ea8127dc1790d0c0835146812f3d2ce116f9bb404c125bdb0723770f1af4c6d4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe
Size

28KB
MD5

62643b4224da7ef592ac67fd56641434
SHA1

61ab06c814def1f6f42287e93302c2b809dca25a
SHA256

ea8127dc1790d0c0835146812f3d2ce116f9bb404c125bdb0723770f1af4c6d4
SHA512

861773287cbdfba0bce5daa5ebea0961f547bdf736b52e532d92ec77fb9773daa4f9472d6dfebf27fd975357c8c52a8a4f5744c9bf9cdc016757dd7612c49dae
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN8Fq:Dv8IRRdsxq1DjJcqfZA

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x00080000000234f9-4.dat	upx
behavioral2/memory/1396-6-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1396-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000e000000023445-53.dat	upx
behavioral2/memory/3252-104-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-105-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-158-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-195-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-196-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-221-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-222-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3252-232-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/1396-233-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\java.exe	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe
File created	C:\Windows\services.exe	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1396	3252	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe	84
PID 3252 wrote to memory of 1396	3252	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe	84
PID 3252 wrote to memory of 1396	3252	62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62643b4224da7ef592ac67fd56641434_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6ISG5HPW\82B2VVSR.htm

Filesize
175KB

MD5
9758c4039a8b6e1138edc86638515057

SHA1
c83549fd42171b728c33af1b8f31f8767ce716fb

SHA256
a90dae1d8021bcf6dcb7fb24e5ab5b926b8b1e2b98ca162e90711f37ba33119a

SHA512
faab2e9a85eeee8c299dab6c68fdc9b8960a93d4dde130d83e59ae4df73bc2fda11685f8366cab4c70be0dd8f5c45b642414d0bd933a54ff49e072034581d456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6ISG5HPW\search[1].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UEL5ICRL\results[3].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UEL5ICRL\results[4].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjUt1g.log

Filesize
1KB

MD5
ee155b974de6f15dfe330d0b334e7cfa

SHA1
55cb4a532624eff79d78618155ae09b604348762

SHA256
14a9b1777b9a0e985eead0ddda70b7265fbda164ab82df870badcdf89f3d99b6

SHA512
f8ae6dba81b06914061d9458d8a8e35371de2dfe75c02c246e8d4e4f8323cdefae446d053e21eb714186936c0810a3e699b206bd50dd1a8b20cb31ef94232437

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp824.tmp

Filesize
28KB

MD5
1d2894ce378686d8f737266e5a3cba45

SHA1
f3042ae0e10873af59a2f60a9afa49c6c15839ce

SHA256
de92a4a102be178b1d4e639853e954c6789309962586a174c0259f677a78ef7b

SHA512
8c95ffcacdfa2f1c2a5c91944147dba44a675363b743179a35fd52438c3635dae100babfa6527fa4f46e9717f146e669d6791913e8491afbcf7c0fb11c108429

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
516336d49632624fafdc467679245086

SHA1
7a1b850d0101abdd95502aa79ec6d456a226f28f

SHA256
19641254854f645994391008ebe8c0948c6edceb357be28e6511f467e7210092

SHA512
e3b5a73354e327b432817d04efe73d322ff68b466db2d0e2887fd1c20d6d5bfb82640a923180fe413a43d20aadfcbb9017e1755d7f60cedde056581e26631bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
9e45ee4af639b45e2bbc1363e2eaa90a

SHA1
30c4973a2ed7cb25c424ab113a294700f123b7f5

SHA256
22980406890ea7ac791e227b2accb82353eca3def2cc676e1d83eec87b6eb2a8

SHA512
df9b036dadd05aa6d8240a9d28fc51fa175179da50d3d382fe7a09c2f3838f9d6486e08d133c74730e20dc3d9443d7431ceba90c6083133427cf6985714145fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
84f90901f9d1350aedcb28ed8b9174fa

SHA1
e76c3f6e94c321ed974250be8b27df753cf7a1bb

SHA256
6810de91c2152489592e41396b3d85d17b1a1280130baa52299ee0eb9a5107f9

SHA512
781eb7b0c5c847d06a9ddafe78eaf3cd34417717628e18871b71581cf9e5b4e883e049e0dd8b1e5417c4d897eac163199feeaf3736a9fbd9dde9aeb186569c62

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1396-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-105-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-233-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-222-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1396-196-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3252-195-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-221-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-158-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-232-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-104-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3252-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads