d00581052c8624d968f1af763c5815ea2948748942cf67c8fab021758f636b2f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe
Size

28KB
MD5

1ae9bb4a5aac1852983e4c9d6bb8ee8b
SHA1

1f426032081aa011b9b3eb32bcdadac73533168b
SHA256

d00581052c8624d968f1af763c5815ea2948748942cf67c8fab021758f636b2f
SHA512

589ba2a98802f48dd8a5a58ece3c1368c4ad58fff4db8f078c1ff86c8392ce778f395b8c902117fe013eda1363c31ef33d15d4c29046240f0e181f1bbf180481
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNI0N:Dv8IRRdsxq1DjJcqf+

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2532 services.exe

pid	process
2532	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3680-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2532-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2532-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2532-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2532-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-30-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmp1A0D.tmp	upx
behavioral2/memory/3680-118-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-119-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2532-212-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-211-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/3680-215-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-216-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-220-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-221-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-253-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-254-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-374-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-375-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-379-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-380-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3680-390-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2532-391-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2532-395-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\services.exe	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe
File created	C:\Windows\java.exe	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe

description	pid	process	target process
PID 3680 wrote to memory of 2532	3680	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe	services.exe
PID 3680 wrote to memory of 2532	3680	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe	services.exe
PID 3680 wrote to memory of 2532	3680	1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ae9bb4a5aac1852983e4c9d6bb8ee8b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\searchIMECQPQW.htm
Filesize
134KB

MD5
15baee50df2f5391c928c6b2e61aa0ca

SHA1
733822fe9beeb3aa7e10c476f3079118eb3883b9

SHA256
3f0ad5bb9a8ca5114b0abd78bb90e8284e3b1169f1c0a69e858dfc9a7aee72d2

SHA512
753efd581be59528158f132fa10ac23a521452ecd734cb3a83861f90ba744d46405c49cd7d7de8ebfb2a68a377c8a108cbd38538902e1e6314f43d50e48deee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\searchJWA46QPU.htm
Filesize
144KB

MD5
4fc98b3479ecce8314d3e038da145897

SHA1
df44bdca97320624a9ee6be084e4de12ea06838e

SHA256
1af4f2a3f94597ea2a07e94a347250809eda6cad3a86dfd10550258f4b84db93

SHA512
ca805e12f7a64bc98cb6f701a1484dc52dda063a575438fcf8fde251dd113083e5f76a00b3ac7c1bc71de37cd513cc456f8043cb0b0022c93c07b346e370415f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[4].htm
Filesize
149KB

MD5
3231e809c8454316890d88f752b76c8a

SHA1
eb5f1a000894c0889b66ddb63d4a1d5000f7deb0

SHA256
77d5abe3f4f423ca49ac0daba349979686f0af1d08cfa9d283bfc0831199d204

SHA512
95f881cf2457def0c63cc6d6d13ad8d9eaf4505f1376aab47899ad088c39ceee46ac07309a94a89e1c1dbb083d926060afe8b7f8a09153fa909ce177e0408532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\search[6].htm
Filesize
185KB

MD5
9e97c1ee9e22b0e0edbc00192dbe167d

SHA1
61c264b557f3fb57cb093dc586d0ac34395d4be7

SHA256
14b063f777c4b04a1d542020c7b0d90ae04c58184ee613358f9105f7c8230f33

SHA512
3f0dff3673b4f5130f557657ecc75ff16b1e5b6bc090c832264b99d288ec7453fc36a416aef6ba36f33e940e9fb94b0507ec45b6840984ea5464383aeacafa7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\results[5].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\searchPJJ5Q7XZ.htm
Filesize
103KB

MD5
8dce27fc02554a58e25140de102e5e44

SHA1
8fe548d3608115cd72cb49f20d94094e9272fc36

SHA256
ae54e4217a53265c07be756bfddd253b70acfe1085363e389d89c3af1fb36114

SHA512
a6f15c69fb517b0ab0eec4b44a76d8007b8688c553426a856eb3e8ef799c562b6eb2a0055efc9666c574e0dd9fb7921f5a108bca754070abae3165979cc9c2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\search[3].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\Z3WOAYG7.htm
Filesize
176KB

MD5
93d54c5502222cca201bdd9da388ce67

SHA1
6865d285ae0f0a8f5ed1d035ec662ad6d0c635a2

SHA256
88bd1cbc72a0e8157deb2d712dcf127aa81e8502732f7b2f663943f9d9dc6650

SHA512
51305a43c664bdfa910f882ce0f9655d9e353a1ca556dfb2de1dece8d48e6372b20c078032950f4da69fea3c501bf099a7237788bf2f3c5ed5212d577dc76e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\searchNXF3OO4S.htm
Filesize
139KB

MD5
18644885ed63992ba4538578ff625aa0

SHA1
891c5faca9a4fe50809547ed9d754758cb1d6926

SHA256
5fb4d4ce507e7e4b2cf174474c1170a182eac1994ddffda89fc5e6a56189e8b7

SHA512
0283031b2b8f76fbb849d1a293bba07d1ed25392e728307233946e7459eb600d9867564ea269f7decb4132a894afa763865ae8ef86c9ff87677b9a933bc6ed8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\searchXI03F7SG.htm
Filesize
140KB

MD5
46e51db93a4bd83695fc409363e3caec

SHA1
afa952aa0f6cc023c376274ec0ca30d3788ffca9

SHA256
3f09bb658a728d0cae2d989fc850246713fb70d434b60ee3f62cf160af8b8535

SHA512
749d03b579e4329df464da2ebdcb3f7d96828b9bea3ae7c3e07d1ebd91c33b80c0351c17efdd87078f287010ec7bd2b5d551b1ed61dbed3dedf819a7988251ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[1].htm
Filesize
137KB

MD5
9cde11fdee0118becaf0a0430f499809

SHA1
c789eb7f4031669d4f92d824cfbe9d4a68938253

SHA256
b835ae705e79fcdf9f512738a82dd910605794187f02e1b05dd0a0b776bc64ea

SHA512
29bc67f1bcd269c041eb714dadbdffe1aa3260e69c73420c5b66a0ec3ad3cfc240b03579919e9b13b9f233f9cf4fd51b784fb80077632b18b274fc5a49398ca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RYAG7OSV\search[8].htm
Filesize
130KB

MD5
a229ae553e4ee3d77ad200df7e4dd9a5

SHA1
4243e3f64e4faa2ce94b72979a23607752fd5cf7

SHA256
962412f4fe112ab1e7d134c93c0cccd547be1a6c52c3271bfa9a0292bcdf3750

SHA512
e5dbf62ae352b348606b9eb123ce6c133e55e2cd6236ea6a84d0ea7373163fd75e8f25e7ea22d90b5da785f857836744066643e7cc1bea36cd135d31660e93a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A0D.tmp
Filesize
28KB

MD5
2de36d2ebc4d172183695395b713663f

SHA1
149482596b0a0d7aea4f104fe453482cc362ad55

SHA256
2f10f343ba2e07c514838479edcf1a53ae4b49048eea21c15492212a234a24ce

SHA512
49e4b022656e5a1d82c2a6f0c5f1d70093cbbe4ac02a73300a6b949446025d2f1aadda3d8168d5f13fda8c8ccb0b520f5a033b34204d708e545c3ff58ee10265

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
44664f90bb5028b30e1e8877e680eae6

SHA1
01355b0eadef6d71700f3985adaba67611f3879b

SHA256
07b0d300e61f05ad5ae8e94004f9fd316d8b85a7c8c866a1f5cf02a8537c02d3

SHA512
b81d91926598b346189f461ad70d3a8d7a59cf03cdcbff39abd425a4de0eff2dc72c935f863917122ea868c7452e760de07520cefd7f9335b748a39e3204e225

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
0f0b338adbba8ea07dcd664029e32541

SHA1
e83bf16b0ff3b2a31701025d776a449f20923b8c

SHA256
e22602b4d8986742dfebb6b566685bdb778addae356eda1724c8dc98b29e60c6

SHA512
84a105c3d46a345c23196d2c04d73688d8ec9c07d4a6d40dc8bb2c028e5c06c8a74b79a2e2d755449eb43fad47d4236536b5653106a047e758723f5e4032f5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
8fe576d39a7cbe394c1d0c59764d5a52

SHA1
577a7d171aaf06b40b8ff4b6d636d6bf8c305e20

SHA256
40612919342a2c08950c674723fa97f0dbd7b26287eeef83b25f646bbf43df06

SHA512
4dbfb88ebeb47cd59e9853093ac93e32b025d42e03912116bde76dce50c817bbc4648a5c064535bc9ac05be758b4627e0425f7e00814575117119faa8ad4fece

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
d0909f900bbea20c3cc1a89f82545c7a

SHA1
7f5129c8168daa9297b10b9fd8a12e8915a2005f

SHA256
47dfb254e0f6394dbdb72ca06d00dfdff680c3d82e9ea6a950d7c31ee581edc4

SHA512
4cb23c24918ef51b796681d6da3ad953215d50c001119897bf04b3cac40828b3408effde9a280bd2d1bcde74730788625d69c3bc34ab1aa25380b74b4ef84b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
7b3b2e4717f2d73cac16d29a85e42aab

SHA1
1e4fb08882eb186e421effc04335094777575b12

SHA256
7f2fb20303e83c7b6964e28d520bcb638f19ef23706374b38be8a93346cfbf31

SHA512
7f1d395afb5192f28968babf4136a4fa4644afd8e8b22ff1ce614386e3eaf51cb4edf5dce66777a0eaa3e6f8480da11770c6334eb53b0260635e11909fcd9420

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2532-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-119-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-216-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-395-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-221-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-391-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-380-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-375-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3680-215-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-379-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-374-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-390-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-253-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-220-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-211-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-118-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-30-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3680-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download