4c7b0f027b45ea4ab278ce9126ff9350d7580a8c3bff63ce1460bc47c1e69851

General

Target

63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe
Size

28KB
MD5

63cf1f3bd39877a0387ebe45fd17865f
SHA1

d129c97e36e9b23da0f9e26b00e2e17cd6dd7941
SHA256

4c7b0f027b45ea4ab278ce9126ff9350d7580a8c3bff63ce1460bc47c1e69851
SHA512

226e921528d61764c831a3a2b07ec6a29eb5c877d29b0465254b2441fc5a9aa01e0bd0024f99e3e31157d498f1e64c3038587b82358602449b5359dcc2a8d181
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNVnw:Dv8IRRdsxq1DjJcqfd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1096	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2456-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0009000000016d81-7.dat	upx
behavioral1/memory/1096-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-16-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-41-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-46-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-47-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000a000000016d66-60.dat	upx
behavioral1/memory/2456-70-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-71-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-73-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-77-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-78-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-82-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-83-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2456-84-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/1096-85-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1096-90-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe
File created	C:\Windows\java.exe	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1096	2456	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1096	2456	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1096	2456	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1096	2456	63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63cf1f3bd39877a0387ebe45fd17865f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62BC.tmp

Filesize
28KB

MD5
51c2c4cdb6825d246a9fbe2198e56c85

SHA1
d04f104d5633acfedae7b662331d561f7f93f6dc

SHA256
9bf77b3c8ec232f9cf903a922b8fa2028a804093053ecb15700bf91a8c583f16

SHA512
202799639d89f2b56fe0518ca2ecfea96fa7945f6c42b77620c01f9f98b6af1c67ffdad2932ffd7ca2dd1d30d7ffa86a193533c290b018edfb8bc0b0704ada84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
6abc562aad0f26d47702c05bd25532de

SHA1
27e0fa2db115b1eb49c3744d71ca060c43c5d312

SHA256
9f3a4629a5ff61610db79889785c2261163cc0d67d6ec3779e25b4684b80c9f9

SHA512
a6ee763456f1c4223329fcfce84d3ed17384c6266f73bf84e2b986f2d10904e9300cfbbd869e70b7ce905ff1b6c841ef80ecf510ca9b7407abdaf16c9a3d1fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
1305eb1903df08a6ae1d8a97b1e262bf

SHA1
c48c86951385ed9692ea98727167a7e4c181d2b5

SHA256
dbd399b43735ffd7ca3aad4c2564f241b65b8f1821a03608a651c776c26e0320

SHA512
4cf150974437e3a1b58d5af51d9011525418cdfcb7742183676d0223439ec7b4533b741b44daec9c5c6da6b217a935a4886aaf4e3b1b2b13e4dd709f2810cd2a

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1096-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-90-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-85-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-83-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-47-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1096-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2456-70-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-16-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-77-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-46-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-82-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-84-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-41-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2456-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2456-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads