Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 17:28

General

  • Target

    bd1f699ebdbed1859fa33109edf795de_JaffaCakes118.exe

  • Size

    40KB

  • MD5

    bd1f699ebdbed1859fa33109edf795de

  • SHA1

    17229d64d1d2b92e61fe1cee5eed9c53575a5d8c

  • SHA256

    e13d5cbf259d93cc4de2fb782a95f8a429dbec1cb166b3bc60389035c5d0da58

  • SHA512

    e9b77be48b53b3767d3cbf66b0040a505689407297fb98c76269375ce1bbce5274c8c742666f7abec240e315e570eee419c033f038215044eaccea67a76d3c2f

  • SSDEEP

    768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtH9:aqk/Zdic/qjh8w19JDH9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • UPX packed file (17 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd1f699ebdbed1859fa33109edf795de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bd1f699ebdbed1859fa33109edf795de_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1680

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
    • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1

Downloads
