6fc0c57a405f4733aa8118ba8e3afe7b84923b20665228b68cc338dfa0bebc54

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe
Size

28KB
MD5

4dc294b0948b72cc01a1ade3ef063f05
SHA1

f2213543a8ef121cda366eec4f04fa9e47c797dc
SHA256

6fc0c57a405f4733aa8118ba8e3afe7b84923b20665228b68cc338dfa0bebc54
SHA512

6a3cab5f8a039ee7be12aba8f78d0c334d3031f9b6ec6d96251096de45904bcf7f1f6484413456b6c495edc12ac084c6c18d6a856536e5a8c5ec388840b8eb19
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN/gBPIr:Dv8IRRdsxq1DjJcqfwgRIr

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook

Executes dropped EXE 1 IoCs

pid	Process
4356	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4320-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000234bd-4.dat	upx
behavioral2/memory/4356-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4356-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4356-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4356-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4356-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-35-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000300000001e71e-41.dat	upx
behavioral2/memory/4320-93-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-94-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-168-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-169-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-173-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-174-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4356-176-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-180-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-181-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-203-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-204-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-205-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-206-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4320-355-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/4356-356-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe
File created	C:\Windows\java.exe	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4356	4320	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe	83
PID 4320 wrote to memory of 4356	4320	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe	83
PID 4320 wrote to memory of 4356	4320	4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4dc294b0948b72cc01a1ade3ef063f05_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\8VMWZ209.htm

Filesize
175KB

MD5
50c3aed28874fe0b525a0f979d8fe834

SHA1
ba5f208d9dd7d1f4e15cca3c69aac66004af6594

SHA256
af0a760c15563a0bb5cf505a45c1153bde843b96b2423b4f2291b29d7042f6dc

SHA512
9871f98959834272c08bb0b310aad6c8ac3719b4506e34189d441d84ed8020f4f798f78d246a77d64facd55b7fb244391e35b678715fcefb35f562c232189743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\searchWFVWMAI3.htm

Filesize
136KB

MD5
d35c16ab6f49d77ed0b17ea58d5eee53

SHA1
9c07f483f576c10f3ddf66d84d0055ff35b13622

SHA256
6c95909ef34b5778d0ca0d056fb3c7c07a945abceed30e373267d07b9bb8fbc7

SHA512
942c0c393f5fdb351b1e89b382d18c6c5360bad5843ec9ca79abcffd13347fdaf429b2c1023cf5462a7d8cdafb6e76f357727d92e12a39115fb49ffd14dd9400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QOWVUGSW\search[4].htm

Filesize
118KB

MD5
b12c91dbe42224b3261d7c47aa6db7c0

SHA1
143705e4c700f32d11af9b934b44d557b25c5943

SHA256
a4cc837426c7d088997f8af1b173e7b8f5a9c72aa56b69fd4335b9684b76478f

SHA512
206c4cb406b4144fc5e3fd7e46e2793e3d897a2b0a80d5f25c5c5d30fb17a59fe5d7bb1e9d09882e1eb00d16a8ad33b87e2d93a5160058b5e3f6f8a011fe3da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQL8WXAG\search[1].htm

Filesize
133KB

MD5
1eef027bf3eb748656754795e39b2e4e

SHA1
be08abfe02396cc4d738d000df503556e687fa1d

SHA256
97e676303706ca45bf769c24fa3c101abea4cc349c072daafa7e3b12a4f40b6c

SHA512
c245b6cdfe09b6774b302d2f0ca2816bba0d33b87c81316371f7ad0eaabd29f96a96930c61ab85cdcee94cc9675f0c2085dbb08afc475cf9060bde5022458808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQL8WXAG\search[4].htm

Filesize
162KB

MD5
6c0489267bfff84f426a1cb53b80848b

SHA1
d50bfc1609e7451bc745e072aebfbb3aa96ed6fe

SHA256
84fbc3471502806f1ff387f163a62ee90d2984bc5c7c83bdb94007800a9392a3

SHA512
c9fa4a5ce2c595f2d6ccc3c50edc42d91d24e43b9540cebe07f013bc0a3d3f511c62729c27c87702fa9083b168c1724166a73a6d8fc3ebb8ed5d5dafdb4062a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQL8WXAG\search[7].htm

Filesize
130KB

MD5
77bd21488a6dcd5d0fc83e08b0ed7d66

SHA1
1eb6a9b902765e4a4b625b78df424e540ff1b33f

SHA256
10930447993346c69b847f05c5d610c3fa6af6c70e7863aa1b17befa67ad5480

SHA512
f64bc2c4cd970cb16ca1a3d1c050cad96dcaa2d380268c03b8dfb834cc1b14b59c01afe46e3eebf0a5ab19f75b3255d1dfe3db7b83199230453c036b340fd4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\results[4].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\searchR35VHP9T.htm

Filesize
150KB

MD5
1ab929a1e3a1e3d84914dd0f5c22a9d0

SHA1
d5978ab464486b44016c5316d5ae2729464978db

SHA256
0916c7954a32b8cd1942e2bafcb4ba72d91c653dc7c8bcb425653964b7423255

SHA512
2e72496ba0d1e5fed1538861387d37c52da193fa591d2dcc717e3e02379a3ba25da98c6bd2992b753133f17cd2d8625aa750f0a2c3cd419a9a828f6fc31914ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\searchXJGOOAAZ.htm

Filesize
115KB

MD5
c9eed4c555b2d898838f5626190f592e

SHA1
9e1140e62eb56d942c2516f8a6d7f783cf6c3340

SHA256
a5e7f2c1f65757dad2b68fa5e5c9d87b6611aacd4b865df7485289172760922d

SHA512
00a65c805ad21bb5b5af71841e2960fc0108a72ba276f17721f09635ce3d2668f1ecc017a1b260b323b291626b98065f7e71ae979c951389ad5623731e0f4b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\search[4].htm

Filesize
115KB

MD5
8b168711c5f853c6a050ac0d62743f68

SHA1
545782e5f642c7311554dd284310c5732861b71d

SHA256
a57d36e239bd8b23fbbea76f7724d491fb0fe8b70ea9190c27805ea4c31b80b6

SHA512
771d337bc527770484d7af8d4cc3b36b9e0401c4b917d74b53ced5105e2192cd54fe398db995b8f66bfed58676bb06c5c57e96080e8ebf4f9e5fe6440f4a3568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QSEI9KX6\search[5].htm

Filesize
108KB

MD5
a55eb88ac5c6fbcf40235330a33a41f8

SHA1
97d8a9bce3a620f8c99cba7e531d41c1e76e4c90

SHA256
7d5024aae95b078b8b50098df81f75ad3d82026743ff092b76451e513b3426ae

SHA512
8912298b6767835cd068974c41cc1abc9c5503b13741791352302371febddafca8a425195fe57dd24e52227d2ea3098c88e39cca7a6ae7b6ce5e666ba39973b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwlsnajbO.log

Filesize
1KB

MD5
539782893971e3481788979643ab6faf

SHA1
3a6ee8f14d931cf22823a32ee456ea5cb596bf2d

SHA256
a5d52808ac98990e6c4863e5b48c7b522dfea75c7af1cb9bc3e489e1e25d2588

SHA512
790791f421abf3959311ff31c414c9068b5ac8c272ab431dcacc53af64491dbce90e6a50deeb7661b021423919f733ff831f4d7fef7b6e5b54a40a7c86f9b739

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1E4.tmp

Filesize
28KB

MD5
adccd9815b7b2b87bd54b6e4424e9930

SHA1
10d90d523b971482ae00fe8986ff543fc859e6b6

SHA256
cfb98681c02af161b17756f7ab702966c96422ef47500e5f6c61b6b2bc57a99a

SHA512
96209e3f678bef97e037a930aaaabc5189b1c461ca3db12509286ad262e536f30022f26cba71459615c0bd7db9be019abb996e11a845e3e4efad6b63cf21b3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ec314583f49ba25bfefeea59e42f6bb9

SHA1
bd261e271e5e7990ad5a4f70bb3a3dc5a3c7ae09

SHA256
27e4d6858e5089992753d1d7bfe9f544e87f46b8f59eb3bd92975f1285a706fe

SHA512
51ae0457b53be8581cf92ae77bd18fca4b72179f7b8ec49e1d62e4e45318f082933d7a955a9f47a8251a887c23656f333bc758c9ede591649815e472f8a55567

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
d89556b27972f42f182563c27b57030f

SHA1
90939697ba2b3e302d85787ffb0c7861f89b85cb

SHA256
d976e2c2e1347499dc039bf1d4ccecb14e54195c1af0d704f5312449ffa637e6

SHA512
aa101066e1cf8e5c0e54fc27b628a91375c7558bfba9a85515ed436c1eb16d0b215dfc17a2008b7541af577204e516e7673f8b31e56e630f612767c843b1f6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f45a12b90ac7bfd225932bf6c5651708

SHA1
958579db971497f65bae710d5e229f508223033c

SHA256
6d5791ece04e706873ec41262e8acd2fc11d78340e0fc9b3712b0bf8e38f5fd6

SHA512
17980a4103e8277cf14f6eb10cb16763b5cd7b3e93c06972ca17c3424fe0358a3acb6c40669a319f4ad92aad9276d20df2fafb4bca5d3cb9a8a6aa1a1470dc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
b6b1fda6a23ca7e906112894fb5b658a

SHA1
1dd4ad7444ff121726a50d6a363dd84deac3d56e

SHA256
16c1a96ec062d99251e376acafaf1215023e6d906ec6e43f78c3f8ed8fa3a01b

SHA512
366884788dc5a6d8f42d99aa53a0c7a1a6f1ae569596cd698af482c63c75b4c3b83d34e3e5512d05b8bb3f27c06d23ee7f28fed37aab04a23e876d4be0958671

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/4320-93-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-173-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-168-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-180-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-35-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-355-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-203-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4320-205-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4356-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-206-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-204-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-176-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-174-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-169-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-94-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-356-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4356-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads