db173bbb3329bfe347e9931edd1465b0242bc10ebeda20a6a99957dae1e8250e

General

Target

38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe
Size

28KB
MD5

38be740473fc530739c09d7fc9ada18d
SHA1

4c78763ed939a0531a1cbc1dabb5bf0e2ed68ac1
SHA256

db173bbb3329bfe347e9931edd1465b0242bc10ebeda20a6a99957dae1e8250e
SHA512

b1f94a5d5b9c4f48db1f4e4e298a547525e907d85c35eab44edbbbb04e474552a69bf869152f1ada283dd1e8be0d1261be5d7e98bcc762be9a520bdbcfcd7109
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNDk:Dv8IRRdsxq1DjJcqfQk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
536	services.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3376-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023467-4.dat	upx
behavioral2/memory/536-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3376-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/536-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3376-54-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/536-55-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000400000001e73b-65.dat	upx
behavioral2/memory/3376-177-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/536-178-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3376-288-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/536-289-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/536-293-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\java.exe	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe
File created	C:\Windows\java.exe	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe
File created	C:\Windows\services.exe	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 536	3376	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe	83
PID 3376 wrote to memory of 536	3376	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe	83
PID 3376 wrote to memory of 536	3376	38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38be740473fc530739c09d7fc9ada18d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\search[8].htm

Filesize
157KB

MD5
07b9a881ae5733dab4a7c16780656a27

SHA1
eee246d9b7f251dea1d147ddc8ec4e9f2107e469

SHA256
f6d13e2b0153bd82eb2a7a66eb108e38c617e2609abd26785d7d0fce09530b32

SHA512
595d01cc8c68889d7b7a514777c22c7fd6161c104daee233cd7487d89fa85074334592b39e04ef30bdcaa9f4001a729b15bcc34ea2a67c75ba0403ef1d8dd2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\6896A0SP.htm

Filesize
175KB

MD5
f822753012b3022e55e715cf5db6175c

SHA1
b4e59c50c3eb2d3387ae0b6b88e489dc3f88af9d

SHA256
90405883889f09ac2f6b45f5bbb43a2931103f33c7585da7d225e238b9490510

SHA512
1dc9d2eb41705d51a3cc2473e49ea9cea206c503f7ea7849720beb65f651b8c44e6382a2f0dea77ddd0733ffb790239c272f5427f0d94463fff848f352522019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\results[3].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50A9.tmp

Filesize
28KB

MD5
85ce46f77b11b5b40790a6627efe8d77

SHA1
3868645826e518f3ee2d3f7bfea712f4f9f0f306

SHA256
4eab7648ede3cfb96f6851fa1f8644e977213bf4aeaf59e5b6dafb6bcbcae4b7

SHA512
a208d09992389aacc207b5c4a4ae7e44ac5bacd61b139d5df64ffe0e76f004b5de5f0c4e11f6db0eff5ac1494352c750617ccf7adda896f848da3cc195227fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d5fbe37752e226646d196123b9469f04

SHA1
34de06fd8d0149d0b4e29aa7b5cfe28ff6ff9327

SHA256
23daf211d4ee2eccb7f7837e63c13c037c16cbbd55fcdb3c2e2ffcd41efd5756

SHA512
0f86d28417c77561c28ee998c757fce20d81af784372e07c928619c394edbba159895062593fb52cfee5bfb8cd70fe3059b238723beb00b96ff9472032ed1def

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9cafa489bd87716221e2b983d9361270

SHA1
0f945f3e149d517002036f149e7114a7e195c0cf

SHA256
923149d044e0ee9b97fb5661b0b0144ea725f72bee59aa9197f51a033df2864e

SHA512
c54561a070e51a75e81777f06dcd133f3519aa10c0b67d7b0b2b85cc859d4f5c0a016bc9bbc6f4162c534aee950400b1c4281a14f377a9ed77eedd6c269257e6

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/536-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-178-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-293-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-289-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/536-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3376-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3376-177-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3376-288-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3376-54-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3376-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads