9fd2be76468a567261f907a2c8268d822f9ee78750e1139e08bd871345e4c06c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe
Size

28KB
MD5

6414b47beefd8ac4b96ceffaaca49714
SHA1

6c5dfcb663f22e0940903d074dfb6ca0981aa584
SHA256

9fd2be76468a567261f907a2c8268d822f9ee78750e1139e08bd871345e4c06c
SHA512

fcafb168a58075c749258551edca1358cbe4bf08de3bd5a56894554962a96ea2c78b84315ab50503108d85d07cdad83a04253556e523ae10ae273cae78ab2f2b
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNmEN:Dv8IRRdsxq1DjJcqfpK

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3100	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/796-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/files/0x0008000000023459-4.dat	upx
behavioral2/memory/3100-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-42-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000500000001e73d-53.dat	upx
behavioral2/memory/796-199-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-200-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-274-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-275-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3100-279-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-283-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-284-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-376-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-377-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/796-462-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3100-463-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe
File created	C:\Windows\java.exe	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 3100	796	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe	83
PID 796 wrote to memory of 3100	796	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe	83
PID 796 wrote to memory of 3100	796	6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6414b47beefd8ac4b96ceffaaca49714_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\YEPQLSH2.htm

Filesize
175KB

MD5
a8171503ff2c18e5713b6dea338aca2b

SHA1
67fb7dc7d7e5fc3323344180c5dbec4309c69cf1

SHA256
e29fb89243f285eb08e4cad3893fa788806c8adb131ff352de88ec1595b2ae02

SHA512
4e4b510f63fd4887831e527ba6de57cf73f40507ccad77a0b33cbb1aaa15842e4e40a56c0891cdbebd2fe2b3e7e191235e5c164187f6d919aa412f08f2a8b069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\results[4].htm

Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\results[6].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\search3L4P50IO.htm

Filesize
124KB

MD5
071fa5b169400769365483df7ec0e0b9

SHA1
4c82d38f2e7af86a947e960b2397c4e17b6e082e

SHA256
646710c6dd33403a346b873e83700674c5fb1b43c09043d4181fb56ecb5040fb

SHA512
631372c2dd4ba66c3c8a24da66aef2379bc610a993a2de32b322929edfc2dd2764bb03eff16166001caa8f76967f7b30fb51919956f48085f1ddab40f3881d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LO59P0R8\search[8].htm

Filesize
121KB

MD5
10c6dd43135ac81b1c8eebcadea91df5

SHA1
0da9ad55236110b3c207a17f4a5c811870b6739b

SHA256
ed3debb9003f3243ef338027cfc10c24e584c36d62ab78c8b9896654814a6f9c

SHA512
834113fc9c32f2e38318eb04e4f1a9a6cd8fbde8211b6bf35b8de4c62b2dd03c3bb6d7f393caf861e2e091488a560cc088cf7cb7aa15e3da3c94211c27eba39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\searchC44TFM47.htm

Filesize
102KB

MD5
87fa1f692df6d265b3209b61569bc133

SHA1
77ba309d5570f95d1ae3f904d58e45d605a31fc3

SHA256
31d48030d6f4cc42146a08cdd842bb5b7706ed599101eff80444443a1d92de83

SHA512
94a7d1440cc7f4be266792817cb5952923f41d67c48fd4c05344966baf843694d56edbba76445745da20ff529e9c555989ca5771e745e42e05f178f093974fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\search[2].htm

Filesize
120KB

MD5
58ba574bdbcf70610163d852269a7f3c

SHA1
68c31e16833775fde37cb429d4218bb2d7301e33

SHA256
0e048d2dece32c0f656309e092ef1c25cc1e3f95f24f8e03498063c6b74d63de

SHA512
50df31e09c6740a32811ccd1053a36c81aacd54f7781664ecdd67ff8b098caf94df810982b56ddb4b91414e389f73b87ab9650647a90280f30fcab4ea777394b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1DWO314\search[3].htm

Filesize
130KB

MD5
c584762f597a7a29cbcd7a7051eb1518

SHA1
ab63e472efc1d5ddf43655e2916b5a9ee170d699

SHA256
a5b314858b18a7e1cd4b0f38f032c9531cc3639d94e1fcdda177c0a2acb78eaf

SHA512
15b80bffa8da214ed26b10e1dd175be6719e3f11357eef29ab340f27a4d9b429bcd25d368efb884c161537d91d475eb7215ef9d9347584ee92a37ebd38a8e138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YFAWXPEZ\searchYV5J18SX.htm

Filesize
145KB

MD5
24c32a142230668131ae8ef56f4eab22

SHA1
c8d9124b6090127e7f3d0cd754ab789b6442ce3f

SHA256
275ba4db5bba8a162b32221b36fc006917b440fb8587c0e087bb797c4acb61a1

SHA512
40736dfc8eaf10e02ff70f1b3c9f28cd09f18b19c1a01ab4fa1f42f76f2f32cc4fd2548d62565a621fa79d56de3adb967516065f09fae31abe35b952f20b497c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YFAWXPEZ\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YFAWXPEZ\search[8].htm

Filesize
114KB

MD5
a17dfb8039e475b5d5a5f5e768903b3d

SHA1
89f9a03af3c945c26bb394c17aa0d78b8eabeca5

SHA256
86dde3cb2e3fee7b29e1803d1c7d9f3337b954d39a3056056087f34aef544bca

SHA512
6c0c60860b3adab1d6c9d49e85ebacb9b35faec523c48ae5bbe953369b72301a180faa591758cf4672c5375f4412bd79325211ae5b5f6a0e9fb1e1632d5fdf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YFAWXPEZ\search[9].htm

Filesize
120KB

MD5
bc990b192513bba7735ad0b3a9a24b1c

SHA1
5a6f8f6990993cd9ff17ac087d6dc4b3e00de720

SHA256
087bc4318b76de7db6e5590184d0173d55f68f7d8b1b2e852342909a636ffdd9

SHA512
696a2f4eee926621618e5e6e74480bfbd7d53ff2eb2e736bd4c5654242c4ddd53721011d6be5dd12e826064ebf3931c0457a653c473bc86902b32275af56eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE45.tmp

Filesize
28KB

MD5
019e0187935191b1859ffffc0f3f1e44

SHA1
ec9a6349a21de3bbd4da87bab0e4e2459d80c26c

SHA256
897f88acc34890fed7955036b43028a6c56a55313d875d3f5f0b35e6e3bf13df

SHA512
56759aa7fda1333f980c9b460451dbf5782627eab862f2b3ec44c9a3375a47ac2624aa1d205c4e7c4977071fcc46487ac9484e8891355fe4ccf075bc3d351dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
28ceb1cd106a17e9ac63e3ec78501ede

SHA1
4e414eae972c5e9282b0969eab6326bab3123edb

SHA256
66b7d595f52d848f206e1629f836e298adcd696f8d1b5ac945f5329e489f9886

SHA512
bca7b4bf08eb4de9e792504faa8ab07c9c1b5902b5d6a767a2bc597128d180bc110e9c8a029888c09bacfd288ed8f537641c88f845fac352b2f68e7d3624ee6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
1fceec9dd55fbb95cf2a331539af337b

SHA1
333f903fa2021d883f76f50d34a4b105f9783fc3

SHA256
ee3de724cb4f202177b084cc0a105dbf599b8d9c68adc59848000b5926de9df7

SHA512
728e34573a7eeae668b518aa96a9f25dadfc6c0fb3baf2fd85eb2ee7574e825713c6447b03a0aa5456fa933661f8b2beb1bb30ee8ed63167caa73503349ddf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
cb0be3e27479c618b03f92c830974c11

SHA1
112901ee5c404b4d3e4f1c6988d70067614875df

SHA256
2ec8f804aebafc5cfb557d10cc429e8ddc02eafbe02b68d39fd6e1a7eeb9429a

SHA512
e405458c0398009b9ceda05e11a24446f02d8b8f5116e11e901a96e27c24f67f2ac3b234e19107f14c01ce3af3da3c5d730e2f413283066995ca4e344a1a615e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
085109b22a25717d228197ec6af48aa0

SHA1
9e052131efd2e9cf117d0002c38acfd6e9dafda1

SHA256
acbc67d74870d122cb715d598ae96d57a458ee6e2700edadf26b97f7fcc27043

SHA512
cf9c695b7808582ff656d147ee7a75133e4e48abc50cf1ae9244a70883140226b011a7eccd719ec96c9fe72c093f035657d2c44f1b5683ee811117c07906915c

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/796-199-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-376-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-283-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-462-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-42-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/796-274-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3100-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-275-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-279-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-200-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-284-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-377-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-463-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads