db41f86d17eb599190b74edc80a0d7ae9cbc66055af5667ed68bf803e0e73a63

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe
Size

28KB
MD5

3e68986124730ff50e87d288911b2f90
SHA1

920c8f4cd4f3fd5fc0127cca73c396d67494d2f6
SHA256

db41f86d17eb599190b74edc80a0d7ae9cbc66055af5667ed68bf803e0e73a63
SHA512

df78c5ebf12a789dbe7e6caf8397271d4a944d3221efacc22f33914d301b9d3406705fc3f6ee3b289ac95c19ee8e30f6f151afc13b5bc4f2aff34779ea51bdd5
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN3plm:Dv8IRRdsxq1DjJcqfwlm

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1472	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x0008000000023454-4.dat	upx
behavioral2/memory/5104-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-42-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000300000001e73b-48.dat	upx
behavioral2/memory/5104-151-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-241-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-242-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-245-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-246-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1472-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-279-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-280-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/5104-359-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1472-360-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe
File created	C:\Windows\java.exe	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1472	5104	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe	83
PID 5104 wrote to memory of 1472	5104	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe	83
PID 5104 wrote to memory of 1472	5104	3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e68986124730ff50e87d288911b2f90_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\results[3].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I0E3LJN0\733IBGXL.htm

Filesize
175KB

MD5
2a8d76147b01ccd848029c3f4ea13ea6

SHA1
157a38d4367f38a5c1cd2f301d278f391b62f6a6

SHA256
bc7306a3c03dff2a9db8ab8b66a7e42e28021989e4877a5fa981477fbc6c7f1b

SHA512
901429e7a1a3533e2b58f421df974a8b55a59d1cbeecab094c1037d51c0c4b9c488ec2130045e91dffecfbf38eae0c6cb8fca95855b17c93d14c00e72fd935f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\search[3].htm

Filesize
114KB

MD5
8ce884693849ac1fb3dad3e5ba7dc244

SHA1
123a222ebafe1f487e111908a8c1b516f9f6a0c6

SHA256
b25dbe351dadea38bbb308a7c76feee7735048bb17082e289a9bf0807cf7698c

SHA512
dcc3401a0240557e72f70ecb5e117f2b0bd32e9219968180ef86d763c61cdfd3e2eac619afcd8852777050601a26b71cd6a4624996e8e3c993fd4b559d53d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE318.tmp

Filesize
28KB

MD5
8e0ee77b5bbcef1f94a11c7d40549814

SHA1
bfa326311b77171c78d9b4ae9897712191881c81

SHA256
bb74445f2bac3a565be183aac2edd356310797bef8771efcb4eedf8960bdef0b

SHA512
20dbeb52513a9c1052dc794728ee8fb99a5d623e04672c09a26e190ba3d01d66b18195ab9d9ee698580fef43cc8a38c50248a17e72c20b4ebbb82d9baee50723

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
18caf4d0827812e5b10fbcb7d27f2e09

SHA1
e1c34f5f88a4f2452f89e9f6d50bb663d60c0b74

SHA256
a92210b69113caf7b9586483e097a225414debb646f1b21af1a5187deba58bc4

SHA512
a89320720b93a9a55c3ba9110bde469c1202c1648f424577e3616426fbddad7dbaf4be9225e62c7954f5fd539d057e18cc927711004028eb7ae491ad90f610e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
cd2f6a52c86b50e8421a9e44318e445d

SHA1
1bac84a216b3610507adf7bb88c15ab17ef4db7e

SHA256
fc3165248fb451c95e48c8d4c8cc9acf7f5e5b1a4f1c0f3cfc38052c4e60a33a

SHA512
74119fde24bf66be588d9e36a57465aa346a0b0794f8f384207866082aa3d12dd78277108c127b339b573fcd364c0049ea6cf0cc35b3b48e8fee1ca01e6c8bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
c1091947bcc6b4c333e29cad6cdac3f6

SHA1
bf477e35523a5bbfad893e0035c8543a2247e056

SHA256
ea5be4d1cf278987692fcde67932f27655c81c79210cf9b37946db2a91997c96

SHA512
fc7aa759166375d5fe67c10f06c667161b06b4a216c3a0c607290e439bd08cf0465fa5809c68444bae0ba1840241fcbd17db007f71ec68cf5bbacc7b87568a71

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1472-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-360-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-280-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-242-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1472-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5104-245-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-241-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-151-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-279-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-359-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/5104-42-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads