Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 08:12

General

  • Target

    baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe

  • Size

    40KB

  • MD5

    baabc827a9d4e7a674e1362562a248f6

  • SHA1

    0dd1f99734e4ea1fe1d60e53279acb475638d08b

  • SHA256

    070221e4d974513c55b421f7555e0ed8ad918ef371d0fa3b82eb53d69d5cdce2

  • SHA512

    48413d47b2e550318ec7b58a3f07e22bec3dc1b3420a94ad8ed3b2e42c9b8958fe104f11d0b130d696783b3fe27ac086be91869c540f459fcd40f2b75e7b8d70

  • SSDEEP

    768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH86jP:aqk/Zdic/qjh8w19JDH86jP

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • UPX packed file (17 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2200

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution: T1547 (1)
      • Registry Run Keys / Startup Folder: T1547.001 (1)
  • Privilege Escalation
    • Boot or Logon Autostart Execution: T1547 (1)
      • Registry Run Keys / Startup Folder: T1547.001 (1)
  • Defense Evasion
    • Modify Registry: T1112 (2)
    • Subvert Trust Controls: T1553 (1)
      • Install Root Certificate: T1553.004 (1)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e7d0775fd7f55089293d44bef3c022c5

    SHA1

    7e3473feb6ba6d68e95dbeb36be3debd3f1c1e18

    SHA256

    31223d4411c83faaecdc362bb7cfc851300264d11ee5f54a0a91c80c1d4a6806

    SHA512

    33106c54203191fc8464461f1a4567030601cd0a51902ae5e8483bab9cc991fd9a509c5ef85485d5f04692f3f6e569c62f187f043305ab008d768988f5b83f40

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\KDEVKIQ3.htm
    Filesize

    175KB

    MD5

    b9dcf5daeaadb26ea88936f551c05d52

    SHA1

    df665d0ed993b2d127e2672218cf23fd958c5eef

    SHA256

    d460bf738fa52b97d4a2e1d33cfae29d51a1da95034e6ca573913310c1f0a2b9

    SHA512

    380ce47fb3644b4bb14d35821ce017572e8eb7238b1030a6089f251e6a454ebe08b5325289dadff97b381b47fd1180d0aa88c51678b6c17f611f4276e5629e49

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\search[1].htm
    Filesize

    164KB

    MD5

    2f5b187eb27cf774b77769db686735de

    SHA1

    e5f9bc05e69ff32434e752e4e82ce13f35f45418

    SHA256

    6313799a01c3a222e5c9d1e7c3e3ef84286e4dfbf25901f210f586b1f438ab5f

    SHA512

    59693ef9456204c1018fe5b9d22e0c8a010b00f4526d3146343edcefceb4045c80a232bcd56efdc4c699bd7c904d473f13bfbd39f2d61aeb46ff3e933fd93d18

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\search[2].htm
    Filesize

    127KB

    MD5

    3d3eaffb59337103c065a824b478f6cf

    SHA1

    538b6d57a8317ba435d695b1ad52080b2d7759b3

    SHA256

    0748da1e62f5ff9bbb431ddcb348267079fc379a94cad6ac0cb59454ff498959

    SHA512

    ba5149dc54e43239c393e29a5ad31e9738cabc145b543c2d51667a3ed4e10a5bd0d2c0a044afbfd1da182d8d636e31cfb30623302848fb3cbe5cd0ed7be9bcdc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\search[8].htm
    Filesize

    169KB

    MD5

    db6e19bdaf96f9d86146697355f1f48e

    SHA1

    71b42e03db0eba6e3d2dfd302fb7bc7d2c92d0ff

    SHA256

    bee90a09e29da40ae7918827adae43e457da6ebc676e35c3870df381ec3369cb

    SHA512

    34ad8cc9872e55ae4fee38b213e613b0fed6ce08dcc3de611870595bb4734f1c9cf6da1a535cf9aa473de30f3f9a57b8194f76acb6c59fc776ea3ccd8274a615

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\search[1].htm
    Filesize

    25B

    MD5

    8ba61a16b71609a08bfa35bc213fce49

    SHA1

    8374dddcc6b2ede14b0ea00a5870a11b57ced33f

    SHA256

    6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

    SHA512

    5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\search[5].htm
    Filesize

    138KB

    MD5

    3be2f62bc6ba276d3edc7338d59032c7

    SHA1

    ddd4b345c1903b439f71ae263c5d63a30d7a6cb8

    SHA256

    0c9e9146adc7d47e970c9f0c8845251e3fe3a43b7b569c6acae55e08b0de6882

    SHA512

    64640270cd5a23962c700236b69ea118e20f684cc09e3394ca0e6efd8ab455b032692f0b2440228a4886da04c66a5b8abf3c9dbc1ac5bcedc9c0add867d81434

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\results[3].htm
    Filesize

    1KB

    MD5

    ee4aed56584bf64c08683064e422b722

    SHA1

    45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

    SHA256

    a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

    SHA512

    058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\results[4].htm
    Filesize

    1KB

    MD5

    211da0345fa466aa8dbde830c83c19f8

    SHA1

    779ece4d54a099274b2814a9780000ba49af1b81

    SHA256

    aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

    SHA512

    37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

  • C:\Users\Admin\AppData\Local\Temp\Cab13BB.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TVbqjvjs3p.log
    Filesize

    1KB

    MD5

    404dde493836017b71f6bd3b2007814a

    SHA1

    f42ddd9da4bd9934c8dfe86b222d36bc922d7eb2

    SHA256

    b38067ac89603967489841dadbf3b8e7b75f7366745eb6babe6d085150bd2e33

    SHA512

    8b520345313fd4daa94970256bb144b4c209bba2e522b605fcca1d36213aa9982cea6595fded19df0812a49679ef4a79cc36bb53e181cc8476c6086e21725114

  • C:\Users\Admin\AppData\Local\Temp\Tar143E.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmp18B1.tmp
    Filesize

    40KB

    MD5

    4661843d662e9cbd87bd4f16b267659f

    SHA1

    82c577cb381482311fa91b4c45c1bc10186ccf31

    SHA256

    f62c6f4592c563a5d3dd8b1b8281cf9c5e6e2944849023a78528d4740bfa18a7

    SHA512

    1a4968594a46d44bc78d0d028fa68f6692d594c2092721b248fbbcbd5041ce26af982a1c1efbe6a1c927384f155615078453523ab98c52840faacba8a58fb795

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    1KB

    MD5

    6c95abbb6fe97ded6c3ae997ccb3ae13

    SHA1

    4187135a9c8861621951dfcd966b80c29a7993d0

    SHA256

    bb0fc9bc9e8fd0626a38c096fc5846fd938aa4364f1e999ee56c9d8dddc2c7e6

    SHA512

    ca2faa085d6fa4d7467fac9467a3cf3bb89ae6d21817324b8b63f4270341b0bf82782fa5b9808eef33f6c882e43fcda292ec2713f3bc3e90354ceaff33d96c2b

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    1KB

    MD5

    e6283637224e15fabcf586e7679b3ae9

    SHA1

    de3c39e546c053f3d0e9c16dc3b42f687eb97aea

    SHA256

    961b07ee168560b466bad250ba419c00997918901cf3cf483e517cc2b49ac1e0

    SHA512

    415990af6ba08b8529d58b7b4c0b4662e5396ce2b1f39b07ca0aef8a040a4254da83b69b59e2b1e588beb56caf670b818cbb5253a0a66a8279cab89a84b8b89b

  • C:\Users\Admin\AppData\Local\Temp\zincite.log
    Filesize

    1KB

    MD5

    045ce60ca90ca3fddcfaa7781038fe37

    SHA1

    7334f14a5e375a6c647e41b75d66f27343880655

    SHA256

    94ccf07234420f546af93019b6d5d91dfaefac2a1728b70dc8af302b5542129e

    SHA512

    ecc9f09a1d5abe4bbdd94fa1a2511e9d72b4c491fdd9c2816a66500a64cc6412dd4d0e8d8bd0c762634a7ae50bca4f6a396db014a46437303079395de5b45301

  • C:\Windows\services.exe
    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/2200-26-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-31-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-72-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-73-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-64-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-63-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-59-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-56-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-35-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-68-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-27-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-11-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-17-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-21-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2200-342-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2944-22-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2944-0-0x0000000000500000-0x000000000050D000-memory.dmp
    Filesize

    52KB

  • memory/2944-4-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

  • memory/2944-9-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB