Overview

overview

7

Static

static

7

ecf46bb870...18.exe

windows7-x64

7

ecf46bb870...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecf46bb870e5ae83ea1b4750800c9d8e_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    ecf46bb870e5ae83ea1b4750800c9d8e

  • SHA1

    52052fd67d7a0e2449b93d30f4c8dc66acfcd737

  • SHA256

    c61728d51c77d2ac3b42efe76120a83537b0930128d2b9c86b86c2c82a8d808e

  • SHA512

    43a4aaf994a2a604e7f93b62bd47f217d29ecf650a18cdaa637d670087b2d08d55bf705d29c460fa587831c5cb233e0938ddb8faf7da7e2df90c98804f9aa352

  • SSDEEP

    49152:BYsbQjtQ2tNbUarvaWtZMkFvU9ia91OVg308Tu3:BYO9NarvaYvq9TrTu3

Score
7/10
evasionthemida

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 20 IoCs
  • Themida packer 28 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Drops file in System32 directory 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecf46bb870e5ae83ea1b4750800c9d8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecf46bb870e5ae83ea1b4750800c9d8e_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\Winxdiag.exe
      C:\Windows\system32\Winxdiag.exe 680 "C:\Users\Admin\AppData\Local\Temp\ecf46bb870e5ae83ea1b4750800c9d8e_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\Winxdiag.exe
        C:\Windows\system32\Winxdiag.exe 712 "C:\Windows\SysWOW64\Winxdiag.exe"
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\SysWOW64\Winxdiag.exe
          C:\Windows\system32\Winxdiag.exe 716 "C:\Windows\SysWOW64\Winxdiag.exe"
          4⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Windows\SysWOW64\Winxdiag.exe
            C:\Windows\system32\Winxdiag.exe 720 "C:\Windows\SysWOW64\Winxdiag.exe"
            5⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\SysWOW64\Winxdiag.exe
              C:\Windows\system32\Winxdiag.exe 724 "C:\Windows\SysWOW64\Winxdiag.exe"
              6⤵
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\SysWOW64\Winxdiag.exe
                C:\Windows\system32\Winxdiag.exe 732 "C:\Windows\SysWOW64\Winxdiag.exe"
                7⤵
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2536
                • C:\Windows\SysWOW64\Winxdiag.exe
                  C:\Windows\system32\Winxdiag.exe 728 "C:\Windows\SysWOW64\Winxdiag.exe"
                  8⤵
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2948
                  • C:\Windows\SysWOW64\Winxdiag.exe
                    C:\Windows\system32\Winxdiag.exe 736 "C:\Windows\SysWOW64\Winxdiag.exe"
                    9⤵
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1352
                    • C:\Windows\SysWOW64\Winxdiag.exe
                      C:\Windows\system32\Winxdiag.exe 744 "C:\Windows\SysWOW64\Winxdiag.exe"
                      10⤵
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:2156
                      • C:\Windows\SysWOW64\Winxdiag.exe
                        C:\Windows\system32\Winxdiag.exe 748 "C:\Windows\SysWOW64\Winxdiag.exe"
                        11⤵
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Winxdiag.exe
    Filesize

    2.2MB

    MD5

    ecf46bb870e5ae83ea1b4750800c9d8e

    SHA1

    52052fd67d7a0e2449b93d30f4c8dc66acfcd737

    SHA256

    c61728d51c77d2ac3b42efe76120a83537b0930128d2b9c86b86c2c82a8d808e

    SHA512

    43a4aaf994a2a604e7f93b62bd47f217d29ecf650a18cdaa637d670087b2d08d55bf705d29c460fa587831c5cb233e0938ddb8faf7da7e2df90c98804f9aa352

    Download Submit

  • memory/828-127-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/828-121-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1352-224-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1352-219-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1520-102-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1520-97-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1520-85-0x0000000004670000-0x0000000004671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-84-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1520-83-0x0000000004650000-0x0000000004652000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1520-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-80-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-62-0x0000000004640000-0x0000000004641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-72-0x0000000004550000-0x0000000004551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-78-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-73-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-55-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-63-0x0000000004690000-0x0000000004691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-64-0x0000000004650000-0x0000000004651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-79-0x0000000004DB0000-0x0000000005268000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-68-0x00000000043F0000-0x00000000043F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-69-0x0000000004540000-0x0000000004541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-71-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-77-0x00000000045B0000-0x00000000045B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-70-0x00000000043D0000-0x00000000043D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-65-0x0000000004680000-0x0000000004681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-66-0x00000000043E0000-0x00000000043E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-67-0x0000000004560000-0x0000000004561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-60-0x00000000046A0000-0x00000000046A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-61-0x0000000004610000-0x0000000004611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1864-59-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1864-58-0x0000000004670000-0x0000000004672000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1864-57-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-30-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-45-0x0000000004510000-0x0000000004511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-40-0x0000000004650000-0x0000000004651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-39-0x0000000004610000-0x0000000004611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-38-0x00000000045F0000-0x00000000045F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2124-37-0x0000000004660000-0x0000000004661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-49-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-51-0x00000000045A0000-0x00000000045A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-42-0x0000000004520000-0x0000000004521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-54-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-56-0x0000000004E00000-0x00000000052B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-43-0x0000000004560000-0x0000000004561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-44-0x0000000004530000-0x0000000004531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-82-0x0000000004E00000-0x00000000052B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-48-0x0000000004550000-0x0000000004551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-47-0x0000000004620000-0x0000000004621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-46-0x0000000004540000-0x0000000004541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-36-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2124-34-0x0000000004630000-0x0000000004632000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2124-41-0x0000000004640000-0x0000000004641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-31-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-244-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2156-251-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2168-149-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2168-144-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2536-172-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2536-167-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2872-17-0x0000000004410000-0x0000000004411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-6-0x0000000004600000-0x0000000004601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-12-0x00000000043F0000-0x00000000043F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-13-0x0000000002370000-0x0000000002371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-10-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-11-0x0000000004420000-0x0000000004421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-9-0x0000000004660000-0x0000000004661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-15-0x0000000004430000-0x0000000004431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-8-0x0000000004670000-0x0000000004671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-7-0x0000000004620000-0x0000000004621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-5-0x0000000004680000-0x0000000004681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-14-0x0000000004400000-0x0000000004401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-4-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2872-3-0x0000000004650000-0x0000000004652000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2872-16-0x0000000004630000-0x0000000004631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-21-0x0000000004470000-0x0000000004471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-28-0x0000000004DC0000-0x0000000005278000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2872-0-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2872-33-0x0000000004DC0000-0x0000000005278000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2872-1-0x00000000002B0000-0x00000000003AB000-memory.dmp

    Filesize

    1004KB

    Download

  • memory/2872-2-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-32-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2948-193-0x0000000000400000-0x00000000008B8000-memory.dmp

    Filesize

    4.7MB

    Download