Analysis Overview
SHA256
e60dcf2bff28dbaaf4b0d2102d89c2c7bbc8c5703a4fe4fe718846b44f407c64
Threat Level: Shows suspicious behavior
The file e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118 was found to show suspicious behavior; the summary below lists only generic signatures (packer, anti-analysis, persistence, file drops), not a named malware family. Note that the Run-key persistence, the drops under Program Files and the outbound HTTP connection were observed only in the Windows 7 run (behavioral1); the Windows 10 run (behavioral2) recorded only the Wine registry probe and the packer detection.
Malicious Activity Summary
Themida packer
Identifies Wine through registry keys
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 09:29
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 09:29
Reported
2024-04-09 09:32
Platform
win7-20240221-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TmmmanH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Arquivos comuns\Flash Player\ | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Arquivos comuns\Flash Player\ArjcurX.exe | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Arquivos comuns\Flash Player\TmmmanH.exe | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | publicidade.atwebpages.com | udp |
| BG | 185.176.43.54:80 | publicidade.atwebpages.com | tcp |
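The behavioral1 signature and network tables above are enough to drive a small triage script. What follows is an added example, not part of the sandbox report or its tooling: it re-encodes the rows above as constructed Python tuples (the tuple layout is an assumption made for the example, not the sandbox's export format), flags the Wine key probe as an anti-sandbox check, scores the Run-key persistence by whether its target lives in a user-writable directory, collects the executables dropped under Program Files, correlates the Run value name with the dropped file names, and extracts network IOCs from the non-DNS connection.

```python
import re
from collections import defaultdict

# Path of the detonated sample as reported in the behavioral1 tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"

# Constructed records transcribed from the signature tables above as
# (description, indicator, process). This tuple layout is an assumption made
# for the example; it is not the sandbox's own export format.
EVENTS = [
    ("Key opened",
     r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine", SAMPLE),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TmmmanH"
     r' = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"',
     SAMPLE),
    ("File opened for modification",
     "C:\\Program Files (x86)\\Arquivos comuns\\Flash Player\\", SAMPLE),
    ("File opened for modification",
     r"C:\Program Files (x86)\Arquivos comuns\Flash Player\ArjcurX.exe", SAMPLE),
    ("File opened for modification",
     r"C:\Program Files (x86)\Arquivos comuns\Flash Player\TmmmanH.exe", SAMPLE),
]

# Network rows from the same run: (country, destination, domain, proto).
NETWORK = [
    ("US", "8.8.8.8:53", "publicidade.atwebpages.com", "udp"),
    ("BG", "185.176.43.54:80", "publicidade.atwebpages.com", "tcp"),
]

# Matches a "Set value" indicator of the form ...\CurrentVersion\Run[Once]\<name> = "<data>".
RUN_KEY_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$',
    re.IGNORECASE,
)

# Locations any interactive user can write to; an autorun pointing here is a
# stronger persistence signal than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\", "c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyze(events, network):
    """Return (findings, iocs): findings are (tag, detail) tuples, iocs a dict of sorted lists."""
    findings = []
    iocs = defaultdict(set)
    dropped_stems = set()
    run_names = []

    for desc, indicator, _proc in events:
        low = indicator.lower()
        # Stock Windows has no HKCU\Software\Wine; Wine creates it. Opening it
        # is an emulator/sandbox probe, not a legitimate configuration read.
        if desc == "Key opened" and low.endswith("\\software\\wine"):
            findings.append(("anti-sandbox", "opened HKCU\\Software\\Wine"))
        m = RUN_KEY_RE.match(indicator)
        if desc.startswith("Set value") and m:
            target = m["data"].replace("\\\\", "\\")  # undo the doubled backslashes
            severity = "high" if is_user_writable(target) else "medium"
            findings.append(("persistence", f"Run value {m['name']} -> {target} [{severity}]"))
            run_names.append(m["name"])
            iocs["registry"].add(m["key"] + "\\" + m["name"])
        if desc.startswith("File opened for modification") and low.startswith(PROGRAM_FILES) and low.endswith(".exe"):
            findings.append(("drop", indicator))
            iocs["file"].add(indicator)
            dropped_stems.add(indicator.rsplit("\\", 1)[-1][:-4])

    # In this report the Run value still points at the Temp copy but is named
    # after TmmmanH.exe dropped under Program Files; surface the shared name so
    # the analyst checks which of the two files is actually launched at logon.
    for name in run_names:
        if name in dropped_stems:
            findings.append(("correlation", f"Run value {name} matches dropped {name}.exe"))

    for _country, dest, domain, proto in network:
        ip, port = dest.rsplit(":", 1)
        iocs["domain"].add(domain)
        if port != "53":  # anything beyond the resolver query is a real contact
            iocs["ip"].add(ip)
            findings.append(("network", f"{proto}/{port} to {domain} ({ip})"))

    return findings, {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    found, extracted = analyze(EVENTS, NETWORK)
    for tag, detail in found:
        print(f"[{tag}] {detail}")
    for kind, values in extracted.items():
        print(kind, values)
```

The Wine probe is deliberately not emitted as an IOC: the key name is generic and says nothing about this sample, whereas the Run value name, the dropped paths, the domain and the 185.176.43.54 endpoint are specific enough to hunt on.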
Files
memory/1152-0-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1152-1-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1152-6-0x00000000042A0000-0x00000000042A1000-memory.dmp
memory/1152-9-0x0000000004240000-0x0000000004241000-memory.dmp
memory/1152-10-0x0000000004180000-0x0000000004181000-memory.dmp
memory/1152-26-0x0000000004210000-0x0000000004211000-memory.dmp
memory/1152-25-0x0000000004150000-0x0000000004151000-memory.dmp
memory/1152-24-0x0000000004220000-0x0000000004221000-memory.dmp
memory/1152-23-0x0000000004300000-0x0000000004301000-memory.dmp
memory/1152-22-0x00000000042C0000-0x00000000042C1000-memory.dmp
memory/1152-21-0x0000000004280000-0x0000000004281000-memory.dmp
memory/1152-20-0x00000000041A0000-0x00000000041A1000-memory.dmp
memory/1152-19-0x0000000004290000-0x0000000004291000-memory.dmp
memory/1152-18-0x0000000004250000-0x0000000004251000-memory.dmp
memory/1152-17-0x0000000004140000-0x0000000004141000-memory.dmp
memory/1152-16-0x00000000042F0000-0x00000000042F1000-memory.dmp
memory/1152-15-0x00000000041B0000-0x00000000041B1000-memory.dmp
memory/1152-14-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1152-13-0x00000000041C0000-0x00000000041C1000-memory.dmp
memory/1152-12-0x0000000004190000-0x0000000004191000-memory.dmp
memory/1152-11-0x00000000041E0000-0x00000000041E1000-memory.dmp
memory/1152-8-0x00000000041D0000-0x00000000041D1000-memory.dmp
memory/1152-7-0x0000000004490000-0x0000000004492000-memory.dmp
memory/1152-5-0x0000000004120000-0x0000000004121000-memory.dmp
memory/1152-4-0x0000000004130000-0x0000000004132000-memory.dmp
memory/1152-3-0x0000000004110000-0x0000000004111000-memory.dmp
memory/1152-2-0x0000000004160000-0x0000000004161000-memory.dmp
memory/1152-27-0x0000000004370000-0x0000000004372000-memory.dmp
memory/1152-28-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1152-29-0x0000000000400000-0x0000000000649000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 09:29
Reported
2024-04-09 09:31
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
126s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9aeccb2d0b469a5f7fcd429291261fc_JaffaCakes118.exe"
Network
All rows in this run are reverse (PTR) lookups sent to the resolver; unlike behavioral1, no query for publicidade.atwebpages.com and no outbound TCP connection from the sample were recorded. Lookups of this kind are consistent with Windows 10 background traffic and should not be treated as indicators of this sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/3788-0-0x0000000000400000-0x0000000000649000-memory.dmp
memory/3788-1-0x0000000000400000-0x0000000000649000-memory.dmp
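The memory dump names in the Files sections of both runs follow the pattern memory/<pid>-<sequence>-<start>-<end>-memory.dmp. The following added example, not part of the report or the sandbox's tooling, parses that naming pattern for a constructed subset of the behavioral1 list and summarises it: the largest region is the 0x400000 image mapping, which was dumped four times (sequence 0, 1, 28 and 29), so the first and last copies are the natural pair to diff when looking for code the packer unpacked in place, while the many 0x1000-byte regions are single-page allocations. The page-alignment check in parse_dump is an assumption about how the sandbox names its dumps.

```python
import re
from collections import Counter

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as listed on this page.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the behavioral1 dump list above (PID 1152).
DUMPS = [
    "memory/1152-0-0x0000000000400000-0x0000000000649000-memory.dmp",
    "memory/1152-1-0x0000000000400000-0x0000000000649000-memory.dmp",
    "memory/1152-6-0x00000000042A0000-0x00000000042A1000-memory.dmp",
    "memory/1152-7-0x0000000004490000-0x0000000004492000-memory.dmp",
    "memory/1152-14-0x0000000000310000-0x0000000000311000-memory.dmp",
    "memory/1152-28-0x0000000000400000-0x0000000000649000-memory.dmp",
    "memory/1152-29-0x0000000000400000-0x0000000000649000-memory.dmp",
]

PAGE = 0x1000


def parse_dump(name):
    """Split one dump file name into pid, sequence number and region bounds."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Assumption: dumps cover whole pages, so unaligned or empty bounds are garbage.
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible region in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarize(names):
    """Group dumps by region; the largest region is taken to be the main image."""
    regions = [parse_dump(n) for n in names]
    if len({r["pid"] for r in regions}) != 1:
        raise ValueError("dump list mixes PIDs; summarise one process at a time")
    by_range = Counter((r["start"], r["end"]) for r in regions)
    image = max(regions, key=lambda r: r["size"])
    image_range = (image["start"], image["end"])
    return {
        "pid": image["pid"],
        "image_base": image["start"],
        "image_size": image["size"],
        # Repeated dumps of the same range are the candidates to diff for unpacked code.
        "image_dump_seqs": sorted(r["seq"] for r in regions if (r["start"], r["end"]) == image_range),
        "page_sized_regions": sum(1 for r in regions if r["size"] == PAGE),
        "distinct_regions": len(by_range),
    }


if __name__ == "__main__":
    s = summarize(DUMPS)
    print(f"pid {s['pid']}: image at {s['image_base']:#x}, {s['image_size']:#x} bytes, "
          f"dumped at seq {s['image_dump_seqs']}")
    print(f"{s['page_sized_regions']} single-page regions, {s['distinct_regions']} distinct regions")
```

Run against the full behavioral1 list the same code reports one 0x249000-byte image region and a long tail of 0x1000- and 0x2000-byte regions; the behavioral2 list contains only the two image dumps, which matches the much shorter signature list for that run.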