Analysis
- max time kernel: 159s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 08:12
Static task: static1
Behavioral task: behavioral1
- Sample: baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
The signatures, process tree and memory dumps below come from behavioral2 (the win10v2004 x64 run named in the platform line above); the win7 run is not shown on this page.
General
- Target: baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
- Size: 40KB
- MD5: baabc827a9d4e7a674e1362562a248f6
- SHA1: 0dd1f99734e4ea1fe1d60e53279acb475638d08b
- SHA256: 070221e4d974513c55b421f7555e0ed8ad918ef371d0fa3b82eb53d69d5cdce2
- SHA512: 48413d47b2e550318ec7b58a3f07e22bec3dc1b3420a94ad8ed3b2e42c9b8958fe104f11d0b130d696783b3fe27ac086be91869c540f459fcd40f2b75e7b8d70
- SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH86jP:aqk/Zdic/qjh8w19JDH86jP
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  process | pid
  services.exe | 4468
- YARA rule matches on the dropped binary and on the memory image of PID 4468 (resource | yara_rule)
  C:\Windows\services.exe | upx
  behavioral2/memory/4468-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-13-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-17-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-18-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-22-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-30-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-31-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-121-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-296-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-317-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-320-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-356-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral2/memory/4468-529-0x0000000000400000-0x0000000000408000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\services.exe | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
  File opened for modification | C:\Windows\java.exe | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
  File created | C:\Windows\java.exe | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 2420 wrote to memory of 4468 | 2420 | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe | services.exe
  PID 2420 wrote to memory of 4468 | 2420 | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe | services.exe
  PID 2420 wrote to memory of 4468 | 2420 | baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe | services.exe
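The Run-key and file-drop rows above are the IoCs a responder would actually hunt for on other hosts. The following Python is an added example (editor's illustration, not part of the sandbox report and not code from the sample or the sandbox vendor). It parses those rows exactly as rendered on this page, maps the \REGISTRY\MACHINE prefix to HKLM, expands the WOW6432Node key into both registry views, and checks a host snapshot against the result. REPORT_LINES are copied from the table above; HOST_RUN_VALUES and HOST_FILES are constructed sample data, and the value name SecurityHealth is used only as a benign filler entry.

```python
"""Added example: turn the persistence IoCs from the sandbox report into host hunt checks.

Editor-added illustration code, not part of the report. REPORT_LINES are the rows
from the Signatures table above; the host snapshot at the bottom is constructed.
"""
import re
from dataclasses import dataclass

# Behaviour rows as rendered in the report above (parser input).
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe',
    r'File created C:\Windows\services.exe baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe',
    r'File opened for modification C:\Windows\java.exe baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe',
    r'File created C:\Windows\java.exe baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe',
]

RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?\\Run)\\(?P<name>\S+) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$')


@dataclass(frozen=True)
class RunValue:
    key: str   # e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    name: str  # value name, e.g. JavaVM
    data: str  # value data: the command run at logon


def to_hive_path(nt_key):
    """Map the kernel object path (\\REGISTRY\\MACHINE\\...) to the HKLM\\... form tooling uses."""
    for nt, short in ((r'\REGISTRY\MACHINE', 'HKLM'), (r'\REGISTRY\USER', 'HKU')):
        if nt_key.upper().startswith(nt):
            return short + nt_key[len(nt):]
    return nt_key


def run_key_variants(hive_path):
    """The report shows the WOW6432Node view because the write went through WOW64
    redirection (a 32-bit process on x64). Both the native and the redirected Run
    key are processed at logon, so a hunt has to check both views."""
    native = hive_path.replace(r'\WOW6432Node', '')
    wow = native.replace(r'\SOFTWARE\Microsoft', r'\SOFTWARE\WOW6432Node\Microsoft')
    return {native, wow}


def parse_report(lines):
    """Return (run_values, dropped_files) extracted from the signature rows."""
    run_values, files = set(), set()
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            data = m['data'].replace('\\\\', '\\')  # the report doubles backslashes in string data
            for key in run_key_variants(to_hive_path(m['key'])):
                run_values.add(RunValue(key, m['name'], data))
            continue
        m = FILE_RE.match(line)
        if m:
            files.add(m['path'])
    return run_values, files


def hunt(run_values, files, host_run_values, host_files):
    """Compare a host snapshot against the IoCs and return sorted findings.

    host_run_values: {(key, name): data} as read from the host's Run keys.
    host_files: set of paths present on the host.
    A value-name match with different data is still reported (name-only): the
    payload path is the easiest thing for a variant to change.
    """
    findings = []
    for (key, name), data in host_run_values.items():
        for rv in run_values:
            if key.lower() == rv.key.lower() and name.lower() == rv.name.lower():
                kind = 'exact' if data.lower() == rv.data.lower() else 'name-only'
                findings.append(f'run value {key}\\{name} = {data} ({kind} match)')
    present = {p.lower() for p in host_files}
    for path in sorted(files):
        if path.lower() in present:
            findings.append(f'dropped file present: {path}')
    return sorted(findings)


# Constructed host snapshot: one benign autorun plus the two from the report. JavaVM
# is placed under the native key on purpose, to show the view-independent match.
HOST_RUN_VALUES = {
    (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'SecurityHealth'):
        r'%windir%\system32\SecurityHealthSystray.exe',
    (r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'JavaVM'): r'C:\Windows\java.exe',
    (r'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run', 'Services'): r'C:\Windows\services.exe',
}
HOST_FILES = {r'C:\Windows\services.exe', r'C:\Windows\explorer.exe'}


def demo():
    run_values, files = parse_report(REPORT_LINES)
    return hunt(run_values, files, HOST_RUN_VALUES, HOST_FILES)


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

On a live host you would fill host_run_values from both Run keys (native and WOW6432Node) and host_files from the filesystem, or from an offline SOFTWARE hive and disk image. The two-view expansion is the point of the example: a 64-bit collector that reads only HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run never sees the Services value exactly where this report recorded it being written.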
Processes
- C:\Users\Admin\AppData\Local\Temp\baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe (PID 2420, top-level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\baabc827a9d4e7a674e1362562a248f6_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (PID 4468, child of 2420)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (top-level, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\search[8].htm
  Filesize: 132KB
  MD5: 40b1e13238e5925b25c1180d3fe8ab33
  SHA1: 27548db79f5e244419f20d0584f2398bc363e010
  SHA256: 2087eea9e22b9e24828c7524de9706c2800dc0d4317ef05cdd6d15dc9bc2ba46
  SHA512: 0647bfe40b9df2f86639a94063a8c7b1d9a0d8e027fc0fe9bc4268aeec19b13ab04d7f308ac449ceb3c9514fe3b6a024ab835c9e2a1134d9ae4a3c90cf5d7bd3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search11BTANAY.htm
  Filesize: 115KB
  MD5: 8fdc1aed8055b45fd725887ee8235e1e
  SHA1: 7094a5486b3b6eddd8f25fb9e36393c0571f07d9
  SHA256: 64fbafae4f0a5e84715041c70e19722c3371d0b87e5471bab04eb23dac2cddf8
  SHA512: d2f588e8227a9ff6f979c2e6b715b296d391a853fe22922d94a104ef5aa47e81178587d01592822e56cb13baa197779775eedc2265d0a22ca7a4a42061107a74
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\searchOE6UIY3D.htm
  Filesize: 157KB
  MD5: c9a78a86059242ae9b1b705001961e33
  SHA1: a2a992f6e1cf6603c860cc2ef532b092d373420f
  SHA256: 64d4cefee42c8c840b1c92170a945471619e2ff0126f442dc7e8cf15a9b5025d
  SHA512: 102b65013db8e47e0f7b2b0dbe1c073f0b1ed96379dd9df4de29a129aff30188f5b42493cf2913838dd90682d0e69178bc7b6c8caf29f4116eb1ef3f1dc20a46
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\search[2].htm
  Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\MXVY0QD9.htm
  Filesize: 175KB
  MD5: f7a9ff728961f3f5d957a64e48af5954
  SHA1: 925879cd22d9c70d27157112eff581ca1b0a0d8a
  SHA256: 8447d08e3f4f481d14873a3fa3160b790dd657435a8abe2296d6dd3e5f206d53
  SHA512: 3bdb6d334878053cd59f9fc0f57f8c271cec981db275745b6ba8d98a3e678c88073fbd6c16351f68bdc79e9be35429202c6dc9f15d53bf793bb0d4a415368277
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\default[3].htm
  Filesize: 312B
  MD5: c15952329e9cd008b41f979b6c76b9a2
  SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
  SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
  SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\results[1].htm
  Filesize: 1KB
  MD5: 35a826c9d92a048812533924ecc2d036
  SHA1: cc2d0c7849ea5f36532958d31a823e95de787d93
  SHA256: 0731a24ba3c569a734d2e8a74f9786c4b09c42af70457b185c56f147792168ea
  SHA512: fd385904a466768357de812d0474e34a0b5f089f1de1e46bd032d889b28f10db84c869f5e81a0e2f1c8ffdd8a110e0736a7d63c887d76de6f0a5fd30bb8ebecd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchB34UO363.htm
  Filesize: 134KB
  MD5: ff238e04c63337f6eca881b4e80376bf
  SHA1: 6e54095d62f59c387659d8f4f5f77fadd19a1cb0
  SHA256: 6ffe5f464bfe4c2a48e111f7c8aad8f018cac1c44ddeec64fe6fc7c9b364f59d
  SHA512: 88aa5983c42f560212511e08dbe1767f0039cf1cf74071c895cf4a38660a842c7ad22a01c72428c20762601b4ca602d45a4bdbd8ae76efa15129bd2aadecb0ac
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchE8WTUKAP.htm
  Filesize: 141KB
  MD5: b93622547bd84870daa91062f827e2c6
  SHA1: bb065077e2800fc2e063f26bb4a5cbd1d9058cc7
  SHA256: 35fda38e7f7ea0d20fb13d74b89e08add1e6ae70fc5598bf0d4336a4a409ea13
  SHA512: bb7025faac22b775d9e6d7598e7d1786b8eadaafee751362a185ba12f6a36093769643275c47fa15478e0ab46c35c75aafec4cc64cc3c7daf25742477b613f34
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\searchJYK1E8M5.htm
  Filesize: 166KB
  MD5: f2ce3981300ee41d33bb96aef8024734
  SHA1: c6347382412ef1d33968dc0632efd11ec5095fe4
  SHA256: f4c3df8dc34a017be8707c4a4915b6f2fb26c5956bd769ed24f99ffda13d6d28
  SHA512: d5de9fced210531426114a1bc7a076953626fcbf36e1dd26cee2fd6f3e6b60379ce6a2c7e3393cf1b0541aa735b5c3ebf8b3cc13ce57339033a3f14de01c24eb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[3].htm
  Filesize: 151KB
  MD5: d0ff251eb7a6e2b0a0885af103185831
  SHA1: fbca03b824a1a29225f558ddc5b05880bc6946c7
  SHA256: f840d54485cc1fc63d31d7cbbbd19b8ae3aa9611e0fb84a972830b97f89055a7
  SHA512: a319ab30eb60663d9bb17e351c171d84f188df1cd7755871bdefc9191162761ae2ab09b136fa9bec856810a61027225cf3f1f245068314f8eb4a311feee021a5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[4].htm
  Filesize: 151KB
  MD5: fe053c0abf23a0555cb6f50976154ce1
  SHA1: 846b6da2498e2aa4ad384a5741eae217d8a4781a
  SHA256: 0969f2c4460248d9770d0a0d6513d38ee3fc1b52e683632f3741ea81a49ba6c5
  SHA512: 1d078ebdd23e5d5ccaff0d8f0124d59cd481d54319a6e7853531156bf9598e8a7354270a2777bf6df51cba86c467bbcde59d15633521dfc57a392943fe52498e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\search[7].htm
  Filesize: 137KB
  MD5: a0408b0026189c5268f236e173c86ca1
  SHA1: ffa78cb8b92699e46bd3fdb18e129a5c79f00c68
  SHA256: f78b04d12aec092942207733d1f556e1be2bc6c258bf8ef0853e1600d2230231
  SHA512: 5612e781b320323b40bf662fcf26133c89aaa40ad667a4d4c7cc27957955a1eea2cd5f8686682bbe886075f3176edc2c0d7853f32b82321b56c2f9b9c7eca3f6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[2].htm
  Filesize: 1KB
  MD5: ee4aed56584bf64c08683064e422b722
  SHA1: 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
  SHA256: a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
  SHA512: 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\results[4].htm
  Filesize: 1KB
  MD5: 211da0345fa466aa8dbde830c83c19f8
  SHA1: 779ece4d54a099274b2814a9780000ba49af1b81
  SHA256: aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5
  SHA512: 37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\searchC89RPSEQ.htm
  Filesize: 167KB
  MD5: 791dff28c78131a7678d142c61da0427
  SHA1: 882ad84afc4565adc76f51b0be4ddff032775df6
  SHA256: 592b54b4bd8dc0b81e8afcff7ffbb128adf4c1bd298739da54df8070ef29be2f
  SHA512: 61401bc63ef7eab48185dbc0e1d7c285ece0d6881c9574237d4224513418052754d3a0fc6349756b5aeba38720a1f30850ac57d7b87327f60bdb1577be4f331a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[1].htm
  Filesize: 170KB
  MD5: 5fbd90759ec414ba91e058d8bfceb27d
  SHA1: a35aa8965cff3781870dd5cd9881b15aac08c71d
  SHA256: efea3bb16b6064ad82184075bb709e283f95d400ff66554982b9f2af4b40edd5
  SHA512: f93ef4905cb90ff6fc3de361f79875e50a1e92ecde212c21799f7b99cfcbba6e735880c485f863dc7ec8f52e77f0affddfbdc99f33b98cd8d0ad24b6ed7ad303
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X0OFMNIL\search[9].htm
  Filesize: 112KB
  MD5: b2abf7415c3feafce5703225c94d52a5
  SHA1: 410499662d7237c260ee567c7d1392189c9b5d6f
  SHA256: e3c7ba7c73240839a83c81b6aa882bc06fb280f09a6216aaf9b9b41474616cc2
  SHA512: 2689c3f2c30b00d7ab2623496bea66cb057f0903475f2934c0fb9d14c86804fa164465e25b3ed7ab55857a893cfd20bed0ec3daaf6cb726fc21441d3376ee7c5
- C:\Users\Admin\AppData\Local\Temp\ngnckogk.log
  Filesize: 1KB
  MD5: 700cbade37758b68717fc1ed72bef7f4
  SHA1: 11264c9432884b38e2cb2fba76dca321d8015ce9
  SHA256: 5f302a82eaf0de55813a41a0458ba409424bf6b66e3bc51574bb9ee91ffa03f0
  SHA512: 1f0a2b1fcd89a9ff78725c7e094d7c9726ad15c941a805c5d76e7c1bf5f089b2796b44c9092d41fbea41a57f73de9c5dcf98c16c48a0191433eedf6d042146d8
- C:\Users\Admin\AppData\Local\Temp\tmp59B1.tmp
  Filesize: 40KB
  MD5: 2f123807423494114ba80f352f9680c3
  SHA1: c2868428a31d666427e5e0d84f23307588f540c9
  SHA256: 8b649e89923be435f5094c175d93636bebc9db6b34b6914ed40079920d629461
  SHA512: 921bbf6711e49df18bc2f0d5e56e7b4c1821819fa02a840c967439356669852498b872bace56bee3e853548913e2d9396c4c2ed0c22415040aa30f580f74cc35
- C:\Users\Admin\AppData\Local\Temp\tmp5B91.tmp
  Filesize: 40KB
  MD5: 8f40dfb45f652cc28b1c307f55c6629a
  SHA1: 920d5e54cc07d175fc3f917fa44f80d225d2c613
  SHA256: a1b9eecb96645ca1e9c709bbebf87106328887a6060ad22f92e47a1e6799d3d7
  SHA512: 252c92b8c3e5e8ff2ba8dc8c8edb3b6b1c6e6d77560551e21b2e17b36812577739c70ce9b3f8cddc333f8fae787179a73ba18c04eccb62b57a15c7aa3d9b16bc
- C:\Users\Admin\AppData\Local\Temp\zincite.log (same path captured five times with different content; entries listed in the order the report gives them)
  Filesize: 1KB
  MD5: d8f92b8c0cea2ce31ea6a60766528ecf
  SHA1: 5404cdc70c686cffb00c2d174c59e6b6ffba69fe
  SHA256: 0f15236c503d744637aeb96a7ed90862376548327afedacb2378818d20f17d73
  SHA512: 991df40da2622f2a4d9dc02b0a20d4b1d6d4ee07dd8c5785fa5193a8e1692d692e26dcfe6360792f3fd36a4b456aef371d5b3b8cdf44a3c70c7de8c581f8f33d
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 1KB
  MD5: 1da89ba450ac44fdf55f9f08002dcd79
  SHA1: 2e3648c17c1b64a22a65e7e13a87db79cb6ea1a2
  SHA256: 9f9f433f93f4a12d213aa63946b4fc4e7f18b94f7fb9cf983c25c7fbf76909f0
  SHA512: 20cba0cf76c4f2e228e30bcfd1c46d5610c0d45150bff13f6cfb5eac89eda8d6f456dca4d22d7b3701f8007693d2348eb326debe8548881dadec850fd39e4a33
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 1KB
  MD5: 16d875e92cf51ec46ed3076a7ca0dd76
  SHA1: 3e4e341fc2dee861e5d68624961a4d1d29f18d83
  SHA256: 4a5771ac63ffc8cbd73b61c20ee04414e6e61d27761b85829639b9235d40a2d2
  SHA512: 647368b1e35a3c5054644855744218584dcdf29b629ad97b481c3216ffaa1f21451168c567c4f344b8a5024e8b54d136259c94c3dfbbc24d8831e57b2414f199
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: 1KB
  MD5: fce7c8e9d8172d518297ee98f2a63ac0
  SHA1: e3de8c615f68d0509ce13728e0538d8ba2178b60
  SHA256: 596bd4a03ed5c013ff7b576802047dd3ab76f5faf72b5e88c0ba7ea2efa3bf84
  SHA512: 495c3dbbc1fe31bc5ce646f8c257930cf9b15d78951a51b851d576be39b60c5e4f9563ed4226c1aa1d593aad9da92da9926215e5597ff913a60454efdc25301b
- C:\Users\Admin\AppData\Local\Temp\zincite.log
  Filesize: not given in the report; the four digests below are those of a zero-length file, so this capture was taken while the log was empty
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Windows\services.exe
  Filesize: 8KB (on disk; the same binary occupies a 32KB image at 0x400000-0x408000 in PID 4468, see the memory dumps below, which is consistent with the upx rule hits on both the file and the dumps)
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2
- memory/2420-0-0x0000000000500000-0x000000000050D000-memory.dmp
  Filesize: 52KB
- memory/4468-5-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-13-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-17-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-18-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-22-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-26-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-30-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-31-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-121-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-296-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-317-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-320-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-356-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4468-529-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB