0002e69005cc174bd43afffe3b1a06e604765d5b1a1c277a8c333d3331c0bae9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe
Size

28KB
MD5

1ba49df189232267d14fca552a3f9852
SHA1

7dee9329f8d1b349949316459bd86a5e79c65082
SHA256

0002e69005cc174bd43afffe3b1a06e604765d5b1a1c277a8c333d3331c0bae9
SHA512

6054fe41f523538c32e71f2c51ae987b18e8ea93e3ae2a69d51c9c7173e11c02c96f4733e0e67cc1fd62f0cdf972d91b42fd0ea05156642d613d2a128c93561d
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN2FYaB:Dv8IRRdsxq1DjJcqfFFYw

Score

10^/10

microsoft persistence phishing product:outlook upx

Malware Config

Signatures

Detected microsoft outlook phishing page
phishing microsoft product:outlook
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2728 services.exe

pid	process
2728	services.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1200-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
C:\Windows\services.exe	upx
behavioral2/memory/2728-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-13-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-36-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/2728-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-47-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-48-0x0000000000400000-0x0000000000408000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp	upx
behavioral2/memory/1200-170-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-331-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-332-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-335-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-336-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-337-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-338-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1200-378-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral2/memory/2728-379-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1ba49df189232267d14fca552a3f9852_JaffaCakes118.exeservices.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

Processes:

1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\services.exe	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe
File opened for modification	C:\Windows\java.exe	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe
File created	C:\Windows\java.exe	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe

description	pid	process	target process
PID 1200 wrote to memory of 2728	1200	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe	services.exe
PID 1200 wrote to memory of 2728	1200	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe	services.exe
PID 1200 wrote to memory of 2728	1200	1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ba49df189232267d14fca552a3f9852_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\results[6].htm
Filesize
1KB

MD5
ee4aed56584bf64c08683064e422b722

SHA1
45e5ba33f57c6848e84b66e7e856a6b60af6c4a8

SHA256
a4e6ba8c1fe3df423e6f17fcbeeaa7e90e2bd2fffe8f98ff4b3e6ed970e32c61

SHA512
058f023cb934a00c8f1c689001438c9bdd067d923ddcbe7a951f54d3ca82218803e0e81fbc9af5c56375ff7961deed0359af1ffa7335d41379ee97d01a76ded6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\searchKIA3ER17.htm
Filesize
196KB

MD5
781ca9fc4405a5433490c53711e09ad5

SHA1
65c893560587ccb2e009805e4875f94d1d096536

SHA256
cf44591f93f576bcc8fe0ee0dded7cd0d1d24750b449f964931cba3a604390ee

SHA512
e3d88da5f47bf6774596d73083b9adea50adb0122180f3641b3f506c4333a07032e935a3431316ac9b90c1f5ead6239ac125ae6c2e99d8e74ac11db0840a1a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[1].htm
Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\search[2].htm
Filesize
136KB

MD5
86b1483acd38aed03aa469c3628c815c

SHA1
cecb292f16609ece7935c1f7e73c68c9fda87c49

SHA256
ad62859268dce7c2e7993a7c964f0ccebce7db1f0aaa91b50dc7be79a2106818

SHA512
61e3753edd59c8920375174b4e9524067c0dabf654643d0e6792f4bb17a74de303bb8a243fbecb7fd01e84e228a128fdf11c04220f1fed8361445f6941b5407f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search7VXEDPAA.htm
Filesize
121KB

MD5
1155635d116a75649f6ca52b4328f5f2

SHA1
83b7c367d40da3c3843dd6d5caa97b71101dc284

SHA256
0db0adf50903fd4b93a2b79de4959984c78f40c7908798c5af624e844d8f947e

SHA512
9d2e4f0e8231eac4768262fcdef233f92885bfdb3d75064a0c529f534d81b6395a8250d528c2f54eda2074ea6f7969f587bf421b19d5e9826c05ef6691fd1bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[3].htm
Filesize
115KB

MD5
d910795e5499dc4c7725b73f47506c21

SHA1
ca0f3f038a42e7765da08afdac04342840c7f0b9

SHA256
0b5c319b53180ad457f8e47fab349f34974acf890d8c937d566452ab377686a4

SHA512
6eb979ed3a197ae9e5540b8eb5c4ee04f6f16b4893bb18c8ce91f3721b24929aa0b05419b1425300db9eeac7bbe19ab95e451b5dabab1ceb5fc696b2e644275f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCKU5E0S\search[5].htm
Filesize
130KB

MD5
dc268e07d1b1ac30148994f1e4e72b79

SHA1
c490b5d1ffe242289ac2f9d0b87719822f774cad

SHA256
bd3c1a64b05dfed363b3e64d5e720537ad94305b5c939d5e7a1341679a8f9a90

SHA512
3ba022d3cccfaec09ff4c8e54816b35efa1674214393d1cf6c1bbf18d26dad1356a4743c5c150786e6abc99cfbd2326f3bfea0314f1fc55d15e3f70f4a105b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\11E6SBJN.htm
Filesize
175KB

MD5
e0bce0d892221023f2087bb7f81de5f9

SHA1
6831f7f5a75c72f9f222e7845eb14ef4ed54339a

SHA256
b23e40b30f680ef452a719e66648bc8bf449459f94fd0cbd462ab72214b004a6

SHA512
eb6286ca36a0a31051693237dea18cb5328db05907880d11a3d92950a93370056b42a9f47a07e9a421b87b43124e857a2b2b712a56f2b251e673f3b98d57de83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\search84M9A9WG.htm
Filesize
135KB

MD5
0afa9bd8656260b7eb7c018861b97c9d

SHA1
6fd65fecf3aff00c2ee79e0ff792609dfc5579f6

SHA256
6ec9a35c83993a207071239989510383e4473995bd1dcb0011a236dc0dc862e2

SHA512
07d20593e55be7b0b65e5dcfa84268486951b8e560b07cec17e45ef9f873ccff6210ba0a67e36aa6ace20c1035cfaab5dda7b7c9230e5e9e91e938d2ce36f460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\searchDBA1K458.htm
Filesize
150KB

MD5
ff7c04309144a8dfbdc5318f3324765a

SHA1
47dde003b2649495684006304961f0e2d2a27331

SHA256
eb0af915052c950349385611553b67098ca61909414dc35003a63b2e5490bb63

SHA512
626630339aaa74002ce723f7caa2531ed2dc0dd4f15f309cc661fcaeb1159675e0df6527dbd4f13f8c087c80223f90f30eec7a12580af418ad9df380cdbd21f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\results[3].htm
Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp
Filesize
28KB

MD5
12eaf3f63c0af1d2f0a28fd3524fc5d2

SHA1
eaeee8baadc0d8dcfcb811c7dd934bf6781c666c

SHA256
e5c8612fb81d328534667571eae0a68293b7730064e88cb5d2eb935f7820aef4

SHA512
a44598124e43084244cd6d94416252ab6cbe5739f03d163da85f478111612561193188e16c58a8fac55e4479c7940d9aa2fb3761a5140a9e2f051b63818956ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
753b8f18001d0d890f8fe35e5704cf8d

SHA1
107f9301385f43ae9452896b69cc26259aa1708c

SHA256
868bca00ec23623c400d7437d811a623f012ad42e828136e34e4bc38cd5e858c

SHA512
0d98f3bd1201b5fde038d81e5a19bd744d27b812646e949a1016e741d6804e91834bb4752f666fe038d46d445b96e853957d3f0a1dcdbb9a68b04d76f313dd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
6aa582e2e6de2ea1b95fcb49f976c248

SHA1
46133cd1b4a8f21babe2c028dc3a9ca035823cb6

SHA256
602f20704ef0e785636e83b8b4e5dd7d8824c7e660d51bbc2de9c7946d7ac65a

SHA512
b79a51891a006d98ae161447bb90925d044cc6b632a4b44dbf139b50878d0204c2e1d4a15c39e64d72101e6c10f8ac9120e9c30500598f2a02d6e9e773cb1027

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
Filesize
1KB

MD5
61fd25a252666a3a5d5272374d0926cd

SHA1
9fe430f8a1050a74456d924912d2c74293015bdd

SHA256
d49b16100b6844ac348711227328210c6a730144d7d03a2878b0a39ed86fcab7

SHA512
1c006e707c3de403957e966f57c7482f3496895a598565a10edaa35dc7c792491bc4a8592fa065d8457b8453b69c03f8724d9a81dbc0a37a7c3006fe745f1474

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\services.exe
Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1200-337-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-47-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-13-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-331-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-170-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-335-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/1200-378-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2728-36-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-332-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-336-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-48-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-338-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-379-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2728-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download