Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 17:35
Behavioral task behavioral1
- Sample: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
- Size: 28KB
- MD5: 2039eaa3b12fe61374e0c4b977366c4d
- SHA1: c19dea80181b77eb79155f03936e23a0a63b94d8
- SHA256: 557548955d31a8e2d0a2ff5f93e6149c367f6b3a606376282fa35a9d9aa69d0a
- SHA512: 4219a40492d144080a0d9631c220d55ce22bf19de1b08b146e5f4f026d619d4e8b0d2273c4c65e936cf9e00ae27749cb7abcd6e1ef6a15523ad8780b658a999b
- SSDEEP: 384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNvIDE:Dv8IRRdsxq1DjJcqf4
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Processes: services.exe (PID 3324)
- yara_rule upx matched resources:
  - behavioral2/memory/3284-0-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - C:\Windows\services.exe (upx)
  - behavioral2/memory/3324-5-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-13-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-14-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-19-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-24-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-26-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-31-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-36-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3324-38-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-42-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-43-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - C:\Users\Admin\AppData\Local\Temp\tmpAAA3.tmp (upx)
  - behavioral2/memory/3284-110-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-111-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-248-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-249-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-252-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-253-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-263-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-264-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-282-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-283-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
  - behavioral2/memory/3284-450-0x0000000000500000-0x0000000000510000-memory.dmp (upx)
  - behavioral2/memory/3324-451-0x0000000000400000-0x0000000000408000-memory.dmp (upx)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe, services.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (process: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (process: services.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
  - File created C:\Windows\services.exe (process: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe)
  - File opened for modification C:\Windows\java.exe (process: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe)
  - File created C:\Windows\java.exe (process: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
  - PID 3284 wrote to memory of 3324 (2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe -> services.exe)
  - PID 3284 wrote to memory of 3324 (2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe -> services.exe)
  - PID 3284 wrote to memory of 3324 (2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe -> services.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2039eaa3b12fe61374e0c4b977366c4d_JaffaCakes118.exe"
  PID: 3284
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 3324
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads