49c926d1f26a0368b481fa91b40c903bfba04abfff72c5e8d255895b866b953e

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe
Size

3.2MB
MD5

efe5debaf0856160184082eb28e71e35
SHA1

0704ca46f8bbc2c6aa2b781cb8d05ed398aaa0cd
SHA256

49c926d1f26a0368b481fa91b40c903bfba04abfff72c5e8d255895b866b953e
SHA512

e2d305db7edfccc44197e00150c2cc3a5ebe554e475b3a8194b83c54274cb420d8bdd45d1c831ca364aa0c7e4390fa25be84a6d55d1c19e5a33e4f95efc3ee6b
SSDEEP

49152:lAy7fJ1X6HVPMMkBZKUh4az/MTBCNR4siei4+QLs7SWIo7fE8cTCyn2N5tdzJQ:l/F1XiVBUP4WMUj4sd+Ms17F5yUZd

Score

7^/10

persistence themida

Malware Config

Signatures

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1620-2-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-27-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-29-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-30-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-31-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-32-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-33-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-34-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-35-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-36-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-37-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-38-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-39-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-40-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-41-0x0000000000400000-0x00000000010C8000-memory.dmp	themida
behavioral1/memory/1620-42-0x0000000000400000-0x00000000010C8000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Arquivos de programas\\WindowsUpdate.scr"	efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killer.Xapa	efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1620	efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1620	efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efe5debaf0856160184082eb28e71e35_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-1-0x0000000002800000-0x00000000028E6000-memory.dmp

Filesize
920KB

Download
memory/1620-0-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-21-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1620-20-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1620-19-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1620-18-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/1620-17-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1620-22-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1620-16-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1620-15-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1620-14-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1620-12-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1620-11-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/1620-10-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1620-9-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1620-8-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1620-7-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1620-6-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1620-5-0x0000000005670000-0x0000000005672000-memory.dmp

Filesize
8KB

Download
memory/1620-4-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1620-3-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1620-24-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1620-23-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1620-25-0x00000000059E0000-0x00000000059E2000-memory.dmp

Filesize
8KB

Download
memory/1620-26-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1620-27-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-28-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1620-29-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-30-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-31-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-32-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-33-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-34-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-35-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-36-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-37-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-38-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-39-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-40-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-41-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download
memory/1620-42-0x0000000000400000-0x00000000010C8000-memory.dmp

Filesize
12.8MB

Download