85456f338acac62d5bd98502869d8a6dcbf6069e481d23ec992923e3dda54395

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe
Size

28KB
MD5

403ad937a72b20634eedb1b1041bd7ee
SHA1

5064fa4cc8f7a9b1b5b962ccce0e850ac65478b0
SHA256

85456f338acac62d5bd98502869d8a6dcbf6069e481d23ec992923e3dda54395
SHA512

06d756541557b10a1886e7225acdf6f9bd813d1325cad65b3369ff9b01da024b15d221ef87331c3a3f27d433b6e2b7ab8d4c3b203bb48e0b546a51feedcce442
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNeBDyX:Dv8IRRdsxq1DjJcqfTB+

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1020	services.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3452-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x000a00000002341d-4.dat	upx
behavioral2/memory/1020-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3452-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3452-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e000000023381-58.dat	upx
behavioral2/memory/3452-63-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3452-258-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-259-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3452-288-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-289-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1020-291-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3452-295-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1020-296-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe
File created	C:\Windows\java.exe	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1020	3452	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe	84
PID 3452 wrote to memory of 1020	3452	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe	84
PID 3452 wrote to memory of 1020	3452	403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\403ad937a72b20634eedb1b1041bd7ee_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CWF229A2\results[2].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CWF229A2\search[10].htm

Filesize
144KB

MD5
3be71b2314f80bf6d043d5f99cf30320

SHA1
8b2372114080aeeb64907c5476ecd8a13b8929b3

SHA256
73310019302b537a137501095a90a3b5eae815a31700f048508c91f6a3fb1b54

SHA512
b5c4bf8671254820bd8e20be897e582420fbcd078dcfc567c97f61b94778aeb91f4a72c3de7669d2471dd299875ac2c0f01dcc5a5f6e73bea15edb2da248d07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMLLHXYA\search[4].htm

Filesize
114KB

MD5
b110f913eadcf28417af7dc064901a39

SHA1
8156143261437fd53d0e03f9f98bf177340b8d09

SHA256
432b411c2c08b41b5b8f67f9f7a668090cd9f0d9018c9482e7aaa50d3b11d3f8

SHA512
46f609267e3c1b5d1e3e061c7b132269537dc890a709e840bf1fc16985284c6b79c15839dc7c379b0b513e7b893a75a8c18c3c153eec9d32edba45ef34efe0ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\search[10].htm

Filesize
116KB

MD5
dc065a84810c62be687c22626404c5b5

SHA1
f555f367ec517e553196d336823a9c08f21f473d

SHA256
38f94b3d60be515cb71daefa517c84f71515f04409a5e626dd7073100ed1f295

SHA512
f10bff7f40766adb84b1c00a4d82551d194ce16616c3883642723e2d1c023748e80233c9c35638031fa4d7c7eb3be745dd0c3659b01004cec3ded2c3752ae2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\search[3].htm

Filesize
132KB

MD5
ba3b83c072f7dca2bb7fd9e4dac9b169

SHA1
ed5d3c34fcde7891c8dccc347893f6ec711f6b60

SHA256
80bff95cf771e4dc84344b93ac1ceb5eb6423e8e0c576383cf5454fd168af7f2

SHA512
18ce1f48028168479d5b496a3b3b2b14032abedb9ed9b6dd78f284e9a9443514b0857923934d3c92a900e7da9cd61afdd256f4187ce5611ac26fce3335b522ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCRJMNF7\search[4].htm

Filesize
104KB

MD5
1039d01e2b518bb8deb97380aa804859

SHA1
2d5c2bc3abcc9c07022dd6c15db30072c664203f

SHA256
796a266bddb297bd1570c70ea634e4407989d873112671f0307cb94c6723d296

SHA512
ccba66550002fc8f91d9553e0c71a2791da0aa23348857f0e977715a146098043ae248bb040da123ff7a542e4fb99bd86726575645de513b95d743f8406be99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\L4RSVOPQ.htm

Filesize
175KB

MD5
a26a75399541306959c4aa98f42cf096

SHA1
07589e2231af96f409bdefbed54c06a4cce9ca87

SHA256
e4f0458db1de974c6d924877caa3367d78a7d59f54ae97d4fa2d45a3247722d1

SHA512
040c54921a5fd174a75f6beeeda96917ec1d67055494d4ce2b6e71f77bad610a6b9fbd587444c30e474b9c240fea7a4ad68855d90de3cd7dc678c1e3c81be9f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA59.tmp

Filesize
28KB

MD5
bcd8bc9f190fc2c8752400b301fbee72

SHA1
d37451c6f702009a37ff2917e07432644f723b57

SHA256
d63026862456974bc6e89779cd51d8833422cc9003fef33b1a100d74ed0466c4

SHA512
bb9aa1bd58e9717b286a1f129fa4ee4ad4b6ed88fbce7f3d00315aa72703a8d57e12d138624920fa7b922893defb985eeebf18beb424e407ce43606efe5dc6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f66d46622dd8b4b3147e633e2da518e4

SHA1
6f1cda18f30d04140eb4970bab57e3ef7e0d51aa

SHA256
5858d5aa62295caafa2b5e46ede1e9d3c5812b674eac750d8b38dfa71cb9802f

SHA512
d11bdeb49b4252725161835ff507651fa438ff7d5078d236010c3efd0175a5bb1465eb36b6aef46706324c9330c48ddcb55828b44a138a1247bfc45c259b2c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
88740a58914d0ca98793a9d1495ab634

SHA1
e665708212d38f7f6db2caf8991f40a8da5f1aa6

SHA256
52966eaa903772507de129273558c5ee21590519fc6d881d9d5dcd314841cf7f

SHA512
a536b319a1e2d9b99fa0b38656ee0295b9205d48ed07411b7ce2d56a86898c6fd6aa6fe44023c49a46d5b187bf8209b3297ab5be63619ee75da4f58a3f66f476

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
3a54ff3bb065b09bc27406f28c6756ab

SHA1
b0464df6764b60ece245ecd64818cab6866e761d

SHA256
d55281a5910e0e8822aef1ba1956cd2bc0acb7223534a1af0fe4b80d42c59f45

SHA512
d09523aed6d5c5094d24e3860f509cae9e567799000f292f8bd95f9bd18f4e9485090a77bebc69daf9359d04274aa6e73688a82369f6b80042922c08ae000905

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1020-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-296-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-291-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-259-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-289-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3452-288-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-258-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-295-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-63-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3452-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads