHA512 211d30b8c4c74bad9bf67c3914e02223cb0ae10714aab1410630ee7497dcf3dd701a1ea9d334f2f4361afba3a01d0ed7629e36167bb06aa05ee3819dcfa5a553

C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp

MD5 c83086b89836df99b6bb13e955cb4934
SHA1 583da8ddaaa9af341ad2294e40eaf5fc6c6ddd7e
SHA256 b33f902e4e44a186b57b98e6d8aa99301fdafd029c5f20a2fd1f840deeacce5b
SHA512 b9e22c760909878dd82affa4ccaa404f39aef8764cb710d92608dceaf8693a912106133cb6e679ccb6bdbae04f7407216c1ab8b21c9502d9d045e2cadbc8f886

memory/4300-81-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[2].htm

MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\E2G4TYJC.htm

MD5 cdada4ed3b1a6aa4bbee231f8971152c
SHA1 d358f23bf1af370969bac65c6089d720c92bb2c9
SHA256 a027624f2d71e3b1480bbd501c89595edb128d6e1a16eaa6f03d900db89ee58f
SHA512 6270e2ecbfedb1d51f230f42cab9408a838875913ebdc9cd47f0774df918d541b6f1d228b8664673889415f5f87d9babca096dd69b94336261d77567c5ecb5ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\HNYNQ7Y4.htm

MD5 9ee65211970f90eb1bace578756d4ad6
SHA1 b5faa69c75a5618ad5e7ce908d11a3dc02da5258
SHA256 fc6c4f0843aa390859a738b966ebd7317d21c28b1420a759f519e798725c81f8
SHA512 5b9dc2e316aa69ee6f70edf75a430e9150fb61dcda3c1d6b0abf0ce9209e550717f3f6e3246be56d1ca0504c8169ddc0f525c7df384860fce53b65c2448213cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\results[2].htm

MD5 211da0345fa466aa8dbde830c83c19f8
SHA1 779ece4d54a099274b2814a9780000ba49af1b81
SHA256 aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
SHA512 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\search[8].htm

MD5 f38f268cce37f454084f0634a2a01daf
SHA1 313fa37151275d81481538241438322cb6b192c5
SHA256 e4bbddb9fd3c72e832f9b1866730ca85bf1b125cd8e37785c455d95aef2c7df7
SHA512 35644cbb0a906f0b7542e3565541913333478e60a48eb50d38f2572c0b90184f769504f4020a4d064aad8c6da746fea9e4447a66f7bac0b5c6bed5a46055c307

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\search[9].htm

MD5 2c96d7669637fc44049f6401ba5fba5d
SHA1 308f2fc95a372f99e772a0077ae6f136858c0f12
SHA256 007d02b9409c2ff12dde987514b6706e1cdb7924020d4ceb51118beff8d51d23
SHA512 04ad65e08e169c27e0fcedf27370b2c4d2daea16639f48199d52e8b701119bb9dec5804cf3dca31d2f72b282dcfbce7c42c88491be18f6b6c2b7698a9b45330a

memory/4300-412-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 9a4cf575be829efaa5e076e8f92bb045
SHA1 011753507a5a3f312438d02755af38dc3bce66e3
SHA256 49e6b41e990b67a66f79ea94aaf9a8024902231fbd14dbe3d6fff4ce430cfcb5
SHA512 781489b65354e95ef81f727baad7018fc35275a564790f23b650b6314cfbd8aacb971e6d4dc07ee560a9e1478b213aaa1da5e7db0ee2bf71c4dd913f5e000eba

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[10].htm

MD5 354d0c0bb1452845aaa2c7dca9763066
SHA1 3861a12317fe4fabdbc707cd24571b4fce759ec8
SHA256 70d5e9bafe4d0d35a44ea5a513564061ee22d31c0410ec5117e0e5ed258e3b96
SHA512 1b7d7a4868f877888a28dd6b1659278800fe94f923c42d097719ff3d5d772d8754a6f335e35deeeaa751a4b07e01c2e6d9c458de44a64e742a17ce5ec9c68254

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search6IFVMJFA.htm

MD5 78f956ebe772db28480f34aeb24f79b8
SHA1 a7f7f99a9c076b5b368f523dbb30e4af74ef2f15
SHA256 c5e67be970c32cec30ede054e97c76e6af2cc024393cd7dde8a28eceabc808e4
SHA512 150f3d7c5d9be62972f0ab9135e98373fb84994597d67f8857ae4d2c605449edcd54c4d952edf7501bc5e9cdaa9c54689445b0516c2775fe59a297a8a1b70a90

memory/4300-455-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-458-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-462-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d9c6c7fc8846e1af078d28603da27097
SHA1 8f5871770f4de7421dbdd1547a64c75acf43dc43
SHA256 92193ae6358d1132dfe72ebe7d8fcfb8156b22b3d912f857c52c98252fe3e5ff
SHA512 44dbd8d63eb7dca22b6c177b746c738bf3d817e259c49c9e5538c3b2c6f85a24fdb0c66ed54fc15b78c6b6fecc894a898c7d7f4033262dce3dce01667bc345c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\results[3].htm

MD5 35a826c9d92a048812533924ecc2d036
SHA1 cc2d0c7849ea5f36532958d31a823e95de787d93
SHA256 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
SHA512 fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd

memory/4300-549-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-552-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 68b3b79a7a099b964ab8af1ef64508fe
SHA1 5c9b5313879bb82f3d1d49e14988975b1c9742b5
SHA256 aa22ba9af48fd5afe8e76a54831b4e99b78d9afeea093be1188ce2b299dda27f
SHA512 4e3b0106c5c2069e8300f0876df1f9d9476e9392e61dd8536df0a4326a4476d77bfecdcb9466c17a758efdfdd021215270e514403428747353f4b7f2853f9cfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search770IEGKQ.htm

MD5 e1afc2af83ddba77f32bfb34c8769125
SHA1 8cc71d342f4e2d71d215e701d7d33d91bcb56456
SHA256 c095973cdefca79652257892e619ce0fb25341a35a732f506f7a7930f752a331
SHA512 f791e5ae3520881a6c5f4855b9fdb0db84a36aa2193fc5c1db12240f2171dfd803e0f167810429d5d646ceb43d929fff47bae61de492f46896218c24db28850c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G7AAJOBN\search[3].htm

MD5 97a0755700342ef5fcef92c96381d942
SHA1 afadba3ba10f500f7dd2f57a64cb147ae84d3a0a
SHA256 54c2ec0d0262a5c5ce7ba40e1c672b5fbd481cad8420a7fe916a00485fd7d5de
SHA512 f0b63a82558f0ee7a05f71ed676f9e659ca50cb42b14a6999011a526ef3a788c7626289bc6461746e07954f5c7a5d36b610e5c875169601b086e72a4c80ff7e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XIQH11PJ\searchR0V67B8E.htm

MD5 091b1a29884d1a606a5ffd0e91c04f8b
SHA1 b600fb4e4c5a584ec84492a8a5284812f151d279
SHA256 286196e3702b356962a66d970704a1c132568bde7827a617cdcb569be65ab64e
SHA512 adb9417705a7eb925ecacd56a0ef6cc196e31a5323a33dd831dc681c98204df3d6deaae9de467ead591e5ae5dfb1d136c7d4838699cd784bb8e4da0e1c41bf8e

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 53d466e6ca70dda820fd620b62445cc2
SHA1 c4ce6f0daa6cf8e2f8aeb253fb1d78e00a9afa86
SHA256 845e31e2fd817535f42ace98e382cbf55ccc0f870e3033fbb104e2ad1fd660c3
SHA512 b7812d90da54701b5102250ce35d06afd6531229f3dde57a36894e22642dbca60827b1b2fec93c579333a849d73535472c9e773b517cf0778313f8806834898f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E9YVC3IR\searchZEY52NDC.htm

MD5 ac5f3185184458ca654f287afa9230fa
SHA1 6a3c772ec2117bac65c56f916584cc99b77ecd96
SHA256 1952c689b875050fdf3793f58fc6447550b82202573a93fbca97b2ac058dc898
SHA512 ad7b52fc08f12e73f7d92c11775316e7d8ec33b769ce64daf96bbe269dc924fbf10b3434f65f800b3a479e0c947f24103d54298db6f164360c3a04499a1ec1d0

memory/4300-706-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4300-739-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 08997ce89b684222b4d59e6b575d41c2
SHA1 1b1ef305592b1fec30075f0dd975ebe096e32e8f
SHA256 9d380721b71c6341c252e0a81dae6314d664f8dba240c091192bc069fe96dce0
SHA512 6629e77ec618a16ed179f4fca2d6a2fd6e12fc2e7d59e439623537658ba54735c645e26c93d7bd573c455a9b42f6a00f9f99eb039787eae52019026975b72ee0

memory/4300-751-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 17:42

Reported

2024-06-15 17:45

Platform

win7-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\services.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 identical rows; no detail recorded for any hit)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | C:\Windows\services.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
File created | C:\Windows\java.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A
File created | C:\Windows\services.exe | C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\af9bb29a99d8305669087ed6b33de18e_JaffaCakes118.exe"

C:\Windows\services.exe

"C:\Windows\services.exe"

Network

Country Destination Domain Proto
US 63.96.163.39:1034 N/A tcp
US 204.214.145.6:1034 N/A tcp
US 24.27.0.9:1034 N/A tcp
US 15.139.235.103:1034 N/A tcp
N/A 172.16.3.36:1034 N/A tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 8.8.8.8:53 alumni-caltech-edu.mail.protection.outlook.com udp
US 8.8.8.8:53 gzip.org udp
US 8.8.8.8:53 gzip.org udp
US 85.187.148.2:25 gzip.org tcp
US 15.137.228.133:1034 N/A tcp
US 52.101.9.14:25 alumni-caltech-edu.mail.protection.outlook.com tcp
US 85.187.148.2:25 gzip.org tcp
US 16.190.236.201:1034 N/A tcp
US 8.8.8.8:53 alumni.caltech.edu udp
US 99.83.190.102:25 alumni.caltech.edu tcp
US 8.8.8.8:53 mx.gzip.org udp
US 205.243.78.51:1034 N/A tcp
US 8.8.8.8:53 mx.alumni.caltech.edu udp
US 8.8.8.8:53 mail.alumni.caltech.edu udp
US 8.8.8.8:53 smtp.alumni.caltech.edu udp
US 8.8.8.8:53 N/A udp
US 85.187.148.2:25 N/A tcp

Files

memory/1768-0-0x0000000000500000-0x000000000050D000-memory.dmp

memory/1768-3-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Windows\services.exe

MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

memory/2892-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1768-10-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2892-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1768-22-0x0000000000220000-0x0000000000228000-memory.dmp

memory/2892-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-27-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-31-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-35-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-36-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-40-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-45-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zincite.log

MD5 63dbf13208b57b0850f96937d8d86242
SHA1 46e071b49a7e3c1873e78b7262fa45a0c41e2517
SHA256 cdd66103c2b5c9eb18c78ed9c82fb36f2a494191a5e84f254cd1084d9a982020
SHA512 843494abb1d8e7a1d18acef2c78e20519237727e6818a9f79907ec4e4abf7ea07bcad389f80051c90904b2d9307c4cd2246ff83c9e965db2c870daf4879b8de2

C:\Users\Admin\AppData\Local\Temp\tmpF6FE.tmp

MD5 0b574c6e5517e5a4ba58798c0332bc17
SHA1 18229173c819c9e14eafd8c6daf8a06c3bcb1f84
SHA256 6d0da35615c09df33d3bb0b93f70174f6e2fc9398ee799a8bc829cc96bb3023c
SHA512 54cdcfe2812f1bc0ddb17c3c843ef0cfe34124bbad3ff21accb5a33d103d80d6227ef6ac6f4a7dc396b4e2d2ff2abbc196968091fc398824397a73d8bed25ef9

memory/2892-66-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-69-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-70-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2892-74-0x0000000000400000-0x0000000000408000-memory.dmp