Analysis Overview
SHA256
fa33ef25404444f65328a5acc9e59ab100da3c0b3008d8a4a7a7e3656df910e7
Threat Level: Known bad
The file e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Themida packer
Executes dropped EXE
Loads dropped DLL
Identifies Wine through registry keys
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 12:31
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 12:31
Reported
2024-04-09 12:34
Platform
win7-20240221-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | C:\Windows\SysWOW64\winupdate.exe | N/A |
Loads dropped DLL
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File created | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winupdate.exe | C:\Windows\SysWOW64\winupdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\winupdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 736 "C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 808 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 804 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 816 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 812 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 820 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 828 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 824 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 836 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\winupdate.exe
C:\Windows\system32\winupdate.exe 840 "C:\Windows\SysWOW64\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
memory/1136-0-0x0000000000400000-0x000000000067D000-memory.dmp
memory/1136-3-0x00000000045E0000-0x00000000045E1000-memory.dmp
C:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
memory/1136-5-0x0000000004630000-0x0000000004632000-memory.dmp
memory/1136-4-0x0000000004540000-0x0000000004541000-memory.dmp
memory/1136-2-0x0000000004670000-0x0000000004672000-memory.dmp
memory/1136-12-0x0000000004680000-0x0000000004681000-memory.dmp
memory/1136-14-0x0000000004570000-0x0000000004571000-memory.dmp
memory/1136-15-0x00000000045D0000-0x00000000045D1000-memory.dmp
memory/1136-13-0x0000000004530000-0x0000000004531000-memory.dmp
memory/1136-19-0x0000000004560000-0x0000000004561000-memory.dmp
memory/1136-18-0x0000000004600000-0x0000000004601000-memory.dmp
memory/1136-17-0x00000000045A0000-0x00000000045A1000-memory.dmp
memory/1136-16-0x0000000000400000-0x000000000067D000-memory.dmp
memory/1136-131-0x0000000004640000-0x0000000004641000-memory.dmp
C:\Windows\SysWOW64\winupdate.exe
| MD5 | e9ff47123f87724ec5f5b190b3f11abb |
| SHA1 | 8da923eac576cf70b752d7c002dc779a0d96e984 |
| SHA256 | fa33ef25404444f65328a5acc9e59ab100da3c0b3008d8a4a7a7e3656df910e7 |
| SHA512 | 6501381b8ecd52fb22e9c07276e7de2b2253e069128e80b1cefb3754bc9359532879ab53397e754251a829e2eb5f73eb0ef4b81af43e80fcb5c44063690aca25 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
memory/2324-143-0x0000000000C50000-0x0000000000ECD000-memory.dmp
memory/2324-144-0x0000000000C50000-0x0000000000ECD000-memory.dmp
memory/1136-145-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2324-146-0x0000000000C50000-0x0000000000ECD000-memory.dmp
memory/2324-139-0x0000000000400000-0x000000000067D000-memory.dmp
memory/1136-136-0x0000000004D40000-0x0000000004FBD000-memory.dmp
memory/1136-128-0x0000000004650000-0x0000000004651000-memory.dmp
memory/2324-149-0x0000000004760000-0x0000000004762000-memory.dmp
memory/2324-156-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2324-148-0x00000000047A0000-0x00000000047A2000-memory.dmp
memory/2324-265-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2324-271-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2324-273-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2324-272-0x0000000005070000-0x00000000052ED000-memory.dmp
memory/2744-275-0x0000000000FB0000-0x000000000122D000-memory.dmp
memory/2744-276-0x0000000000FB0000-0x000000000122D000-memory.dmp
memory/2744-274-0x0000000000FB0000-0x000000000122D000-memory.dmp
memory/2744-277-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2744-293-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2744-286-0x0000000004760000-0x0000000004762000-memory.dmp
memory/2744-285-0x00000000047A0000-0x00000000047A2000-memory.dmp
memory/2744-396-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2432-403-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2432-404-0x0000000000C70000-0x0000000000EED000-memory.dmp
memory/2744-405-0x0000000000FB0000-0x000000000122D000-memory.dmp
memory/2744-406-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2744-399-0x0000000004F40000-0x00000000051BD000-memory.dmp
memory/2432-411-0x00000000047A0000-0x00000000047A2000-memory.dmp
memory/2432-415-0x0000000004760000-0x0000000004762000-memory.dmp
memory/2432-416-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2432-525-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2432-527-0x0000000005100000-0x000000000537D000-memory.dmp
memory/956-534-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2432-532-0x0000000000400000-0x000000000067D000-memory.dmp
memory/956-542-0x0000000004780000-0x0000000004782000-memory.dmp
memory/956-560-0x00000000046E0000-0x00000000046E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c6b0028a6f5508ef564d624eda0e72bc |
| SHA1 | 18901c9856a9af672c2e27383c15d2da41f27b6b |
| SHA256 | b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06 |
| SHA512 | 5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71 |
memory/956-652-0x0000000000400000-0x000000000067D000-memory.dmp
memory/956-654-0x00000000046B0000-0x00000000046B2000-memory.dmp
memory/956-543-0x0000000004740000-0x0000000004742000-memory.dmp
memory/956-655-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-663-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/956-662-0x0000000000C60000-0x0000000000EDD000-memory.dmp
memory/3008-667-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-666-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/3008-664-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/956-657-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-675-0x00000000047A0000-0x00000000047A2000-memory.dmp
memory/3008-678-0x0000000004760000-0x0000000004762000-memory.dmp
memory/3008-784-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-786-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-792-0x0000000004FB0000-0x000000000522D000-memory.dmp
memory/1960-794-0x0000000000F90000-0x000000000120D000-memory.dmp
memory/3008-795-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/3008-797-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3008-796-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/3008-798-0x0000000000C00000-0x0000000000E7D000-memory.dmp
memory/1960-799-0x0000000000400000-0x000000000067D000-memory.dmp
memory/1960-793-0x0000000000F90000-0x000000000120D000-memory.dmp
memory/1960-806-0x00000000047A0000-0x00000000047A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 558e454bc2d99d7949719cf24f540dd2 |
| SHA1 | e9c772bcee4ae780cdc28b0b4876385639e59b39 |
| SHA256 | 677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a |
| SHA512 | 5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64 |
memory/1960-918-0x0000000000400000-0x000000000067D000-memory.dmp
memory/1960-927-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3004-1047-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3004-1056-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2144-1179-0x0000000000400000-0x000000000067D000-memory.dmp
memory/2144-1186-0x0000000000400000-0x000000000067D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6b0182442d6e09100c34904ae6d8ee0c |
| SHA1 | 6255e65587505629521ea048a4e40cc48b512f2c |
| SHA256 | cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4 |
| SHA512 | 64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5575ef034e791d4d3b09da6c0c4ee764 |
| SHA1 | 50a0851ddf4b0c4014ad91f976e953baffe30951 |
| SHA256 | 9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14 |
| SHA512 | ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756 |
memory/2056-1305-0x0000000000400000-0x000000000067D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 12:31
Reported
2024-04-09 12:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ff47123f87724ec5f5b190b3f11abb_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/3196-0-0x0000000000400000-0x000000000067D000-memory.dmp
memory/3196-1-0x0000000000400000-0x000000000067D000-memory.dmp