e2b6ee521ee0b25eff01e10c2e5b0f185061cb272f883f8f9e393a6053531fe2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 15:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe
Size

28KB
MD5

4257f23239bc23d9e2dba438d5d325d5
SHA1

acd5a4ddc1b4dda6f90773eca3fa8a54c814e7db
SHA256

e2b6ee521ee0b25eff01e10c2e5b0f185061cb272f883f8f9e393a6053531fe2
SHA512

3d4c15d6dff2ce35a25bbe5c7efedb5294afb1ccb4c1238bc985a890f1555105a73aee1aa31c892d71fb2b88022f86b0c80522798345603e84379e65cac3a0c0
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNGAc:Dv8IRRdsxq1DjJcqfd

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	services.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2308-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000234ec-4.dat	upx
behavioral2/memory/1800-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1800-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-49-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1800-50-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000c00000002344a-66.dat	upx
behavioral2/memory/2308-130-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1800-131-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-329-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1800-330-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2308-335-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1800-336-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1800-340-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe
File created	C:\Windows\java.exe	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1800	2308	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe	85
PID 2308 wrote to memory of 1800	2308	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe	85
PID 2308 wrote to memory of 1800	2308	4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4257f23239bc23d9e2dba438d5d325d5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\SRRM025C.htm

Filesize
175KB

MD5
e7ce28e01afe31e48a94e320595e5d85

SHA1
ed27419db2e77622d2eb364df11562bb575501f8

SHA256
03f26a7686abfd67e29c933f4a080c057baa1e98cb01ef9766387f06fdeec44f

SHA512
0fef239aaa8833a37923165f17f7c09b9cafc7341381d8d01fe2ebac43adc42d80c5d06179951ed5a128e8447841cf5f0e0f91930ff7843c20e383052d4047d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\search[7].htm

Filesize
120KB

MD5
f2a638fa93e2ddc834b461ce86e4bc3b

SHA1
a63ef04c21d0c7fa0d5292a1a70dc7f6748334b5

SHA256
d05b782634cdf41c823c7fecfec0c05ebddaa3d93752b18e6b75e0bbb3af6f83

SHA512
98af8a264990cc63ab2a1ce7c5ec7736319896998d0c7f516492b238a5b5055f963140d010ec83488a9f02ed1cfa9829204f42ee35cff4f12b590329de9c5571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\search[1].htm

Filesize
129KB

MD5
e800ad25b47966a34935070e4cfe5be3

SHA1
892a718dd6197f4ced45bc7d704ac960bb674d4b

SHA256
d3ee7fe06ce575444a68c311564db93422916deaec82f759776379d1ee0a3c2a

SHA512
a5a40f759e837671f5971bc5d6c89ba8fb28eedc96fd2fb5b1d682fcc0f093865b2cf51de044963acdfd21991c0afd956a580bfeec0b0d23cef740c78f722f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\search[5].htm

Filesize
132KB

MD5
de75c71db089d4055d714b98f8094d7b

SHA1
8a223b6ff6646cd18096355022bedcae14eca23a

SHA256
a7f67daac4948b4697bd90670e174f92200081e8556e4120fadd658ae668a35e

SHA512
3c13f137ebc27c5e4ddfc329c63f37bf54fc3579370ca0510b3a4bc38eca3e4edd9caeb15af6b8ea92218e9dceab48e899142697d3950090d97caa8a1e67db90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CG8E3YOC\results[3].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CG8E3YOC\search[3].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\DGIJVWXD.htm

Filesize
175KB

MD5
b2dff4544047f93375d41fdf983ac262

SHA1
8d70edaa15e247f4b5788241b0ab330048fada60

SHA256
9098214d96015d57265c867677a786dc5d3120e48cae7738b98c8f35740ff575

SHA512
71409e424c45e5c287dbc12c6dc5cae05911ddb460f78d90a9dab95a468ac5bc9e5424786e7160192220d61881bf0e7d06ce41b4994234d41db3e1f80024ec35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YP0CAEAA\search[4].htm

Filesize
117KB

MD5
04bae42e40535d88d1c93c915c072dc9

SHA1
e99fad17ea915820ecd6de022737a1530df21766

SHA256
87293052dbf4234c8e98992d472a90a94f9d14d213348aaabfe2a68e6842ecb8

SHA512
9f501e0d93abe288597e5f0fd5fdc7cb8bcc6a5a6e44fbb6ca1f1d5fe73c7035d737dcd3f4299102e7557e5c87a0a420d8006c0b8c7edc62f5b03fbcd01c4b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4196.tmp

Filesize
28KB

MD5
01b969daa3dda1adbe1d6cebac3b957d

SHA1
cf1e8896ca475e7f14023577d9d98fe2cf74a55b

SHA256
52d31d7365d8f03bcf8112cfee2ea8bad4e0bb010f3697d5c29b3c1984270de2

SHA512
a9d43399c19ed8d92285a59763f33cd289756a6d322febb878d87090904cc1c131553cfcea2e5b1bd52b31ab99b7b1cad87382f628c56eb2b2500245f73be850

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4288.tmp

Filesize
28KB

MD5
b6a8c870aa76c8cf155596ca053207cf

SHA1
e81f5bfbac496d72fbb512f4ed194b2a52556a06

SHA256
270531da1be1a01e20d0bef97ad5669fe661f40154ad4e069fd20b73cf41c0ef

SHA512
796cb67455c9fd53eaa57fa2db754ffc226cc72cb37722edeba883bd7cd962327f325bd4f748729e82d2817cd5fd433f1d538dca281b74b2b52e262dcaf6de70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
89c845fd2cb1877941b7c16db8441801

SHA1
9a0fe4359b40468ee5f708d56d043a8c54a16229

SHA256
3e6044270f67af8d15b3f2b68f20559371d22dfb40c72f3aafc006156a5727a9

SHA512
ecdf06b9243e40ae94d0836cf1abc02b37f0a9d5663a784fccebe9399e9dbd48122d5d6b81a70e37207d7bd240692f46e179e9faadaa87a23d904fc45ccf45a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
820395cde9d2f0a71bf3af7f95e30753

SHA1
62a3b158f24bb52b2b5a4bf2e8e468cf6ec9bfbd

SHA256
604d577e7fba4789a4b1583f80c8503764504660e58bb479a8a739dc27b8b8d3

SHA512
c5f8cdcbdda3e3884f8d6603587e457d94e9f8d3f3d72cd4b160f8fbf0357db5c7fde3f79050a900c04fffaf4df380e681eb46dcb78687b1bdbaa899f828fd11

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1800-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-340-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-336-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-50-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-330-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2308-49-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2308-329-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2308-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2308-335-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2308-130-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2308-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads