Malware Analysis Report

2025-08-11 03:50

Sample ID 240409-lf4lvsfa2w
Target e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118
SHA256 e60dcf2bff28dbaaf4b0d2102d89c2c7bbc8c5703a4fe4fe718846b44f407c64
Tags
themida evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e60dcf2bff28dbaaf4b0d2102d89c2c7bbc8c5703a4fe4fe718846b44f407c64

Threat Level: Shows suspicious behavior

The file e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

themida evasion persistence

Themida packer

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 09:29

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 09:29

Reported

2024-04-09 09:32

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TmmmanH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe" C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Arquivos comuns\Flash Player\ C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Arquivos comuns\Flash Player\ArjcurX.exe C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Arquivos comuns\Flash Player\TmmmanH.exe C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 publicidade.atwebpages.com udp
BG 185.176.43.54:80 publicidade.atwebpages.com tcp

Files

memory/1152-0-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1152-1-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1152-6-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/1152-9-0x0000000004240000-0x0000000004241000-memory.dmp

memory/1152-10-0x0000000004180000-0x0000000004181000-memory.dmp

memory/1152-26-0x0000000004210000-0x0000000004211000-memory.dmp

memory/1152-25-0x0000000004150000-0x0000000004151000-memory.dmp

memory/1152-24-0x0000000004220000-0x0000000004221000-memory.dmp

memory/1152-23-0x0000000004300000-0x0000000004301000-memory.dmp

memory/1152-22-0x00000000042C0000-0x00000000042C1000-memory.dmp

memory/1152-21-0x0000000004280000-0x0000000004281000-memory.dmp

memory/1152-20-0x00000000041A0000-0x00000000041A1000-memory.dmp

memory/1152-19-0x0000000004290000-0x0000000004291000-memory.dmp

memory/1152-18-0x0000000004250000-0x0000000004251000-memory.dmp

memory/1152-17-0x0000000004140000-0x0000000004141000-memory.dmp

memory/1152-16-0x00000000042F0000-0x00000000042F1000-memory.dmp

memory/1152-15-0x00000000041B0000-0x00000000041B1000-memory.dmp

memory/1152-14-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1152-13-0x00000000041C0000-0x00000000041C1000-memory.dmp

memory/1152-12-0x0000000004190000-0x0000000004191000-memory.dmp

memory/1152-11-0x00000000041E0000-0x00000000041E1000-memory.dmp

memory/1152-8-0x00000000041D0000-0x00000000041D1000-memory.dmp

memory/1152-7-0x0000000004490000-0x0000000004492000-memory.dmp

memory/1152-5-0x0000000004120000-0x0000000004121000-memory.dmp

memory/1152-4-0x0000000004130000-0x0000000004132000-memory.dmp

memory/1152-3-0x0000000004110000-0x0000000004111000-memory.dmp

memory/1152-2-0x0000000004160000-0x0000000004161000-memory.dmp

memory/1152-27-0x0000000004370000-0x0000000004372000-memory.dmp

memory/1152-28-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1152-29-0x0000000000400000-0x0000000000649000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 09:29

Reported

2024-04-09 09:31

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3788-0-0x0000000000400000-0x0000000000649000-memory.dmp

memory/3788-1-0x0000000000400000-0x0000000000649000-memory.dmp