Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
- submitted: 02-07-2024 17:05
Behavioral task: behavioral1
- Sample: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
- Size: 28KB
- MD5: 20207f4a5db78197387b5b05ea3c33cf
- SHA1: 42b90770c67f6c2e9cd367c86bb14033519a4cc7
- SHA256: 3041e03eb013d1a6a21146d64626367732487231ab5ec87507f5a2684c9b0c0d
- SHA512: 6b6ffa20ac8a755ea7fbdd6a91bb480f15797542f3774bdf6331b079040073a0f83a11b08b5cbfc659fcf4289b52da7b6a87bdefc2edb62fc49f01376e8aa7ba
- SSDEEP: 384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNs30:Dv8IRRdsxq1DjJcqfJ0
Malware Config
Signatures
- Detected microsoft outlook phishing page
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    3920 | services.exe
- Processes:
    resource | yara_rule
    behavioral2/memory/2664-0-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    C:\Windows\services.exe | upx
    behavioral2/memory/3920-7-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/2664-13-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-14-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-19-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-24-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-31-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-36-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-43-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/2664-47-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-48-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    C:\Users\Admin\AppData\Local\Temp\tmpB5FF.tmp | upx
    behavioral2/memory/2664-109-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-110-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/2664-252-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-253-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/2664-318-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-319-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/3920-321-0x0000000000400000-0x0000000000408000-memory.dmp | upx
    behavioral2/memory/2664-325-0x0000000000500000-0x0000000000510000-memory.dmp | upx
    behavioral2/memory/3920-326-0x0000000000400000-0x0000000000408000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe, services.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe
- Drops file in Windows directory (3 IoCs)
  Processes: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
    description | ioc | process
    File created | C:\Windows\services.exe | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
    File opened for modification | C:\Windows\java.exe | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
    File created | C:\Windows\java.exe | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
    description | pid | process | target process
    PID 2664 wrote to memory of 3920 | 2664 | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe | services.exe
    PID 2664 wrote to memory of 3920 | 2664 | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe | services.exe
    PID 2664 wrote to memory of 3920 | 2664 | 20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe | services.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20207f4a5db78197387b5b05ea3c33cf_JaffaCakes118.exe"
  PID: 2664
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 3920
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 157KB
  MD5: 11ba3465fd5866f4d027354225723284
  SHA1: ab0df90b5641e5dad483fd0fccf66735ab89d9fc
  SHA256: e88afa4dc648353e233762e822b9d00117c115979e2102fe7926a0fcdb858fa6
  SHA512: 1626606aa9ba805b31ed692609f3bff4f45bcee9c078bbfd61f21774e6fae7608051fcad2f09d1b2cf90a9452fea850b8972641d5c8569318d4c7068bb0ce05a
- Filesize: 168KB
  MD5: b9710e8b0b877cf04a51b4594280f22d
  SHA1: 47411653f95705d906906c883f8e3f7c56df53a6
  SHA256: 8dd1b8d1b02eef6b9094ad4313ec014f2c671d504253263f1f7634d47b37551e
  SHA512: cffb2ce85e301490dec75b026ce260ff2a839f7070a50d2afb45c23c40cbb60373bad789adb09137ea614df549413a979029e6443c046c42ae6426add59e3d14
- Filesize: 139KB
  MD5: f8e0e6353240c2fccf95649ea19bb4a9
  SHA1: 3b41bd1bbf0336fc033a27d5c5220406965bc939
  SHA256: 9c4a2459c756e37340b4cb1e2e70bacdef3fd2a22fc0a7b170403dd535a92dc4
  SHA512: c3882464ec9deaf89062c7590510ef089c7c34890e70317748666fa1e1257d0739e0658659c55b070871310b94b03f1cfcae95e38babe0a63e89744e06e83c85
- Filesize: 171KB
  MD5: bfa6d3466b90d842f176064e85102517
  SHA1: 826d53b25f5d9253af7ce89b392f734e5ef33159
  SHA256: f753c0e51e664afe1d5f393cfc66ffc40c585e21c5a80d545f1838fe8e4f897b
  SHA512: 38b768838e0ff0926633630c5abbbbb6cef9e89e49d2ff4800008997e8d672b35415e34cd1a86232fdc64f682644ba79853765391d804846d8a570217d29e5c4
- Filesize: 148KB
  MD5: 49ea03725d18a6eed0cd3971313499ca
  SHA1: 16970ad42a7cce57f34bae1ceae568120e794f68
  SHA256: b22d26f5878a81632073419800ceb6c4b1c20f22b6eddf532c27916ae495f843
  SHA512: 4c1f9d4b3acc307cd2699dace0f7f932f6bd59ed721d079fc86e5952144dd492c9c4babdf7ee782345070431fece3473b94079152ef21f7de4ff71e0a3051687
- Filesize: 25B
  MD5: 8ba61a16b71609a08bfa35bc213fce49
  SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
  SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
  SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
- Filesize: 175KB
  MD5: 85b80b469bee18b38b2c88ecc805bc67
  SHA1: 39104a680760a2aa5b4ed682f96e9300066c0669
  SHA256: 5d259121996b21816b503437d5a2167bad97a4bc855982a32eee86f1eedfbc4a
  SHA512: 8b107476d3a9e06acb83a82a211b10878dcab2af6ce2225b34cb6e77dfd108d0e47aae990f516b06502e0026c005f46d7c54d3794d64a99ae9c80be51e7a2e2d
- Filesize: 1KB
  MD5: ee4aed56584bf64c08683064e422b722
  SHA1: 45e5ba33f57c6848e84b66e7e856a6b60af6c4a8
  SHA256: a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61
  SHA512: 058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6
- Filesize: 106KB
  MD5: 3a894fff96b58e2dff3f4c9566d70b2b
  SHA1: 04b2b7e5dd460fa081623c806c2351c734c5be11
  SHA256: 48cbbba3d27eb95b4a5c6c210f6fea7ed707f9b7822b66b7cf1ef38b932342d7
  SHA512: a5ca14a0394c873890a5b6b94adbbc0bca3ca97cd143f02169f43dd9ef6d0162bed55705accdc66f12870e35912a3cae985712aef9d2f83d207a76ee3c724c42
- Filesize: 28KB
  MD5: f1d5cc01d9809546d108757a6f4466fb
  SHA1: 70e33676e4a263a3d561c998dd849ac467f420d5
  SHA256: d9ea80b59895f93dbc3e23ced3aba58bc2d111598138c3791d1fb03dda637ee1
  SHA512: faed10e4ab6969aa07c21be3b606b8fc8393248d3f47a7aa31a2f3013ab8d3067ff088730fb6a4a12fdf9de97bf556adddbf434acc8850412b928b6c8fef152a
- Filesize: 1KB
  MD5: c8c5a65a03bb8560ba91beb836fac566
  SHA1: 53f8b47ee1531745892d829a54cd4e593f685a04
  SHA256: 443d6cb5b62f536fa77c929749ccebbd0e9c0bdadcb5d4141aadb0ea337f5201
  SHA512: 151573cb953277d1c0bfc0ef36fda2205895538244ad6b7386aa8ad704ecfd92ed47f2041a4ad218a1f98f49de6f74c578f2ca3a52c64b7c5b100fb1ac9f806c
- Filesize: 1KB
  MD5: 74c38955909396c198837e342c0a84c8
  SHA1: 9b948e026d295907f29a2e148743369ecd03398c
  SHA256: fe925f5cb6f9123a42fb8641551201f1c5021407b81abba068dbf5b7f3ba49ac
  SHA512: 8795718b7386e343bc6113f29a03453beb85680ed32556ab60433ccb6419379a0ec316c5581f9e1b699bcca611131a25cf65211c46c4e24b49329e207939d1d9
- Filesize: 1KB
  MD5: 466ad3452b36cb6bb983e13f2036a281
  SHA1: 3adbe1c6119a248a992aaca9754796c4812e954b
  SHA256: a79c0fec58eb055b58f940ba1bb5b5ed698eef162204b3dc8d56bbb771062c3e
  SHA512: 9edc8405f8d57a07e44c9348c4881315dd93cb67ee5d5e4e4ef2e0893290306700e890fbe0bc905ae06a2fd4bdcaf24c4903cb4c31bd12c627b86fe9080bdb12
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2