743461bc76ac2964a0c31a01155ac9bc77c94bb0319f3188d7f55d492a64d64c

General

Target

3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe
Size

28KB
MD5

3348f375aee8ca086bd9d3b198704317
SHA1

14949f79bde3eaf6a8cf4746825fa088086d3f86
SHA256

743461bc76ac2964a0c31a01155ac9bc77c94bb0319f3188d7f55d492a64d64c
SHA512

4fe408cc9d2622dc718a170d6e74e91d277f815092d61efe5a4d31150f519f8b7b628700f203ddd6d4628bd370ca60e7679cb8ebdbca248f81dadc1a3e5658a1
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNoCpk:Dv8IRRdsxq1DjJcqffUk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/280-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/280-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/files/0x0008000000016eb4-9.dat	upx
behavioral1/memory/280-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/280-46-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-52-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0031000000016db0-57.dat	upx
behavioral1/memory/280-67-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/280-71-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/280-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2696-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/280-83-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2696-84-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe
File created	C:\Windows\java.exe	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 280 wrote to memory of 2696	280	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe	30
PID 280 wrote to memory of 2696	280	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe	30
PID 280 wrote to memory of 2696	280	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe	30
PID 280 wrote to memory of 2696	280	3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3348f375aee8ca086bd9d3b198704317_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gfarw.log

Filesize
1KB

MD5
f247e829fa0e6ec87185fa533635422a

SHA1
9d8231e05536a36fbd6d9a17b68df725c90ba1dd

SHA256
152e7176d16cf4faaf4b43d572b4a092ee9cddf6de5c69ab5c91de43d4cf77bb

SHA512
f683791a160d96f970e836e5a658c90158f14765a5d68635a67488c5d0b999bc1149eb41f100452a56c9a61676c71643973ce58b52ffed8581a2ab9d551fc3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8343.tmp

Filesize
28KB

MD5
57db42589c42000c4800848d66675393

SHA1
0018007aa9f002267f76ffad6b39b3305d048bfd

SHA256
7b2d4f7a622e6a610f878d6b80d4717119659c90a6cda1ee4e4da117751f0b76

SHA512
2d41cc593a1bc603c00bf28a9b79d86fe7a9f4c70fb0d234aeb6f20724573a494d3ecf48b16c08545b03df00aeee914b51fd3f06a0eee9d649622a277c4df445

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
117243bf6bb226d3f1a46b816b5da064

SHA1
9e0f4cb2da4ee101b4d1869759609821cf527390

SHA256
29d3087afb6f5252a9f740a20353e0f00f68c5131c0dbb854a161c5171684889

SHA512
7f3cdd87388d249391ca1b94d837f472ad14890edf9617e24f5c78d0ceffdafd966486f0e74961806ef2b7e66939624983c078cb756a7b9f01b576fe682d46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
423d0168956b46446e9a8242e18c9653

SHA1
7cab51fd8e7d20d15f494d2d601a5d8bc371ad10

SHA256
a83867f5207cc61515d917740cb930a902c7225fc99ac53c2fd2e51a254668da

SHA512
460882fd9c5dcce3456032aa1a6cdb3a77e433b0cbadacfd2ea097bb5f2b3680db1fc142bfa39c2fbbcf370bbd669732e8fcdc9c42dcb50d7b0953282522686c

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/280-83-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-46-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/280-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-71-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-67-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/280-10-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/280-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2696-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-52-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2696-84-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads